Negative Captcha

Here's an interesting thought. The flip side of "prove you aren't a robot," is "prove you are human."

Though it's no easier to prove, at least it places the onus of proof on the spam bot and not your human guests. It's subtle, but there's a philosophical difference between requiring people to do something that is difficult for a machine, versus asking the machine to do what a real human will do naturally.

Damien Katz writes about one way to approach this problem with the use of CSS.

It's a neat idea: instead of asking the user to prove he's human, it tricks the spam bot into revealing it's a bot. It does this with an email field that is hidden from the user by CSS.

When a human user fills out the form, the hidden field will always be blank. But when filled out by a spam bot, it doesn't know the field is supposed to be hidden, so it adds a bogus email address and submits the form. When the back-end code sees the email in the posting, it knows the email was filled in by a bot and ignores the whole submission.

It's not perfect—this won't stop custom-coded spam attacks—but it does kill some of the automated, roving, spider-based comment spam. Working negative captcha methods into a dynamic changing-key system (much like current captcha but transparent to your human users) is the obvious next step, and I bet we'll be seeing (or should I say "not seeing") stuff like this very soon. - Link.

Posted by Jason Striegel | Feb 4, 2007 12:04 PM
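The hidden-field check described above, combined with the "changing-key" idea from the last paragraph, as an added example that is not part of the original post or of Damien Katz's code. It goes a little beyond the post by deriving the real field names from a per-form timestamp; `SECRET`, `MAX_AGE`, the `hp` CSS class and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

SECRET = b"constructed-demo-secret"  # assumption: per-site secret, placeholder value
MAX_AGE = 3600                       # assumption: a rendered form is valid for one hour
HONEYPOT = "email"                   # bait field, hidden from people by CSS

def sign(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def field_name(label, ts):
    """Opaque name for a real field; it changes with every rendered form."""
    return "f" + sign(f"{label}:{ts}")[:12]

def render_form(now=None):
    ts = str(int(time.time() if now is None else now))
    return "\n".join([
        "<style>.hp { display: none; }</style>",
        '<form method="post">',
        f'<input type="hidden" name="ts" value="{ts}">',
        f'<input type="hidden" name="sig" value="{sign(ts)}">',
        f'<input name="{field_name("author", ts)}">',
        f'<textarea name="{field_name("comment", ts)}"></textarea>',
        # The label tells a visitor whose browser ignores the CSS what to do.
        f'<p class="hp"><label>Leave this empty: <input name="{HONEYPOT}"></label></p>',
        "</form>",
    ])

def check_submission(body, now=None):
    """Return (accepted, reason, fields) for a urlencoded POST body."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    ts, sig = form.get("ts", ""), form.get("sig", "")
    if not hmac.compare_digest(sign(ts).encode(), sig.encode()):
        return False, "bad token", {}
    age = (time.time() if now is None else now) - int(ts)  # ts is ours once sig checks out
    if age < 0 or age > MAX_AGE:
        return False, "stale form", {}
    if form.get(HONEYPOT, "").strip():
        return False, "honeypot filled", {}
    fields = {l: form.get(field_name(l, ts), "") for l in ("author", "comment")}
    if not fields["comment"].strip():
        return False, "no comment under expected name", {}
    return True, "ok", fields
```

A rejected submission can be dropped silently, as the post describes, while the reason string is kept for logging so that false positives stay visible.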
Comments

Newest comments listed first.

Posted by: penguinator on February 4, 2007 at 2:07 PM

That's quite cool.
Could you fool a custom coded one by randomizing which e-mail field or other fields are hidden? Maybe this could be custom coded for too, but it would be more difficult.


Posted by: eL_sTiKo on February 4, 2007 at 2:41 PM

From an accessibility standpoint, wouldn't this approach have a tendency of assuming that the visually impaired were bots, seeing as their browsers would ignore the css and reveal the field to them? Just a thought, and I am very tired this morning, so maybe I've overlooked something obvious.


Posted by: Chuso on April 20, 2008 at 5:42 AM

Testing negative CAPTCHA

I've taken your idea to move my webpage (chuso.1.vg) from the positive CAPTCHA it was using to a negative one.
Positive CAPTCHA blocked spam, but when I moved to the negative one I received spam again. I discovered that it was because input fields had too descriptive names (url, text, captcha, nick...) so bots know how to fill them, but I changed their names to field1, field2, ... so bots can't guess what the fields are used for and now I receive no spam without annoying visitors with CAPTCHAs.
Thanks!


Posted by: grimen on June 13, 2008 at 4:20 PM

This won't work if the bot is smart and looking through the DOM tree for input fields that are hidden and therefore should be ignored.

