Default Settings May Not Be Enough To Block Spam - Add Warning Info To Docs And Possible Code Solution

[9mido]

https://starcross.dev/blog/6/customising-django-simple-captcha/

Found that link and I thought the code snippet / link should be added to the documentation. If the author of this website claims that django-simple-captcha is not powerful enough out of the box to prevent all bots from spamming, then everybody else probably has the same problem and should be informed about it. This should be added to the "Roll your own" section but have a warning piece saying that doing something like this is more powerful from preventing spam or something like that.

"this example is easy to circumvent automatically"

Since the code example is still better than the default settings but still not perfect according to that quote, it would be even better for the maintainers to add code / provide code examples that would be more protected against any spam bot in the documentation or to the actual code itself.

[mbi]

Interesting read, and I agree that it'd be an interesting addition to the documentation!

[9mido]

@mbi I just wonder though what kind of captcha_challenge function would be bullet proof? Maybe a mix of letters and numbers and guessing the next one for each? But what if the bot had a very good tesseract OCR image to text reader detection and the spammer programmer could just program the bot to fill in the next letter/number of each character? And if it was a mathematical problem, the spammer programmer for the bot could just solve the math problem? Maybe machine learning will be able to defeat this methodology in the future? If you or anyone else could provide some code for this I think it would be really helpful.

[mbi]

I think the takeaway of the linked article is that there isn't and there can't be a generic bullet proof way of proposing a captcha challenge that is simple enough for the legitimate user to solve, but hard enough for a bot to fail.

Each solution needs to be creative and unique so that the bot programmers can't implement a simple OCR + logic, and will force them to understand ("add one to each digit") the challenge like a human user would.

If django-simple-captcha started doing "add one to each digit" in its default challenge and everyone deployed that as a default, bot developers would pick that up in a few weeks and defeat the challenge.

[9mido]

@mbi good points. Just brainstorming here. Maybe do something like given IP, geoIP, time on page, number of interactions, time of day, etc. some simple model predicting likelihood of spam? This data should not be stored anywhere in a database since IP breaks GDPR / PII / cookie laws. But maybe you could do something like that in your code to help protect users from spam without necessarily giving bot programmers the solution to solving the captcha.

[9mido]

@mbi

I found this site and the default design with lines and dots of django-simple-captcha can be defeated. Could the solution be a redesign or implementation of the gif captcha?

https://dev.to/presto412/how-i-cracked-the-captcha-on-my-universitys-website-237j