WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: CAPTCHAS [was] Re:? I don't even know whatsubject heading to put for this question :)


From: Jared Smith
Date: Sep 20, 2006 5:10PM

Darrel Austin wrote:
> Just be sure that IF you are using them you have run out of all other
> options. Annoying the end-user should always be a last resort.


For 99% of sites, there are many things you can do instead of implementing CAPTCHAs. Is the problem
that bots are simply submitting data, such as spam messages, into your forms? Or are they actually
trying to establish an account or your specific site data in an automated way?

Most of the problems that folks encounter are bots that inject data into your form processing
scripts. They do this to spam you and annoy you, or in the hopes that your site will display a link
to their site, thus boosting their Google ranking and potentially bringing more traffic. Most of the
time, this can be avoided by checking page referers (to ensure the form data is coming from your own
site), parsing form data for suspicious spam-like content, and perhaps flagging against a list of
blacklisted words.

The following few lines of PHP code are used to flag about 90% of the form spam on our site:

if ( preg_match( "/bcc:|cc:|multipart|<a|[url|Content-Type:/i", implode($_POST ) ) ){

There is also the option of less intrusive, relatively easy tests to ensure the user is a human,
such as logical puzzles...

Enter the word "human" into the text box.
What color is a red rose?

While these types of test receive some criticism for requiring some cognitive processing and load,
most anyone that comes to and understands your site, knows what a form is, and can complete/submit
it, will probably be able to handle such questions. This does not, however, mean that you SHOULD use
them. And these types of tests can be easily bypassed if someone is targeting your site
specifically, but the chances of low-life spammers taking the time is very slim.

But if you do have a site that has the potential of being specifically targeted for form automation
(like Flickr, Yahoo, etc.), then the solutions become much more limiting. These are the situations
that CAPTCHAs were designed for (NOT for things like blog comments or contact forms). And there's a
fair amount of work out there on accessible implementations and alternatives for these graphical

But as Darrel says, it should take a VERY strong argument for you to want to annoy and discomfort
your users in this way.

Jared Smith