Are you human? (or How to prevent spam)


What mechanisms do you know that prevent your site from being abused by anonymous spammers.

For example, let's say that I have a site where people can vote something. But I don't want someone to spam something all the way to the top. So I found (a) creating an account and only allowed to vote once and (b) CAPTCHA to decrease spam. What other methods do you know and how good do they work?

4/28/2016 5:29:30 AM

Accepted Answer

The big thing I've noticed is that whatever you do, you want your system to be unique. You want an attacker to have to tailor their automation program for your specific site, rather than just throw a pre-existing script at it that will work almost anywhere. It doesn't even have to be cryptographically secure; it just has to make your site a little different from the norm.

This doesn't mean you can't or shouldn't use something like a pre-built captcha widget. Absolutely do use one of those as a staring point! It just means you have to customize it somewhere so that something extra happens that is outside the norm and will break any pre-existing script that could normally defeat it.

If your site gets big enough that you have attackers targeting it specifically, then your simple little customization probably won't hold up anymore and you might have do something a little more special and think about real cryptography and all that. But that's one of those things that's a "good" problem to have.

6/13/2010 9:31:02 PM

For a CAPTCHA system, I heartily recommend reCAPTCHA.

Traditional computer-generated CAPTCHAs will eventually be broken by developing a sufficiently intelligent system. For instance, here's someone who claims to break the Google CAPTCHA, formerly considered unbreakable, with a 30% hit rate. reCAPTCHA, by definition, shows you only images that cannot be recognized by optical character recognition.

And at the same time, your users' effort will be directed towards the common good - they help digitize books by recognizing words that cannot be recognized automatically.

See here for further explanation and to try it out.


  • Limit the number of votes per IP address per time
  • Block anonymizing proxies.
  • For voting: How about shuffling the value that has to be returned by the form on a "per session basis". Once "1" means the first item, "2" means the second. Then "77" means the first item, "812" means the second, ... could be some simple maths behind the scene, but it prevents users from just sending the same HTTP query over and over again.
  • What's worked for me very well: Use AJAX forms, not simple HTTP forms. Technically it's not much more complicated to fake votes, but I have written a simple blog software and it's only SPAM protection mechanism is to submit the comments via AJAX - no SPAM so far.

I'm a fan of the "hidden field" CAPTCHA. I don't remember where I read about it, but the idea is this:

  • create your form as normal
  • add an extra field but hide it (i.e. style="display:none" on the surrounding div or table row)
  • after submission, if the field is blank, do the appropriate action (eg send an email); if the field has been filled in, then it's a robot submitter

The only case where this falls down is if the user's browser doesn't handle CSS (or they have it switched off), which is very rare.


Charge for votes, like they do on some television "talent" shows, and get spammed all the way to the bank!

Seriously, this is a really tough problem, and someday (maybe soon, if you listen to Ray Kurzweil), computers will do testing to screen out humans. The answers I'm adding to the list have obvious drawbacks, but just for the sake of enumeration: moderation (have humans do the testing), and IP-based tracking (limit the number of votes from a host).