Inspired by the post “Form Spam Bot Blocker: Protecting Web-forms without CAPTCHA!”. All the prerequisites are there.
Ideas for modifying that approach:
1. In the HTML page with the comment form, each group of inputs contains several identical fields with different ids; for the message field, for example, “text”, “message”, “post”, “comment”, ...
2. By default the extra fields are hidden and only one is displayed, a different one each time (for example, this time we show “message”).
3. In addition, the page displays a captcha with a field for entering it.
4. The style is loaded from an external generated CSS file, which receives the session identifier in the same way as the generated HTML page.
5. The style specifies which fields to display and which to hide; in our example, for the “message” group we hide everything except “post”.
6. The same CSS also hides the captcha and its input field from the user.
Thus, if the user's browser has requested the generated style, only the “post” field is displayed and the other fields are hidden. If any of the hidden fields are changed, the receiving script concludes that a bot did it and rejects the submission. If the style is not loaded, the classic captcha is displayed. So a bot that did not load our CSS has to determine the visible field and fill in that field and the captcha, without touching the other fields that look very similar in meaning. Or it has to load the CSS, analyze it and work out which field is displayed.
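A sketch of the server-side logic this scheme implies, added here as an example and not taken from the original post. The function names, the session-state dict and the `#captcha` / `#captcha_input` ids are assumptions; the field names come from the example above.

```python
import secrets

# Decoy group for the message input; names taken from the post's example.
MESSAGE_FIELDS = ["text", "message", "post", "comment"]

def new_form_state(rng=secrets.SystemRandom()):
    """Pick, per session, the field plain HTML shows and the field the CSS shows."""
    default_field, css_field = rng.sample(MESSAGE_FIELDS, 2)
    return {"default": default_field, "css": css_field, "css_loaded": False}

def render_css(state):
    """Build the per-session stylesheet; serving it records that it was requested."""
    state["css_loaded"] = True
    hidden = [f for f in MESSAGE_FIELDS if f != state["css"]]
    rules = [f"#{name} {{ display: none; }}" for name in hidden]
    rules.append(f"#{state['css']} {{ display: block; }}")
    # Hypothetical ids for the captcha image and its input.
    rules.append("#captcha, #captcha_input { display: none; }")
    return "\n".join(rules)

def check_submission(state, form, captcha_ok):
    """Return (accepted, reason) for a posted form given as a dict."""
    expected = state["css"] if state["css_loaded"] else state["default"]
    touched = [f for f in MESSAGE_FIELDS
               if f != expected and form.get(f, "").strip()]
    if touched:
        return False, "hidden field filled: " + ", ".join(touched)
    if not form.get(expected, "").strip():
        return False, "visible field empty"
    if not state["css_loaded"] and not captcha_ok:
        return False, "captcha required without stylesheet"
    return True, "ok"
```

The state has to be stored server-side under the session identifier, so that the HTML request, the CSS request and the form POST all see the same field choice.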
“Anomalous” users (for example, those who post a lot of comments) are forced to solve a captcha once they exceed the standard values, with the other security elements still turned on.
Of course, this will not save you from a targeted, determined attack, but it will spare the nerves of ordinary users.
PS: see the clarification in the comments.