
How to protect html form from spammers?

I'm getting problems with spam entries in my database through the signup form. I have tried many open source CAPTCHA solutions, but I am still facing the same problem.

I am therefore looking for an alternative solution. What about a solution where users would have to input the answer to a question? The answer to the question would be a server-side specific word; would this surely defeat a spambot?

Would it be better to have a series of simple randomized questions, or would something like "6 + ? = 9" be better as a question? The only thing that concerns me is that if it's as easy as this to protect a signup, then why aren't the big giants like Facebook doing this?

Adnan asked Dec 19 '10 18:12


2 Answers

Update: The answer was accepted because I recommended KeyCAPTCHA. From my hard-earned painful experience, KeyCAPTCHA is a scam by professional spammers. I removed my recommendations of KeyCAPTCHA.

Note that most professional spambots are integrated with sweatshop (1 USD per 1000 solutions) human CAPTCHA solver APIs. When a spambot cannot pass a CAPTCHA itself, it (the spam bot), keeping hundreds of open connections, sends a screenshot (or the webpage code) with the CAPTCHA to be solved by a sweatshop human. This is a legal and big business. In order to be legal and integrate with bots through APIs, the human solvers cannot directly interact with the cracked web boards (blog comments, registration pages, chats, wikis, forums, etc.).

Another problem is that anti-spam programs cannot detect context-based spamming by professionally made bots. There are many approaches. The simplest one is web scraping multi-author human dialogs from other web boards and posting them CONTEXT-SENSITIVELY (bots can detect topics) from different IP addresses in different countries at different times, so that even the owner (a human) of a weblog cannot detect that the dialogs are posted by bots (they really are human dialogs stored in a database).

It is only a matter of interest in your website from professional spammers, or of time plus qualified persistence of amateurs, to automatically circumvent most (if not all) CAPTCHAs.

12 revs answered Sep 21 '22 05:09


To be honest, I find those things quite useless. If someone can bypass your CAPTCHA then they will for sure be able to bypass simple mathematical equations, as it requires much less effort to do so.

If it is for a signup form I guess the best thing to do is to have a CAPTCHA + confirmation link sent by email (and exclude bogus email addresses, like mailinator). You can purge the DB from unconfirmed registrations periodically.

Of course there is no 100% safe method; any form of CAPTCHA can be bypassed (given enough time and resources), so I guess we have to live with that.

nico answered Sep 21 '22 05:09
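
The confirmation-link flow described in the answer above, sketched as an added example that is not part of the original answer: a signup is stored as pending, addresses on a disposable-domain blocklist are rejected, the account activates only when the e-mailed token comes back, and a periodic job purges signups that were never confirmed. The table layout, function names, one-entry blocklist and 24-hour lifetime are assumptions; the CAPTCHA step and the actual mail sending are left out.

```python
import hashlib, secrets, sqlite3, time

# Assumption: constructed one-entry blocklist; a deployment would load a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com"}
CONFIRM_TTL = 24 * 3600  # assumed lifetime (seconds) of an unconfirmed signup

def init_db():
    db = sqlite3.connect(":memory:")  # hypothetical schema for the example
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, token_hash TEXT,"
               " created REAL, confirmed INTEGER DEFAULT 0)")
    return db

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def register(db, email, now=None):
    """Store a pending signup; return the token to e-mail, or None if rejected."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain or domain in DISPOSABLE_DOMAINS:
        return None
    token = secrets.token_urlsafe(32)  # unguessable, single-use
    try:
        db.execute("INSERT INTO users (email, token_hash, created) VALUES (?, ?, ?)",
                   (email, _hash(token), time.time() if now is None else now))
    except sqlite3.IntegrityError:
        return None  # address already registered or pending
    return token  # goes into the confirmation link; only its hash is stored

def confirm(db, token, now=None):
    """Activate the account if the token matches an unexpired pending signup."""
    now = time.time() if now is None else now
    cur = db.execute("UPDATE users SET confirmed = 1, token_hash = NULL "
                     "WHERE token_hash = ? AND confirmed = 0 AND created > ?",
                     (_hash(token), now - CONFIRM_TTL))
    return cur.rowcount == 1

def purge_unconfirmed(db, now=None):
    """Periodic job: delete signups never confirmed within CONFIRM_TTL."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM users WHERE confirmed = 0 AND created <= ?",
                     (now - CONFIRM_TTL,))
    return cur.rowcount
```

Storing only the SHA-256 of the token means a leaked database row cannot be replayed as a confirmation link, and clearing the hash on success makes each link single-use.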