The Ruby on Rails Security Project would like to help you make your Rails applications more secure. I'm Heiko Webers of bauland42 and I also do Rails security audits. You read the official Rails Security Guide? Great, so we know each other already, I wrote it. Contact me at 42 -the AT sign- bauland42.de or on Twitter.



[WebAppSec] The idea of negative CAPTCHAs

Spam and automatic submitters really are a problem. One way to defend against them is CAPTCHAs: noisy images in which the user (usually) has to recognize the text and enter it in a field. Although some weak schemes are already broken, CAPTCHAs are a good way to keep junk content out. But as automatic recognition gets better, CAPTCHAs get more sophisticated, and thus harder for humans to read. CAPTCHAs are annoying.
Negative CAPTCHAs
The idea of negative CAPTCHAs is not to ask a user to prove that he's human, but to reveal that a spam/login robot is a robot (bot). Most bots are really dumb: they crawl the web and enter their junk in every form field they can find. Negative CAPTCHAs take advantage of that and include a "honeypot" field in the form which is hidden from the human user by CSS or JavaScript. Ned Batchelder has several ideas on how to do that in his original post.
On the server side, you check the value of that field: if it contains any text, the submitter must be a bot. Then you can either ignore the post or return a positive result without saving the post to the database. This way the bot is satisfied and moves on. You can do the same with annoying users.
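Here is the whole round trip in plain Ruby, as an added example that is not part of the original post or of any Rails helper: the markup for a honeypot field, the server-side "does it contain any text?" check, and a simulated controller action that answers a bot with the same positive result a human gets while saving nothing. The field name `website_url`, the `hp-wrap` CSS class and the `handle_comment` action are assumptions made for the example.

```ruby
# Negative CAPTCHA ("honeypot") check. Plain Ruby, no Rails dependency,
# so it runs stand-alone; in a Rails app the same logic sits in a helper
# and a controller action.

# Assumed field name. Pick something bots are eager to fill in.
HONEYPOT_FIELD = "website_url"

# Markup for the honeypot input. It is a normal text input hidden by CSS
# (assumed class "hp-wrap", styled display:none in the stylesheet), not an
# <input type="hidden">, because many bots skip true hidden inputs.
# autocomplete="off" and the label reduce false positives from browsers
# or people auto-filling the field.
def honeypot_input_html(field = HONEYPOT_FIELD)
  %(<div class="hp-wrap"><label for="#{field}">Leave this field empty</label>) +
    %(<input type="text" name="#{field}" id="#{field}" autocomplete="off" tabindex="-1"></div>)
end

# True when the submission looks like a bot: the honeypot carries any text.
# Accepts string or symbol keys, as Rails params may present either.
def bot_submission?(params, field = HONEYPOT_FIELD)
  value = params[field] || params[field.to_sym]
  !value.to_s.empty?
end

# Simulated controller action. `store` stands in for the database.
# Bots get the same :ok status as humans but nothing is persisted, so the
# bot is satisfied and moves on instead of retrying.
def handle_comment(params, store)
  if bot_submission?(params)
    { status: :ok, saved: false, reason: :honeypot_filled }
  else
    store << params.slice("author", "body") # assume sanitized/validated elsewhere
    { status: :ok, saved: true, reason: nil }
  end
end

if __FILE__ == $PROGRAM_NAME
  db = []
  # Constructed sample submissions: one human, one bot.
  puts handle_comment({ "author" => "Eric", "body" => "Nice idea", "website_url" => "" }, db).inspect
  puts handle_comment({ "author" => "bot", "body" => "buy now", "website_url" => "http://spam.invalid" }, db).inspect
  puts "stored: #{db.size}"
end
```

The check deliberately treats any non-empty value as a bot, exactly as the post describes; a looser variant that also counts whitespace-only values as human trades a little detection for fewer false positives. Logging the `:honeypot_filled` reason (without echoing the submitted content) gives you a cheap spam-rate metric and a way to notice when bots start skipping the field.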
Next step 
This is the basic idea of negative CAPTCHAs, you can make them more sophisticated with Ned's help.


Reader Comments (5)

I really like this idea. Although I do find it slightly funny I have to fill out a Captcha to post this message. :)

April 4, 2008 | Unregistered Commenter Eric Anderson

Interesting. I wonder how long this technique will remain effective?

April 4, 2008 | Unregistered Commenter James H.

I posted about exactly that at my website.

Even with akismet I was getting a big amount of spams. So I decided to go the honeypot approach.

In my case, I don't know if the bots actually decide if a field is worth filling. So I used a field which I assumed most of them would like to fill, which is the 'email'.

Publishing the email of a user on one's website only allows spammers to capture it and use it to spam even more, so I think 'email fields could be considered bad'.

I left the field with a CSS class to hide it, and whenever someone fills it in, I silently ignore it. Even then a few spams still go through, I don't know how.

I do hate image captchas, they are annoying.

April 4, 2008 | Unregistered Commenter AkitaOnRails

[...] and brought to my attention by Heiko Webers’ RoR Security Project.) Posted by iqag Filed in Development, Interweb, Security and [...]

I just added a user-visible field called URL with the text "if you are a spammer enter your website here, your message will then get deleted".
All bots fill it out :-)
Idiot users also fill it out, which is a good thing too.

April 5, 2008 | Unregistered Commenter George
