Hacker News

points by pentacent_hq 1 day ago | hide | 0 comments

Well, that's why I am asking for practical experience using these tools. Maybe most form spam bots are (still) not advanced enough to complete PoW captchas. Have you tried Altcha or mCaptcha in production?

I have tried everything so far. Something like recaptchav3 will block most headless browsers but very invasive, solving it raises cost quite (for the auto solvers).

Notably no matter what the advertised repositories say So-called „pure play“ (%100% local, no tracking) kind of PoW captcha doesn't do anything for if you are a target and specifically having tools written for you.

For example: I work at a company for MMO game, and as such have to look at what is made. Our form requires numerous so-called invasive features featuring multi-step, TLS analysis, fingerprinting, WebGL, and more. People write dedicated tools to brute force login details or spoof spam, that includes full browser automation and don't care about 100% Usage of CPUs. (I do not have any say in this manner and its out of my scope, I do not "like" this kind of invasiveness)

It depends on your threat model and what is this for. A personal blog a regular one will be fine, any will do. Anything someone will write targeted tool for all self hosted PoW will do nothing.

If you are getting generic form spam simply renaming your field or adding one random invisible field is sufficient to stop automated bot traffic until someone writes a targeted for your.

Thanks for sharing! My current experience is that honeypot fields are often ignored by the bots we're dealing with, but adding hCaptcha is pretty reliable in getting rid of them.

What do you usually name them? You typically want opaque names on all fields and various combinations (some fields auto-filled in with JS that clones the email field, some need to be left blank, some filled in during the onsubmit JS hook..)