rails - Choosing captcha plugin

Question

There are a lot of captchas plugins in Rails and also many types of solutions for preventing spamming and flooding. So it isn't only Rails question.

Let's see what types of plugins do we have:

1. Classic image captcha (zendesk's Captcha, Simple_captcha, Validates_captcha, winton's Captcha, Raptcha).

positive:

• Can be effective to prevent automatic decrypt (not sure about Simple_captcha, but it seems that both zendesk's and winton's captchas don't achieve that, as they use pre-generated images (instead of on-demand), so our possible spam bots can be learned on that images).

negative:

• Require DB table (at least Simple Captcha. Not so bad, but do they clean it after use?).
• Require RMagick or similar (not so actual for me, as I already have it on my site).
• Fail manual decrypt ($2/1000 images as I know).
• Annoying to users and can hurts conversion rates.

2. ReCaptcha (Recaptcha, Rack-recaptcha).

positive:

• Can be effective to prevent automatic decrypt.
• Don't require Rmagick and DB table.

negative:

• Make api-calls to 3rd-party site.
• Fail manual decrypt.
• Even more annoying than previous.

3. Honey pots (Negative-captcha, Trap_door, Reverse_captcha, Honeypot-captcha, Bouncy_bots, invisible_captcha).

positive:

• User doesn't know about captcha presense.
• Don't require Rmagick and DB table.

negative:

• May fail automatic decrypt (are there any bots that can recognize this plugins?).
• Fail manual decrypt.

4. Text-base (Humanizer, Brain_buster, Gotcha).

positive:

• Don't require Rmagick and DB table (except of Brain_buster).

negative:

• May fail automatic decrypt.
• Fail manual decrypt.
• Little bit annoying (can be localized).

5. Other (Acts_as_snook)

positive:

• User doesn't know about captcha presense.
• Don't require Rmagick and DB table.

negative:

Don't know if there any because it's very unusual. But I think it may cause problems in case of flooding, as it can require post's moderation in some times.

6. Akismet-like solutions (don't know about their efficiency).

positive:

• User doesn't know about captcha presense.
• Don't require Rmagick and DB table.

negative:

• Make api-calls to 3rd-party site.
• Deliver user's details to 3rd-party site (very, very bad).

I also should say a few words about my site. Users can see protected form only after an ajax request (after putting something to cart for example). Are modern bots have abilities to do ajax requests and storing cookies?

Answer 1

Flooding is a different problem from spam. You should definitely build the logic around rate limiting into your application, you can do this using validation to check that the user hasn't, for example, placed more than 2 orders in the last 15 minutes.

In regards to captchas any of the plugins you select are most likely going to be great. I wouldn't think of having to install RMagick as a positive or negative, it really isn't that hard to get working. If it was me choosing, my first instinct would be to go with recaptcha, it's the least annoying of them all.

Spam is another issue, it's often entered by human users who can bypass your captcha. Akismet is great for catching spam, definitely take a look at it, you can use it in conjunction with something like recaptcha.

Finally, modern bots are very sophisticated. Far more sophisticated than any of us probably expect. They can fully automate browsers, use OCR to read captcha text and generate spammy content that will bypass even the most sophisticated filters. That said, it's not about "stopping all spam/bots" it's about making the barrier to entry just high enough that it isn't worth it for the casual user.