Captcha issue, a few additional thoughts (Bugs)
But, to be fair, graphical captchas are generally considered ineffective, so they might be not in use in the most cases/instances anyway.
I know. There is an extensive bibliography with algorithms that they used to break the different captchas.
Also our alternative for the graphical captcha, the mathematical captcha, is not really effective, as reports here in the forum show (in example this one or that older one). Both captcha methods have an additional issue beside their ineffectiveness. The captchas makes it harder up to impossible to use the software for people with certain disabilities. Being not able to solve the captcha tasks exclude one from using the software.
All that says nothing about a really working alternative to captchas.
- The forum script works optionally with the service Stop Forum Spam to check e-mail-addresses during the registration process for being known as spam senders. There is no check for the entry form or the contact form.
- The script works optionally with Akismet, to check the content of the entry form and/or the contact form for being possibly spam. There is no check for the registration form.
- The script utilises Bad Behavior locally to scan for spam. The entry form will definitely be checked but I can't say anything about the other cases (registration and contact form) at the moment.
- Last but not least there are the (in this software) ancient blacklist methods for bad words, IPs and user agents. Those methods works in all three cases (entry form, contact form, registration form) but are IMHO very limited because of the really great maintenance effort.
We introduced honey pot fields to several forms in a few minor versions of the 2.4-branch what excludes really silly bots. We introduced a Bayes based spam filter with version 20220508.1, that can be enabled for forum entries, e-mails sent over the contact form and for the registration form separately. The filter has to be trained manually before working good by itself. This is getting done by catching spam entries by hand and with the old methods, that can mark entries as spam and hide them from the thread list. Those hidden entries can be manually marked as spam afterwards, what trains the Bayes based filter.
Every single method is far from perfect but working in combination makes them much more efficient although still not perfect. In this installation we use all of the methods, even without using every feature of every method. For entries I can say, that every when and then (maybe every two or three weeks) a spam entry succeeds but around eight to ten entries per day were catched and get hidden from the thread list to be training material for the Bayes based filter. I can say nothing about the contact form function but I know that our hosting company checks automatically for suspect traffic and there are no reports since over a half year (and the latest reports was about automatically sent e-mails for a privacy feature).
That's my experience with this installation. This tells us nothing about other cases. Other hosting companies might be more thin-skinned about possible spam or forbidding the use of one or another spam prevention method (in example by forbidding the contacting of external services). But with the knowledge of the ineffectiveness of both existing captcha methods we should be able to substract them in our mind from the conglomerate of the other methods we use without making the spam prevention remarkable less effective. Therefore, one should think about not using the captchas any more.
Trenne niemals Müll, denn er hat nur eine Silbe!