I had an epiphany whilst out running this evening.

You can use “sporting methods” (a term coined by Otto) to block comment spam; things like cookie and JavaScript validation fit into this category. These features are available in my Spam Destroyer plugin and are adequate for most websites.

However, sites which are hit with serious spam problems still require CAPTCHAs to properly block spam attacks. The “sporting methods” are able to block 99.9% of the attacks, but the remaining 0.1% manage to bypass them, probably because they’re using something like PhantomJS to process the page. Properly rendering a page costs the spammers a lot of money because it requires substantially more processing power than just sending off POST requests, but some sites are deemed worthy of this treatment, and it is those sites which require extra protection. CAPTCHAs raise the required processing power substantially again, because cracking CAPTCHAs is non-trivial, so they are usually an effective solution.

My epiphany whilst running was that we could simply increase the amount of processing power required to get past the check by forcing the browser to do a calculation every time the page is loaded, rather than requiring the end-user to solve a CAPTCHA. I’m envisaging a page which loads, but sits there in the background hashing a string a few thousand times before adding the result to an input field ready to be sent back to the server. This would require JavaScript to be running in the browser, but could offer a substantial upgrade in spam protection without affecting 99.9% of users visiting the page. Their browser would need to do some extra calculation, but as long as it wasn’t too extreme, even the slowest devices would still only take a few seconds to process the calculation, yet this would hopefully be enough to cost the spammers too much in processing time to be worth their effort.

Do you folks think this is a good idea or a bad idea? Have you heard of this being implemented elsewhere before? If it’s deemed a good idea, I’ll probably implement something like this in the Spam Destroyer plugin in future.

Ideas based on Feedback from Twitter

Andrey Savchenko pointed out that running JS in this kind of way could cause the page to lag. It could be set to load later on, after the important things have already loaded, but we don’t have a reliable way to determine when the page has fully rendered.

A solution to this problem could be to trigger the calculation on clicking the submit button. So instead of immediately submitting the form, a box could pop up, or another page could be loaded, which performed the calculation at that point. A timer could be added, and if the calculation took too long, then a CAPTCHA could be served instead (useful for devices which are not able to handle complex calculations).