Most effective Captcha system out there.

         

esllou

2:29 pm on Oct 15, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am using the Captcha module in Drupal and there are three options:

1. Classic image captcha, with noise and lines added to distorted characters.

2. Math captcha. "3 + 12 = "

3. Text captcha. "What is the 3rd word in the phrase: 'dog yellow rainbow pages shopping keyboard'"

I personally dislike the image captchas as I think they are getting ridiculously illegible, so I'll avoid those. Does anyone have any experience of how effective the other two, and indeed the image one, are at blocking spam?

BeeDeeDubbleU

3:41 pm on Oct 15, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have put validation along the lines of 2 and 3 above on the forms on my websites and I have found both of them to be very effective. Since implementing them I have only had the odd manually submitted form submission.

FiRe

7:33 pm on Oct 15, 2007 (gmt 0)

10+ Year Member



Number 3 would be pretty easy to bypass...

BeeDeeDubbleU

8:47 pm on Oct 15, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Perhaps - but not in my experience. How would you do this?

There are so many questions that can be asked that are only answerable by humans. For example I ask questions like what month follows March? How do you code something to automatically answer questions like this?

thecoalman

4:16 am on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've been using number 3 on my forum for about a year now and have had no bot registrations since using it. That's down from one or two a day at its worst.

esllou

7:06 am on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm glad to hear that, though I'd be interested to hear why number 3 wasn't pretty easy to crack. All the info you require is right there on the screen, whereas at least the math one needs "solving".

I can't believe a simple script to solve those text ones isn't circulating out there.

BeeDeeDubbleU

7:24 am on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



All the info you require is right there on the screen, whereas at least the math one needs "solving".

All the info you require is right there on the screen if you are a human. How do you program a bot to answer random questions like what month comes after March? I keep hearing people saying that this "should be" easy but all I can tell you is that in more than a year of using this system on several websites no bot has ever cracked it.

Bots are not intelligent. You need intelligence to answer questions like this.

esllou

8:38 am on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, I was speaking specifically about Drupal's implementation of text captchas which is only of the type:

"What is the third word in the phrase: 'dog cat shoe house snow bucket red'?"

Once you get THIRD and the word list out of that, it is pretty simple for a bot to solve. As I say, all the info is there. With your "what month is after March?", all the info is not on the screen. It requires solving and the retrieval of information not currently visible. Like the math one.

kaled

8:55 am on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Depending on what data is being submitted, you may be able to do without captcha altogether.

For instance, if all the botspam contains loads of urls (but you are not expecting more than one) then it should be possible to detect that rather than implement a captcha system.

Kaled.

BeeDeeDubbleU

9:08 am on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Possibly, but all I can do is repeat that in my experience a simple validation question is all that is required.

Image Captcha is just a PITA. I am getting to the stage that after two attempts at attempting to decipher and input these seriously obscured image Captchas I just abandon it and go elsewhere. I cannot see the point in this when (AFAIK) a simple validation question fulfils the same purpose and it is much easier for people to use and understand.

FiRe

9:09 am on Oct 16, 2007 (gmt 0)

10+ Year Member



@esllou - that is what I meant

@thecoalman - this may have prevented bots but it is still easy to bypass if someone bothered to write one

Lipik

2:54 pm on Oct 16, 2007 (gmt 0)

10+ Year Member



Sometimes there's a simple solution.
Most bots are programmed to 'break' into standard systems. Compare it to a standard anti-theft alarm for a car. Most thieves know these systems by heart and can break it in 1 minute, others take 5 and some cannot (yet) be broken.
But if you hide a simple switch in your car interrupting the starter/battery, no thief will start looking for it. It's like one "original" system unknown to them.
So just add one field to your form and ask one original question and you're done.
I had a guest book and after I added one field with something like "fill in here 1-2-3" above it, there was no bot filling in this form anymore (and this "fill in here 1-2-3" never changes).
You could even ask "leave this field empty", or whatever, as long as it's original.
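
The checks kaled and Lipik describe above (counting URLs, a fixed custom question, and a field that must stay empty), sketched as server-side form validation. This is an added example, not code from any poster or from the Drupal Captcha module; the field names, the URL limit and the sample submissions are assumptions.

```python
import re

# Hypothetical field names and limits; adapt them to your own form.
HONEYPOT_FIELD = "website2"   # labelled "leave this field empty"
QUESTION_FIELD = "check"      # labelled "fill in here 1-2-3"
EXPECTED_ANSWER = "1-2-3"
MAX_URLS = 1                  # no more than one URL is expected per submission

# One match per URL-like token, whether it starts with a scheme or "www.".
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def count_urls(text):
    """Number of URL-like tokens in a piece of submitted text."""
    return len(URL_RE.findall(text))


def normalise(answer):
    """Ignore case and stray whitespace so real visitors are not rejected."""
    return "".join(answer.split()).lower()


def check_submission(form):
    """Return the reasons to reject a submission; an empty list means accept."""
    reasons = []
    # A field that humans are told to leave empty but form-filling bots populate.
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot_filled")
    # A missing field counts as a wrong answer (direct POST without the form).
    if normalise(form.get(QUESTION_FIELD, "")) != EXPECTED_ANSWER:
        reasons.append("wrong_answer")
    # Count URLs across the ordinary content fields only.
    content = [v for k, v in form.items()
               if k not in (HONEYPOT_FIELD, QUESTION_FIELD)]
    if sum(count_urls(v) for v in content) > MAX_URLS:
        reasons.append("too_many_urls")
    return reasons


# Constructed sample submissions, not real traffic.
HUMAN = {"name": "Ann", "message": "Nice site, see http://example.org/page",
         "check": " 1-2-3 ", "website2": ""}
BOT = {"name": "x", "check": "buy http://a.example",
       "message": "buy http://a.example http://b.example www.c.example",
       "website2": "http://a.example"}

if __name__ == "__main__":
    print(check_submission(HUMAN))
    print(check_submission(BOT))
```

Logging the rejection reasons per submission shows which check is doing the work and when one of them stops catching anything.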

Rosalind

6:08 pm on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I can't believe a simple script to solve those text ones isn't circulating out there.

The main reason text captchas are currently so effective is because they're nonstandard, particularly the ones that require you to think up your own questions. I've found mine to be very effective for just this reason.

This approach becomes useless when you try to scale it up for use on a popular site, or on a popular script, without changing the questions on the same scale. You need to have more questions and answers than it would be worthwhile to write a programme to solve, and they all need to be in random formats. What I mean by that is you can't have them all in the form of "spell HSIF backwards", and so on.

Someone will probably come along with a way to defeat common forms of text captchas. The sums are pretty common, so I imagine they will be the first to be routinely broken. But so long as you have a system that allows you to write your own questions and answers that won't be a problem.

appi2

6:28 pm on Oct 16, 2007 (gmt 0)

10+ Year Member



No idea how good this is but it helps digitize physical books.

BBC article [news.bbc.co.uk]
reCAPTCHA Site [recaptcha.net]

esllou

10:24 pm on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yeah, I read about that. ReCaptcha is now a Drupal module too.

Rosalind

10:48 pm on Oct 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



ReCaptcha is a better use of image recognition, but it's still a bad idea. Even people with good vision struggle to complete image captchas. I think it's better not to use it at all, and let them come up with a different way to get people to help digitise old books; some kind of game, perhaps.