One other thing I forgot to mention about Honeypot - besides implementing reverse-CAPTCHA, it also looks at how long it took from when your server sent the HTML with the <form> to when the response arrived. A lot of the malware out there is too dumb to delay a few seconds, so the malware sends its response faster than a human possibly could.
What's worrisome is that these solutions are only temporary measures. I can easily think of ways around both of these tests if I were writing code for the bad guys. So I expect that their programmers will implement such workarounds in the near future. And at that point we'll have no effective protection.
This is not just a Drupal problem - it affects every website regardless of what technology it's built with. So, please put the word out to any developers you know - we need to be dreaming up innovative ways of distinguishing between software-generated responses and human-generated responses right now so we'll be ready when the current approaches all start failing.
Mark Rosenthal mbr@arlsoft.com
On 4/5/14 12:38 PM, Dan Kegel wrote:
I'll try honeypot!
I've been making do with the attached script and adding things to .htaccess; it was surprisingly effective (though lately I'm seeing spam from within my own city).
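The two checks described in the first message above (a decoy field plus the time between serving the form and receiving the response), as an added example that is not part of the original thread and is not the Honeypot module's code. The field names, secret and thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, constructed for this example
MIN_SECONDS = 5      # assumption: anything faster is treated as automated
MAX_SECONDS = 3600   # assumption: stale tokens are rejected


def _mac(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value for a hidden field, generated when the form HTML is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def check_submission(fields: dict, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    # Reverse-CAPTCHA: "homepage_url" (hypothetical name) is hidden from
    # humans with CSS, so a non-empty value means software filled it in.
    if fields.get("homepage_url", ""):
        return False, "decoy field filled"
    ts, _, mac = fields.get("form_token", "").partition(".")
    # The MAC binds the timestamp to the server, so a client cannot
    # back-date it to appear slower than it was.
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False, "bad token"
    elapsed = now - int(ts)  # safe: ts was verified as server-issued
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token(now=1000)  # constructed sample: form served at t=1000
    print(check_submission({"form_token": token, "comment": "hi"}, now=1001))
    print(check_submission({"form_token": token, "comment": "hi"}, now=1030))
```

Recording accepted tokens server-side would additionally make each one single-use.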