YHacker News
points by kay_o 1 day ago | hide | 0 comments
I have tried everything so far. Something like recaptchav3 will block most headless browsers but very invasive, solving it raises cost quite (for the auto solvers).

Notably no matter what the advertised repositories say So-called „pure play“ (%100% local, no tracking) kind of PoW captcha doesn't do anything for if you are a target and specifically having tools written for you.

For example: I work at a company for MMO game, and as such have to look at what is made. Our form requires numerous so-called invasive features featuring multi-step, TLS analysis, fingerprinting, WebGL, and more. People write dedicated tools to brute force login details or spoof spam, that includes full browser automation and don't care about 100% Usage of CPUs. (I do not have any say in this manner and its out of my scope, I do not "like" this kind of invasiveness)

It depends on your threat model and what is this for. A personal blog a regular one will be fine, any will do. Anything someone will write targeted tool for all self hosted PoW will do nothing.

If you are getting generic form spam simply renaming your field or adding one random invisible field is sufficient to stop automated bot traffic until someone writes a targeted for your.

pentacent_hq1 day ago | | | parent | | on: 47745948
Thanks for sharing! My current experience is that honeypot fields are often ignored by the bots we're dealing with, but adding hCaptcha is pretty reliable in getting rid of them.
kay_o1 day ago | | | parent | | on: 47749318
What do you usually name them? You typically want opaque names on all fields and various combinations (some fields auto-filled in with JS that clones the email field, some need to be left blank, some filled in during the onsubmit JS hook..)