EE Spotlight: Avoiding CAPTCHA With ExpressionEngine
Published: 02/14/2012
EE Spotlight
I have a well-known hatred for CAPTCHA, and in my latest EE Spotlight article, titled Avoiding CAPTCHA with ExpressionEngine, I go into the whys and hows of making CAPTCHA a thing of the past on your ExpressionEngine sites. The TL;DR version is to use a combination of Snaptcha, Low NoSpam, and VZ Bad Behavior to block 99.999% (totally made up percentage) of your site spam.
Read it over at EE Spotlight.
Let me start by saying straight out: I really dislike CAPTCHA (those annoying “verify the word” image things on forms). Personally, I consider CAPTCHA to be web development’s equivalent of Digital Rights Management (DRM): just a nasty and heavy-handed “solution” to spam prevention that hurts a project more than it helps.
In my experience CAPTCHA is annoying, ineffective in a lot of situations, and it plain gets in the way of legitimate users doing legitimate things. CAPTCHA should never be a first, second, or hell, even a thirtieth solution, yet on so many web development projects it’s frequently the first, and that’s just not acceptable if you care about the user experience.
That said, the ExpressionEngine add-on ecosystem has quite a few options for avoiding CAPTCHA like the plague that it is. I’ve adopted a simple, tiered approach to comment spam prevention that works out quite well. Using a combination of VZ Bad Behavior, Snaptcha, and Low NoSpam, the mithra62.com site went from around 100 spam comments a day to, seriously, zero. To be fair though, mithra62.com is a fairly new site, so depending on scale your results may differ and due diligence should still be taken.
VZ Bad Behavior
The first line of defense is VZ Bad Behavior from Eli Van Zoeren. VZ Bad Behavior is a free ExpressionEngine extension that’s essentially a wrapper for one of my favorite PHP libraries, Bad Behavior. The great thing about Bad Behavior is that it acts as a gatekeeper for your site, helping prevent spammers from even seeing your site, much less submitting spam. It’s a pretty elegant solution really. Bad Behavior looks at each request to a web page, checks it for known malicious or spammy patterns, and either blocks or allows the request. Bad Behavior can even use data from Project Honey Pot’s http:BL service, so requests from IP addresses already known as spam sources get blocked before they ever reach a page.
In my experience, Bad Behavior works really well for your normal, everyday website visitor. It does not hold up under RESTful scenarios at all though. It makes sense if you think about it: a RESTful request, however trusted, looks a lot like what a malicious or spam request looks like, so of course it gets blocked. To Eli’s credit though, he’s well aware of this and has made accommodations within VZ Bad Behavior. If you use ExpressionEngine as sort of an API you’ll want to check those out.
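To make the gatekeeper idea concrete, here is an added example of request-level screening in the style Bad Behavior uses, written in Python rather than PHP so it runs offline. It is not code from Bad Behavior or VZ Bad Behavior. The http:BL lookup name and reply layout follow Project Honey Pot’s published format (a 127.days.threat.type reply); the access key, the header heuristics, the thresholds and the sample replies are this example’s own.

```python
"""Request screening in the style of Bad Behavior, using Project Honey Pot's
published http:BL reply format. Added example, not code from Bad Behavior or
VZ Bad Behavior. The DNS call is injectable so the decision logic can run
offline against constructed replies."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor-type bits in the fourth octet of an http:BL reply
# (0 = search engine, 1 = suspicious, 2 = harvester, 4 = comment spammer).
SUSPICIOUS, HARVESTER, COMMENT_SPAMMER = 1, 2, 4


def httpbl_query_name(access_key: str, client_ip: str) -> str:
    """Build the lookup name <key>.<octets reversed>.dnsbl.httpbl.org."""
    ip = ipaddress.IPv4Address(client_ip)          # http:BL covers IPv4 only
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


@dataclass
class HttpblResult:
    days_since_last_activity: int
    threat_score: int   # for search engines (type 0) this octet is an engine id, not a score
    visitor_type: int


def parse_httpbl_reply(answer: str) -> HttpblResult:
    """Decode a 127.<days>.<threat>.<type> reply."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"unexpected http:BL reply: {answer}")
    return HttpblResult(octets[1], octets[2], octets[3])


def lookup_httpbl(access_key: str, client_ip: str,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[HttpblResult]:
    """Return the parsed listing, or None when the IP is not listed (NXDOMAIN)."""
    try:
        return parse_httpbl_reply(resolve(httpbl_query_name(access_key, client_ip)))
    except socket.gaierror:
        return None


def screen_request(headers: Dict[str, str], listing: Optional[HttpblResult],
                   threat_threshold: int = 25, max_age_days: int = 30) -> Tuple[bool, str]:
    """Gatekeeper decision: (allowed, reason). The header checks are the kind of
    request-level heuristics Bad Behavior applies; the thresholds are this example's own."""
    if not headers.get("User-Agent", "").strip():
        return False, "blank User-Agent"
    if "Host" not in headers:              # HTTP/1.1 requires Host; real browsers always send it
        return False, "missing Host header"
    if listing is None or listing.visitor_type == 0:
        return True, "ok"                  # not listed, or a known search engine
    if listing.days_since_last_activity > max_age_days:
        return True, "stale listing"       # old data: don't penalise a reassigned IP
    if listing.visitor_type & (HARVESTER | COMMENT_SPAMMER) and listing.threat_score >= threat_threshold:
        return False, f"http:BL type {listing.visitor_type}, threat {listing.threat_score}"
    return True, "ok"


if __name__ == "__main__":
    # "abcdefghijkl" is a placeholder access key; the reply below is constructed.
    listing = lookup_httpbl("abcdefghijkl", "192.0.2.10", resolve=lambda _name: "127.3.40.6")
    print(screen_request({"User-Agent": "Mozilla/5.0", "Host": "example.com"}, listing))
```

Two design points are worth noting: a search-engine listing (type 0) is allowed through regardless of the third octet, because for that type it is not a threat score, and a stale listing is ignored so an IP that has since been reassigned is not punished for its past. This is also exactly where the RESTful problem shows up: an API client with no User-Agent fails the first check, so any API path needs its own exemption.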
Snaptcha
For those requests that get past Bad Behavior, and some will, the next line of defense I like to use is Snaptcha from PutYourLightsOn. From the official page:
Snaptcha will automatically add a hidden field to your Comment forms, Safecracker forms, Freeform forms and Member Registration forms and will validate it on submission. If it determines that a spambot is attempting to submit the form then it will prevent the form from being submitted and will output an error message. You can control the level of security as well as the error message text.
Snaptcha is a really elegant and simple solution if you think about it. By adding a hidden field to your forms, Snaptcha lets spam bots do what they do by default (fill in every field they find) while legitimate users, who never see the field, aren’t inconvenienced at all. It’s like Snaptcha uses the spammer’s own logic against it. Very nice IMHO.
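Here is an added example of the hidden-field (honeypot) check Snaptcha is built around, in Python so it runs stand-alone; it is not Snaptcha’s code, and the per-form field naming, the secret, the markup and the sample submissions are this example’s own choices.

```python
"""Honeypot ("hidden field") form check in the spirit of Snaptcha. Added example,
not Snaptcha's code; the field naming, secret and markup are this example's own."""
import hashlib
import hmac
from typing import Mapping, Tuple

SECRET = b"constructed-placeholder-secret-rotate-me"   # constructed; load from config in real use


def honeypot_field_name(form_id: str, secret: bytes = SECRET) -> str:
    """Derive a per-form field name so a bot can't hard-code which field to skip."""
    tag = hmac.new(secret, form_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"hp_{tag}"


def render_honeypot(form_id: str) -> str:
    """Markup to inject into the form: moved off-screen, hidden from assistive tech,
    skipped by keyboard focus and autofill, so a human never touches it."""
    name = honeypot_field_name(form_id)
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label for="{name}">Leave this field empty</label>'
        f'<input type="text" id="{name}" name="{name}" value="" tabindex="-1" autocomplete="off">'
        '</div>'
    )


def is_spam_submission(form_id: str, posted: Mapping[str, str]) -> Tuple[bool, str]:
    """Server-side check: the honeypot must be present and empty.
    A missing field means the submission didn't come from a form this site rendered."""
    name = honeypot_field_name(form_id)
    if name not in posted:
        return True, "honeypot field missing (form not rendered by this site)"
    if posted[name].strip():
        return True, "honeypot field filled in"
    return False, "ok"


if __name__ == "__main__":
    field = honeypot_field_name("comment_form")
    print(render_honeypot("comment_form"))
    # Constructed submissions: a real visitor, a bot that fills everything, a bot that skips the field.
    print(is_spam_submission("comment_form", {field: "", "comment": "Nice post"}))
    print(is_spam_submission("comment_form", {field: "http://spam.example", "comment": "buy"}))
    print(is_spam_submission("comment_form", {"comment": "buy"}))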
The only downside, if you can consider it one, is that of the 3 options Snaptcha is the only commercial solution. But, c’mon, it’s only $8.95 per site. Plus, it’s from motherfuckin’ Ben Croker, so you know it’s gonna stay quality and the support is gonna be spot on.
Low NoSpam
The last line of defense for mithra62.com right now is Low NoSpam from Low. Low NoSpam is a free ExpressionEngine extension that checks comments against either the Akismet spam API service or TypePad AntiSpam. Honestly, I’m not familiar with TypePad AntiSpam, even a little, but coming from WordPress, Akismet isn’t a mystery. When a comment gets submitted, it and all its meta info (IP, user agent, email, and content) get checked against a database of known spammers. Not a very elegant approach IMHO (we all get that blacklists don’t scale very well, right?), but it does cut down on spam. I can only assume TypePad AntiSpam works in a similar fashion, but I could be wrong.
That said, eyes open: it’s important to recognize the limits of services like Akismet. As anyone who throws a large amount of data at those services can tell you, they’re starting to show the strain. False positives abound, and trapping legitimate comments or posts is common, even to be expected. To me though, aside from legitimate users being blocked (which is a problem, but it’s better than annoying all visitors with CAPTCHA), Akismet or TypePad are better options than CAPTCHA, and Low NoSpam delivers those services in as nice and unobtrusive a package as possible.
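To show what a comment check against a service like Akismet involves, and where the false-positive problem gets handled, here is an added example in Python. It is not Low NoSpam’s code. The endpoint and parameter names follow Akismet’s published comment-check API as I understand it (verify them against the current docs); the verdict-to-action routing, the API key and the sample replies are this example’s own.

```python
"""Akismet-style comment check plus the routing decision the caller has to make.
Added example, not Low NoSpam's code. Endpoint and parameter names follow Akismet's
published comment-check API as I understand it; the transport is injectable so the
logic runs offline against constructed replies."""
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

AKISMET_COMMENT_CHECK = "https://rest.akismet.com/1.1/comment-check"
Transport = Callable[[str, bytes], Tuple[int, Dict[str, str], str]]


def _http_post(url: str, body: bytes) -> Tuple[int, Dict[str, str], str]:
    """Real transport: (status, lower-cased headers, body text)."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()


def akismet_verdict(api_key: str, site_url: str, comment: Dict[str, str],
                    transport: Optional[Transport] = None) -> str:
    """Return 'ham', 'spam', 'discard' or 'unknown' for one submitted comment.
    The comment dict carries the meta the article lists: IP, user agent, email, content."""
    params = {
        "api_key": api_key, "blog": site_url,
        "user_ip": comment["ip"], "user_agent": comment["user_agent"],
        "comment_type": "comment",
        "comment_author_email": comment.get("email", ""),
        "comment_content": comment["content"],
    }
    body = urllib.parse.urlencode(params).encode()
    try:
        status, headers, text = (transport or _http_post)(AKISMET_COMMENT_CHECK, body)
    except OSError:
        return "unknown"                      # service down or unreachable
    if status != 200 or text not in ("true", "false"):
        return "unknown"                      # e.g. "invalid" (bad key, missing parameter)
    if text == "false":
        return "ham"
    # Akismet marks only its most certain spam with the discard pro-tip header
    return "discard" if headers.get("x-akismet-pro-tip", "").lower() == "discard" else "spam"


ROUTING = {"ham": "publish", "spam": "moderate", "discard": "drop", "unknown": "moderate"}


def route_comment(verdict: str) -> str:
    """False positives are common, so 'spam' goes to moderation rather than the bin;
    only 'discard' is dropped, and an unreachable service never silently publishes."""
    return ROUTING[verdict]


if __name__ == "__main__":
    # Constructed comment and a constructed "true" reply; "placeholder-key" is not a real key.
    sample = {"ip": "192.0.2.10", "user_agent": "Mozilla/5.0",
              "email": "visitor@example.com", "content": "Great write-up, thanks."}
    verdict = akismet_verdict("placeholder-key", "https://example.com", sample,
                              transport=lambda _url, _body: (200, {}, "true"))
    print(verdict, "->", route_comment(verdict))
```

The point of the routing table is the failure mode the paragraph above describes: a plain "spam" verdict lands in a moderation queue where a human can rescue a legitimate comment, and a service outage degrades to moderation rather than to either auto-publishing or silently dropping everything.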
Using a combination of the above add-ons (VZ Bad Behavior, Snaptcha, and Low NoSpam) has proven to be a winner so far. I’ve been without CAPTCHA for a couple of months, and since installing Snaptcha last month mithra62.com has been a spam-free zone. Of course, your results may vary, so it’s important to tailor a solution around your specific needs, but these 3 are a good place to start.