php spambot prevention on signup

Question

I dont have any problems with spam bots (yet).

Do you really have to use captcha? I hate it myself, some can be hard to read

What about just one field with a simple question any human could answer?

like "what animal is Donald Duck?"

then in php i check if its = duck.

maybe load some diffrent questions from db

How can spambots figure this out?

cant understand how spambots can figure this out? does it goggle it etc? Maybe someone can explain how spambots work?

Maybe i dont even need this kind of things because you have to email activate your account anyway ( i delete accounts not activated within 1 week)

Tell me what you think

Answer 1

I think you'll find a few techniques combined are helpful.

1. Similar to StackOverflow - limit activity to a threshold (e.g. votes per day/per 5 seconds)
2. A honey pot on signup/registration or commenting is a nice addition (Google it)
3. If allowing comments, with links, the nofollow option will reduce the "benefit" for spammers spamming your site/app with links
4. Provide a captcha where needed - you want to strive for distorted enough that it is hard for bots to solve, but simple enough that users aren't pulling their hair out trying to figure it out
5. Enable other users to flag users/content so that the site/app becomes self-managing
6. Determine where "suspicious" activity is occurring, and flag those users for moderation
7. Remove all spam content so that there is no "gain" for the spammer - many blogs don't do/allow this allowing the spam to live forever

Answer 2

I have tried both ways, creating my own image verification (which has worked well on my site with 0 spam accounts) and also with the text-read and answer box. Honestly, if you're site is very popular, then you can really start worrying about it, but with a site like mine, which has around 1000 new visits a month, a simple (random) string generator should work fine. There are plenty to go around.

If a spam bot is programmed rather well, simple question and answer type deals like you have explained will not work well, because they would have programmed in thousands of those questions for it to review and answer.

Answer 3

This was an actual nightmare for me because Captcha was not only horrible but it didn't even work - I was being hit by bots with human solvers behind them :/ It wasn't even like it was a popular site - only had a handful of users - but it was like a magnet for this sort of spam all the same. You actually get people being paid a couple of cents per captcha that they solve. In other cases I've heard of porn sites acting as a front for captcha-solving - a user thinks that the captcha is for registering on the site they're using, but really it's solving a captcha for somewhere else. Extremely annoying.

I eventually got around it by using Q&A challenges like you suggest, but I had to make them difficult enough for human solvers to just not bother. Things like "what's pi to the first 10 places in hexadecimal", and questions about public key crytography. Frankly I'm amazed that my site even has any members left because of it.