1

I am looking for opinions about how bulletproof could his captcha system be to avoid spam in a contact form.

The form submit goes through ajax.

  • So I generate 2 random numbers with javascript.
  • The sum of those numbers must be correct.
  • On form submit, I validate the inputs and the sum.
  • If all is correct, I send the form data and also both numbers with the result.
  • At backend, the 3 numbers must be received and their sum must match, otherwise something went wrong.

The question is, is this system good enough to avoid spam bots? Any other idea is welcome too.

Note:

Please avoid to recommend the google captcha due the department boss doesn't want to implement it.

Rohit Gupta
  • 203
  • 2
  • 3
  • 12
kosmosan
  • 123
  • 6
  • 1
    Love the department boss who is deciding to reinvent the wheel rather than just reuse google's wheel... @pg02 We recently added google captcha to one of our forms and found it to be a very painless integration. One or two days effort at most, in exchange for a powerful, user friendly, captcha system. Your effort would be best spent trying to get your boss to let you use google's captcha instead of writing your own. – Maybe_Factor Apr 26 '18 at 05:35
  • This guy reinvented the wheel a lot of times already That's what I'm tried before write the post... Let's see if with your comment and the answer below is enough to convince him. Thanks. – kosmosan Apr 26 '18 at 05:55

1 Answers1

3

This is a very weak captcha, and not generally a good solution.

  1. It excludes legitimate users that do not have JavaScript enabled. To be fair, those are very few, but still non-zero. If having this contact form is necessary for legal compliance, you should think very carefully about such accessibility issues.

  2. It does not block bots which run JavaScript. Browser automation has become very simple, so you should assume that many bots will execute all JS just like a normal user.

  3. The numbers don't have to be random. I could record one set of numbers and reuse them for arbitrarily many requests. Note that the tripe (0, 0, 0) would be a valid combination of numbers, so I could hardcode that if I wanted to spam your site in particular.

Fundamentally, the issue with this validation method is that it relies solely on client-provided data, which you cannot trust. Instead, captchas generally use a challenge–response system: the server challenges the client with an unique problem. This problem should be easy for humans but difficult for bots.

However, challenge-response systems can still be circumvented easily by delegating the challenges to a real human, while the bot otherwise runs automatically. As such, any captcha system can only rate-limit your spam, but never prevent it entirely.

amon
  • 132,749
  • 27
  • 279
  • 375