5
Ask HN: What's your experience with PoW captchas against form spam?
Hey folks,
I'm building an Open Source email newsletter tool and one of the challenges we have is form spam: As soon as a signup form goes live somewhere, bots will try to sign up. This is possibly an attempt to overwhelm the inbox of people whose accounts have been compromised. But it's also bad for the people who run the newsletter as these ultimately unwanted emails reduce their sender reputation.
There was recently a discussion here on HN about this topic [1]. The post author ended up using Cloudflare Turnstile to mitigate the issue. We currently already have support for external captcha solutions like hCaptcha. However, many of our users are quite privacy-conscious and don't like having user data sent to third parties (especially non-EU third parties for our European users).
So now I've been thinking of adding an invisible proof-of-work (PoW) captcha to all signup forms. Possible implementations I've been considering are Altcha [2] and mCaptcha [3].
Now to my question: Have any of you tried using PoW captchas to protect against form spam? What have your experiences been with it so far?
[1] https://news.ycombinator.com/item?id=47609882
[2] https://altcha.org/
[3] https://mcaptcha.org/
These will stop curl-based requests but will not do anything against headless browsers. mCaptcha mostly dead.
It increases cost to bot only and does not stop anything unless you sign up for the monthly subscription pay per request plan from Altcha for example. Then you are in a paid Turnstile situation. And not self host. (https://altcha.org/docs/v2/sentinel/ - with third party API services, paid IP databases, additional paid subscription key, this is only mode that will do anything of much value)
Well, that's why I am asking for practical experience using these tools. Maybe most form spam bots are (still) not advanced enough to complete PoW captchas. Have you tried Altcha or mCaptcha in production?
I have tried everything so far. Something like recaptchav3 will block most headless browsers but very invasive, solving it raises cost quite (for the auto solvers).
Notably no matter what the advertised repositories say So-called „pure play“ (%100% local, no tracking) kind of PoW captcha doesn't do anything for if you are a target and specifically having tools written for you.
For example: I work at a company for MMO game, and as such have to look at what is made. Our form requires numerous so-called invasive features featuring multi-step, TLS analysis, fingerprinting, WebGL, and more. People write dedicated tools to brute force login details or spoof spam, that includes full browser automation and don't care about 100% Usage of CPUs. (I do not have any say in this manner and its out of my scope, I do not "like" this kind of invasiveness)
It depends on your threat model and what is this for. A personal blog a regular one will be fine, any will do. Anything someone will write targeted tool for all self hosted PoW will do nothing.
If you are getting generic form spam simply renaming your field or adding one random invisible field is sufficient to stop automated bot traffic until someone writes a targeted for your.
Thanks for sharing! My current experience is that honeypot fields are often ignored by the bots we're dealing with, but adding hCaptcha is pretty reliable in getting rid of them.
I'm convinced the most accurate way to use a captcha is to assume that any user that completes the puzzle is a bot.
Well, that's just not true, is it? Try having any public form and you'll see tons of bot submissions, add a captcha, most of them go away.
I think Altcha is better, I have heard good things about them. And it looks easy to implement and can be selfhosted which is great!!
Thanks! Would you be able to share a bit more of what you've heard about Altcha?