First off.. if a check mark was enough to do the trick, why was captcha ever invented?
social_experiment wrote: So the developer creates the questions. Here are a few points to consider:
1. Will there be a totally new question for each visitor?
2. If not, how long will it be before the bot has figured out the pattern and you have the same problem?
If they are all coming from the same location (I'm assuming you are inferring IP address) why not ban the IP? Write a script for that instead. I also doubt a person will go through all the trouble. But then again, they 'cracked' CAPTCHA didn't they? It's like the saying goes "If you make it idiot-proof, they will build a better idiot". Good luck with the script and let me know if it works.
1) Negative. No need. I honestly don't understand why you're having so much trouble understanding how this all works. I'll break it down for you. There are bots that scan thousands of sites a day, looking to exploit specific php functions. It finds a contact.php form and you get added to the list. Now... you're on bot2's list and this bot runs different code.. all day long to make use of the exploit on those computers known to have the vulnerability. It runs code to break all the typical spam protection. It sees captcha, it runs ocr code to try and break it. If it's smart enough.. it cracks it and uses your form for fun. Now.. with HII, you can ask a question such as 'what's the 2nd letter of the word cereal?'. Is a bot going to be smart enough to figure out random questions you're asking and supply the right answer? No. It won't. Hence, the name. The programmers wouldn't even attempt it because they know there's an infinite amount of questions they can't program in. Captcha code just looks at the main captcha programs on the internet and figures those out.
So now.. bot 2 runs its code on your page that you now have HII on. It fails to 'post' a url. I'm the guy in India running bot 2 and my logs show that this week, I successfully posted to 3400 websites with the known exploit. I see 384 that it didn't work on. Meanwhile.. bot 1 finds another 15 sites today that get added to the list. Now do you really think India guy is going to say "let's go see why this failed on these 384 sites and fix it?" A week later.. you change your question.. "let's go look at these new 50 sites it failed on". Not gonna happen! Again.. these guys are interested in numbers. Bot runners don't go back to your site. They never went there in the first place. Therefore...
2) It ain't gonna' happen. Or maybe it will down the road? For now though, bot can't crack HII and guarding my site in the here and now is what I'm trying to do.
I also meant they're coming from the same location.. as in India. GeoTracking shows me that. Sometimes they're identical but they change every few days. I actually have a 'Ban IP' script working.. but it does little good in this case.
I am 100% sure this works. Back about 10 years ago, I was running the now archaic FrontPage forum and the bots started hitting that.. spamming the hell out of it almost hourly. I created the same page name and put authentication on it.. giving the username and password to enter right on the page. I never received another piece of spam for the next couple years.
And as for this.. I just found a php script that will allow me to do the same. I now have a piece of php code at the top and bottom of my current page. I have put the password right on the page and only by entering that can you access it. I would bet you a hundred dollar bill that I'll not see any more spam from those bots. Maybe the occasional human? Sure.. but no more bots. Even if India guy comes to visit my page, and sees what I'm doing.. unless what I'm doing becomes immensely popular, they'll shrug and move on. Numbers.. it's all numbers to them.
If you want to understand more of how this works, I just found an excellent article at the same place I found the script. He reinforces everything I've said here... so since you seem to have a problem believing me, you can read it for yourself.
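
The question-based check (HII) described in the post above, as an added PHP example that is not part of the thread and not the script the poster found. The word list, the function names and the `$store` array (standing in for `$_SESSION`) are assumptions; it picks a fresh question per request, which also bears on the "new question for each visitor" point raised in the quoted reply.

```php
<?php
// Added example: per-request question challenge for a contact form.
// HII_WORDS, hii_issue() and hii_verify() are hypothetical names.

const HII_WORDS = ['cereal', 'planet', 'window', 'garden', 'pencil'];
const HII_ORDINALS = [1 => '1st', 2 => '2nd', 3 => '3rd', 4 => '4th', 5 => '5th', 6 => '6th'];

// Build a fresh question; the expected answer stays server-side only,
// so nothing in the rendered form reveals it.
function hii_issue(array &$store): string
{
    $word = HII_WORDS[random_int(0, count(HII_WORDS) - 1)];
    $pos  = random_int(1, strlen($word));
    $store['hii_answer']  = $word[$pos - 1];
    $store['hii_expires'] = time() + 600; // challenge valid for 10 minutes
    return sprintf("What's the %s letter of the word %s?", HII_ORDINALS[$pos], $word);
}

// Check a submission. The challenge is consumed whether or not it passes,
// so a scripted client cannot retry or replay against the same question.
function hii_verify(array &$store, string $submitted): bool
{
    $expected = $store['hii_answer'] ?? null;
    $expires  = $store['hii_expires'] ?? 0;
    unset($store['hii_answer'], $store['hii_expires']);
    if ($expected === null || time() > $expires) {
        return false;
    }
    return hash_equals($expected, strtolower(trim($submitted)));
}

// Constructed demonstration; in a real form $store would be $_SESSION
// after session_start(), and $submitted would come from $_POST.
$store = [];
echo hii_issue($store), "\n";
$answer = $store['hii_answer'];
var_dump(hii_verify($store, strtoupper($answer))); // correct answer, case ignored
var_dump(hii_verify($store, $answer));             // second use of the same challenge
```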