No, a captcha is very different. A captcha relies on some output (letters/numbers in a graphic or an equation to solve) that is human readable/solvable. This is almost impossible for a bot to decipher and hence is a good defense. A referer is trivial to fake. Just put the domain name in the referer and voila: it is not a defence. So, it just becomes another arsenal in the arms race that becomes useless quickly, giving a false sense of security, wasting effort, and bloating the code.
On 10/1/05, Larry Garfield <larry@garfieldtech.com> wrote:
Um, isn't that the idea behind a captcha? We've got that already.
http://drupal.org/project/captcha
On Saturday 01 October 2005 10:44 am, Theodore Serbinski wrote:
One method we may want to look into. When a session is created for a user and they are on a page that allows comments, we come up with a unique hash based on say the node ID and session ID. We store this in the user's session. When the user goes to create a comment, we pass this unique hash with a hidden input field and when they click "post comment" we verify this input hidden hash against one stored in the user's session. This should prevent most spam comments, IMO.
ted
On 10/1/05, Khalid B <kb@2bits.com> wrote:
This defense may work for a while, but will be very short lived.
Spam bots will be upgraded to fake a referer that contains the domain name.
The spam arms race continues ...
-- Larry Garfield AIM: LOLG42 larry@garfieldtech.com ICQ: 6817012
"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it." -- Thomas Jefferson
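The hidden-field token proposed in the thread above (a hash of node ID and session ID, stored in the session and checked on "post comment"), as an added example that is not part of the original messages and not Drupal's code. Assumptions: the function and field names are hypothetical, a plain dict stands in for the session store, the hash is an HMAC keyed with a random per-session secret, and each token is single-use.

```python
import hashlib
import hmac
import secrets

FIELD = "comment_token"  # hypothetical form field name


def issue_token(session: dict, node_id: int) -> str:
    """Derive a token from session ID + node ID and store it in the session."""
    # Assumption: a random per-session secret keys the hash, so knowing the
    # session ID and node ID alone is not enough to recompute the token.
    secret = session.setdefault("form_secret", secrets.token_bytes(32))
    msg = f"{session['sid']}:{node_id}".encode()
    token = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    session.setdefault("comment_tokens", {})[node_id] = token
    return token


def hidden_field(token: str) -> str:
    """Markup the comment form carries back to the server."""
    return f'<input type="hidden" name="{FIELD}" value="{token}">'


def verify_token(session: dict, node_id: int, form: dict) -> bool:
    """Check the posted token against the one stored for this node."""
    # pop() makes the token single-use (an assumption beyond the thread):
    # a replayed POST finds nothing stored and is rejected.
    expected = session.get("comment_tokens", {}).pop(node_id, None)
    submitted = form.get(FIELD)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    session = {"sid": "constructed-session-id"}  # constructed sample session
    token = issue_token(session, node_id=42)
    print(hidden_field(token))
    print("first post: ", verify_token(session, 42, {FIELD: token}))
    print("replayed:   ", verify_token(session, 42, {FIELD: token}))
    print("no token:   ", verify_token(session, 42, {}))
```

The check only rejects posts that never loaded the comment form in the same session; a client that requests the page first receives a valid token like any browser.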