If spammers and service abusers went away, CAPTCHAs would go away. Service providers don't use CAPTCHAs for the giggles. And the bad guys are getting better with OCR (or using sweat shops) so CAPTCHAs need to get harder to read to keep enough of them out.
If you can come up with something else that can distinguish legitimate users and bad guys, you'd be a very popular guy.
Some service providers seem to do it, because everyone else does it. Tiny blogs, obscure niche sites. They are afraid of spammers and never had a real look at it how necessary CAPTCHAs really are.
Oftentimes, a simple JavaScript-based spam protection is enough.
Automatically fill a hidden form with constant text. Unless you are a big site, smammers are really just bots who hit your site along with thousands of others. No one will notice if your site doesn't accept the spam, and if they did, no one would care enough to implement a work around.
Unfourtuantly, you cannot bundle this feature into a popular library, because then enough people would use it, that bot makers would implement a work around.
So true! Its beyond ridiculous when you are forced to enter captchas on tiny sites which hardly get 10 visitors in a day. Have seen this in numerous such sites.
Do you think that tiny sites get less automated spammers? In such sites the spambot registration attempts far outnumber the real users.
If you have a decent site, you can afford to review/delete/block spam afterwards, but if you have a small site and don't babysit it every dey, then a tough captcha is an absolute requirement.
For a small site, doing anything out of the ordinary is enough to stop the vast majority of spam.
For years, I had a non-captcha on my blog that simply read:
Enter the word "elbow": ________
That was it. The word was hardcoded, and the server simply checked to see if that input field did, indeed, contain the word "elbow". Spam completely halted for a long time. Eventually, it started showing up again, and once I got tired of deleting a couple of spams per week, I changed it to:
Enter the word "humour", but with American spelling: ________
Once again, spam stopped for a long time. As a bonus, I had a couple of commenters complaining that not everybody was a native English speaker and this question was too hard. I say "bonus", because I like keeping away commenters who can't be bothered to spend five seconds on Google.
This started to break down eventually as well. My latest effort, done more for fun than effectiveness, is to implement a hashcash proof-of-work system in Javascript. In short, the server sends a random salt to the client, and the client must then come up with a string which, when concatenated with the salt, has an SHA-1 hash with a certain number of leading zero bits. This is easy to verify (the server just takes the client's result, performs a hash, counts the leading zero bits) but hard to produce (the client has to brute-force it).
The relative slowness of JavaScript crypto makes this not actually very useful in a theoretical sense. I've calibrated the difficulty to take about 20 seconds of work in the browser, but a decent native code implementation can do the same amount of work in maybe a tenth of a second. So, against a determined attacker, it won't be much of an obstacle.
But as a relatively small site with a completely custom anti-spam solution, I don't get determined attackers. I get the occasional spam message with this in place, but from the server logs it's obvious that it's actual real human beings firing up the comment form and waiting the ~20 seconds for the hashcash to complete before posting their comment. Terribly inefficient for them, and it keeps stuff down to a manageable level.
In summary, if you have a small site, you can throw up nearly any custom anti-spam measure, no matter how silly or easy, and have it be effective. A standard captcha may be easier to add than a non-standard anything, but it's definitely not an "absolute requirement". Big sites are completely different, since they'll attract enough spammer attention for site-specific attacks.
I don't care if you prevent me from posting for 20 seconds, but if you make my laptop fan spin up, or cause my old computer to get unresponsive, especially if I have no clue why, I'm gonna be upset. I'm used to video sites slowing down the computer slightly, but if a simple blog does it, I'm gonna be confused, and possibly pissed.
The trick is to start the compilation when you start showing the comment box -- and only show the "reply" button once it's done. This way, for nearly all comments, it will be done calculating before you are done commenting (this has already taken me more than 20 seconds!), and it retains its hard-to-spam properties.
My comment box is always visible, but I don't start the computation until the user actually focuses one of the fields. The submit button is disabled until the hashcash computation completes, but that's about it. If you're not racing the hashcash computation, you'll likely not notice anything unusual.
Can you back that claim with actual data or are you exactly the guy I was talking about in my post?
I run a phpBB forum and 2 blogs. They got the standard spam like everyone else. Once I installed Spam Destroyer for Wordpress and made a 3-line JS-based modification for phpBB, I reduced spam by approximately 99,99%.
My main Web App gets something like 40,000 visits per week and is online since 2006. I never bothered with a CAPTCHA and there are hardly any spam signups. Same JS-based spam protection mechanism.
Yeah, if you are a small site using any off-the-shelf forum software, you will need defense from the spambots. They don't care that your forum has only 10 real users. It's spray-and-pray spamming.
If you can come up with something else that can distinguish legitimate users and bad guys, you'd be a very popular guy.