• solardev 2 days ago

    > On one of the forms, I politely ask that the sender include today's date somewhere in the text, which I then validate to be within +/- 25 hours of the server time

    It sounds like you made your own CAPTCHA-lite. If it's not a very attractive form to spammers, sounds like that's fine, but for bigger sites it may not be enough. CAPTCHAs don't have to always be squiggly letters... there are many picture-based puzzles these days, along with human-like interaction checks, audio puzzles, logic puzzles, video advertisement puzzles, etc.

    I manage a forum at work and after a few years of no spam, suddenly someone found us and made hundreds of spam accounts and posts over one weekend. And Discourse doesn't have good bulk spam moderation in the UI, so it was a pain going through them afterward =/ I really wish we had a CAPTCHA!
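
    The date-window check quoted in the comment above, written out as an added example (not the original poster's code): it pulls every calendar date out of the submitted text and accepts the submission if one of them lies within the 25 hour window of server time. The accepted date formats, the handling of invalid dates such as Feb 30, and the way the window is measured against the written day are assumptions made for this example, not details the quote gives.

    ```javascript
    // Added example of the "include today's date in the text" check quoted
    // above. Not the original poster's code; formats and window handling are
    // assumptions for this illustration.
    const MONTHS = ['january', 'february', 'march', 'april', 'may', 'june', 'july',
      'august', 'september', 'october', 'november', 'december'];

    // Return every calendar date written in `text` as the UTC midnight that
    // starts that day (epoch ms). Accepts 2024-05-10, "10 May 2024" and
    // "May 10, 2024"; anything else is ignored.
    function extractDates(text) {
      const found = [];
      const push = (y, m, d) => {
        const t = Date.UTC(y, m - 1, d);
        // Date.UTC silently rolls Feb 30 into March; keep only dates that survive unchanged.
        const back = new Date(t);
        if (back.getUTCFullYear() === y && back.getUTCMonth() === m - 1 && back.getUTCDate() === d) found.push(t);
      };
      const months = MONTHS.join('|');
      for (const m of text.matchAll(/\b(\d{4})-(\d{2})-(\d{2})\b/g)) push(+m[1], +m[2], +m[3]);
      for (const m of text.matchAll(new RegExp(`\\b(\\d{1,2})\\s+(${months})\\s+(\\d{4})\\b`, 'gi')))
        push(+m[3], MONTHS.indexOf(m[2].toLowerCase()) + 1, +m[1]);
      for (const m of text.matchAll(new RegExp(`\\b(${months})\\s+(\\d{1,2}),?\\s+(\\d{4})\\b`, 'gi')))
        push(+m[3], MONTHS.indexOf(m[1].toLowerCase()) + 1, +m[2]);
      return found;
    }

    // Accept if some written date is within `windowHours` of `now` (server time,
    // epoch ms). A sender's local calendar date can be one day off the server's
    // UTC date, so the distance is measured from `now` to the nearest instant of
    // the written day (at most 24 h for an adjacent day); the 25 h window from
    // the quote then passes every time zone and rejects dates two or more days off.
    function hasRecentDate(text, now = Date.now(), windowHours = 25) {
      const DAY = 24 * 3600 * 1000;
      const tolerance = windowHours * 3600 * 1000;
      return extractDates(text).some((dayStart) => {
        const distance = now < dayStart ? dayStart - now : Math.max(0, now - (dayStart + DAY));
        return distance <= tolerance;
      });
    }

    console.log(hasRecentDate('Hi, today is 2024-05-10 and I have a question.', Date.UTC(2024, 4, 10, 11)));
    ```

    The parser deliberately accepts only a few unambiguous formats; a DD/MM vs MM/DD guess would let a wrong reading pass or fail for the wrong reason. Anything that keeps state (a signed nonce in the form, a timestamped token) is stronger, but this is the stateless check the quote describes.
    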

    • bitbasher 3 hours ago

      I run three businesses. One has a captcha and two don't (contact-us forms and sign-up forms). I get around 1-3 spam submissions per day for forms that don't contain a captcha.

      • muzani 2 days ago

        Crazy theory: The spammers have moved on to prompt hacking AI or experimenting with AI based spam. Some have even raised venture capital.

        • rozenmd 2 days ago

          Chuck up an unprotected form on the Internet and see the crap that gets submitted, it's the worst.

          I use a mix of honeypots and Cloudflare Turnstile to avoid the spam.

          • taosx 20 hours ago

            The amount of bots scanning for vulnerabilities or spam for a hidden, no-SEO, unimportant website approaches 700 visits a day. In the past it was a bit more personal, as someone had to target you directly; now it's just crawlers and bots everywhere. I know not everyone is able to do the same, but I basically block the ASNs of all clouds and cheap VPS hosters plus a few countries.

            • Jnr a day ago

              Here is a fun story: years ago I avoided using CAPTCHAs on my sites by simply adding a hidden file upload field (hidden by JS) and a hidden field that was expected to be empty.

              Lots of spam bots did not run JS back then and tried posting values in fields that were supposed to be empty.

              And then there were many, many bots that could not properly form an empty multipart upload request, because that was not implemented in the most popular web request libraries (like curl). It is probably not as effective anymore since it's way easier to run a headless browser these days, but I used that approach for many years. :)

              My log files were full of spam that was caught this way.

              • emchammer a day ago

                I was asked to solve a CAPTCHA on a hospital registration kiosk to visit a friend.

                • dividedcomet 16 hours ago

                  I set up a form to send basic email info for wedding RSVPs for my wedding, no validation, and never got a single piece of spam. Granted, it's hosted on Cloudflare, so I don't know if they blocked it all and did the hard work for me.

                  • rishikeshs a day ago

                    How did you manage to spot the spam? I host static comments on my site[1] with a comment form. I get a lot of spam that looks like Russian!

                    [1] https://rishikeshs.com

                    • admissionsguy 2 days ago

                      On my 50k monthly UU side-project, I used this to eliminate a vast majority of spam submissions:

                      > $.post($(this).attr('action') + '?nospam=1'

                      (skipping processing but returning a success response when nospam is absent, so I guess it counts as an honeypot)

                      I also blacklisted the words cialis and viagra.

                      What remained were serial submissions from pen-testers who then sent emails begging for money, so I implemented a one-click removal of all submissions from an ip range.

                      That's after Cloudflare's regular WAF.

                      Not much effort, so I guess it's only an issue if it gets exponentially worse with increased traffic (which it probably does).

                      I would never use a CAPTCHA though, not my philosophy to outsource effort to the user.
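
                      A server-side version of the honeypot checks described by Jnr and admissionsguy above, as an added example that is not code from either commenter: a hidden text field that must arrive empty, a hidden file input that a real browser submits as an empty multipart part, a marker query parameter that only the page's own JavaScript appends to the form action, a small blocked-word list, and a response that looks like success whether or not the submission was kept. The field and parameter names, the minimal multipart parser and the sample requests are assumptions constructed for this example.

                      ```javascript
                      // Added example, not code from the thread. Field and parameter names are
                      // assumptions chosen for the illustration.
                      const HONEYPOT_TEXT_FIELD = 'website';    // hidden by CSS/JS; a human never fills it
                      const HONEYPOT_FILE_FIELD = 'attachment'; // hidden <input type="file">; browsers send it as an empty part
                      const JS_MARKER_PARAM = 'nospam';         // appended to the form action by client-side JS
                      const BLOCKED_WORDS = ['cialis', 'viagra'];

                      // Minimal multipart/form-data parser, enough for these checks (no nested
                      // multipart, no encoded headers). Returns a Map of name -> { filename, value };
                      // filename is null for text fields and '' for a file input with no file chosen.
                      function parseMultipart(body, contentType) {
                        const m = /boundary=(?:"([^"]+)"|([^;]+))/.exec(contentType || '');
                        if (!m) return null;
                        const boundary = '--' + (m[1] || m[2]).trim();
                        const fields = new Map();
                        for (const chunk of body.split(boundary)) {
                          if (chunk === '' || chunk.startsWith('--')) continue; // preamble or closing "--"
                          const headerEnd = chunk.indexOf('\r\n\r\n');
                          if (headerEnd < 0) continue;
                          const headers = chunk.slice(0, headerEnd);
                          const value = chunk.slice(headerEnd + 4).replace(/\r\n$/, '');
                          const name = /;\s*name="([^"]*)"/.exec(headers);
                          if (!name) continue;
                          const filename = /;\s*filename="([^"]*)"/.exec(headers);
                          fields.set(name[1], { filename: filename ? filename[1] : null, value });
                        }
                        return fields;
                      }

                      // Classify one submission. `req` is { url, contentType, body } with the raw
                      // body as a string. Returns { spam, reasons } so the reasons can be logged.
                      function classifySubmission(req) {
                        const reasons = [];
                        const url = new URL(req.url, 'http://example.invalid'); // base only so a relative path parses
                        if (url.searchParams.get(JS_MARKER_PARAM) !== '1') reasons.push('missing JS marker');
                        const fields = parseMultipart(req.body, req.contentType);
                        if (!fields) return { spam: true, reasons: [...reasons, 'body is not multipart/form-data'] };
                        const text = fields.get(HONEYPOT_TEXT_FIELD);
                        if (text && text.value !== '') reasons.push('honeypot text field filled');
                        const file = fields.get(HONEYPOT_FILE_FIELD);
                        if (!file) reasons.push('empty file part missing');
                        else if (file.filename !== '' || file.value !== '') reasons.push('file part not empty');
                        const message = (fields.get('message') || { value: '' }).value.toLowerCase();
                        for (const w of BLOCKED_WORDS) if (message.includes(w)) reasons.push(`blocked word: ${w}`);
                        return { spam: reasons.length > 0, reasons };
                      }

                      // Rejected submissions get the same 200 response as accepted ones, so the bot
                      // never learns it was filtered; only accepted ones reach the store.
                      function handleSubmission(req, store) {
                        const verdict = classifySubmission(req);
                        if (!verdict.spam) store.push(req);
                        return { status: 200, body: 'Thanks, your message has been sent.', accepted: !verdict.spam };
                      }

                      // --- constructed sample traffic, not captured from any real site ---
                      const BOUNDARY = 'ExampleBoundary7MA4YWxkTrZu0gW';
                      const CONTENT_TYPE = `multipart/form-data; boundary=${BOUNDARY}`;
                      function multipartBody(parts) {
                        let out = '';
                        for (const p of parts) {
                          out += `--${BOUNDARY}\r\nContent-Disposition: form-data; name="${p.name}"`;
                          if (p.filename !== undefined) out += `; filename="${p.filename}"\r\nContent-Type: application/octet-stream`;
                          out += `\r\n\r\n${p.value}\r\n`;
                        }
                        return out + `--${BOUNDARY}--\r\n`;
                      }
                      // A browser after the page's JS ran: marker present, honeypot empty, file input sent as an empty part.
                      const humanRequest = {
                        url: '/contact?nospam=1', contentType: CONTENT_TYPE,
                        body: multipartBody([
                          { name: 'email', value: 'alice@example.com' },
                          { name: 'message', value: 'Hello, I have a question about your product.' },
                          { name: HONEYPOT_TEXT_FIELD, value: '' },
                          { name: HONEYPOT_FILE_FIELD, value: '', filename: '' },
                        ]),
                      };
                      // A form stuffer that skipped the JS, filled every field and posted url-encoded.
                      const naiveBotRequest = {
                        url: '/contact', contentType: 'application/x-www-form-urlencoded',
                        body: 'email=spam%40example.net&message=buy+now&website=http%3A%2F%2Fexample.net',
                      };
                      // A bot that learned the marker and speaks multipart, but filled the hidden
                      // text field, omitted the empty file part and used a blocked word.
                      const smarterBotRequest = {
                        url: '/contact?nospam=1', contentType: CONTENT_TYPE,
                        body: multipartBody([
                          { name: 'email', value: 'spam@example.net' },
                          { name: 'message', value: 'Buy cialis now' },
                          { name: HONEYPOT_TEXT_FIELD, value: 'http://example.net' },
                        ]),
                      };

                      const inbox = [];
                      for (const r of [humanRequest, naiveBotRequest, smarterBotRequest]) handleSubmission(r, inbox);
                      console.log(`kept ${inbox.length} of 3;`, classifySubmission(smarterBotRequest).reasons);
                      ```

                      Each check is cheap to bypass once a bot is written for this exact form, which is the point made elsewhere in the thread: these barriers stop the mass form stuffers built for the common denominator, not a targeted attacker. Logging the reasons rather than just the verdict is what lets you see when that changes.
                      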

                      • metalman a day ago

                        captcha will be hard to replace or improve on as the most pointless and aggravating thing ever invented. The only way I ever go through with it is if I am getting something material, money say, that is locked behind a craptcha event.

                        • borplk 2 days ago

                          I think it depends on how motivated the attackers are.

                          If we are talking about the account creation form of Facebook, you bet you will need some CAPTCHA. If it's a random form with no obvious benefit of spamming then I'm not sure how many "attempts" will be done to begin with regardless of the protection mechanisms.

                          In those cases you may be encountering bots that "blast spam", and usually the slightest form of barrier stops them because they tend to be made for the common denominator, for example by targeting popular blog/forum software that has a predictable form structure that the bot can be programmed for.

                          I have seen some basic anti-spam features that are "home-made captcha".

                          For example it says something like "Pandas are black and:" and you have to enter "white".

                          Those can sometimes be made in a way that is more user-friendly compared to a "real captcha".

                          However it takes some careful consideration and knowing your audience to make sure that they understand what to do. Some users may not understand it due to language or cultural differences or due to people being used to the traditional captcha.

                          You may want to remove the protection mechanism to see if you get any spam at all or not (or at least log and measure success vs failure cases).

                          Without knowing anything about your use case, personally I'd remove the CAPTCHA and see how many spams come through. Then I'd put a very basic and gentle barrier just enough to remove those spams and gradually increase the barrier if required.

                          Another thing to consider is that if your users have to login you can have some kind of basic reputation metric so that "known good" users are not subject to the same restrictions.

                          • WgaqPdNr7PGLGVW a day ago

                            > However it takes some careful consideration and knowing your audience to make sure that they understand what to do.

                            I fail reCAPTCHA at least 50% of the time so it would be hard to be worse.

                          • paulcole 16 hours ago

                            > Did the scammers and spammers realize that stuffing every input field on the web with commercial links and javascript exploits doesn't actually work ?

                            How sure are you about this?