I looked at an example related to the article you posted. At first glance it seems that this can be easily circumvented.
The captcha flag works on the grounds that spam bots do not analyze or use JavaScript code embedded in web pages. Because of this, they will not find the captcha checkbox element in the form that it is looking for, and therefore will not send the POST value for the flag along with the form, and on the server side you will reject the form if the flag value is not submitted.
The problem with this:
- The flag name is always the same (gasp_checkbox)
- The bot can be easily "trained" to detect this JavaScript on your page and act accordingly.
- Even if you print a random name and value that should be used for this flag, it can still be detected
The result of these 3 problems is that it is much easier to break than image drops or other methods. All bots have to do when they submit your form is add gasp_checkbox=on to their HTTP request.
However, if you implement this for yourself on your own site, it is unlikely that any bots will be able to get past it, because its use is not widespread.
You can make it safer by following these steps:
- Create unique name/value pairs for the checkbox on the server side and print these values in obfuscated JavaScript for the client
- Submit the script away from your form, preferably in the external javascript file that the script creates.
- Make sure that the values sent for the checkbox correspond to a pair that was previously generated and not used before.
If you do this, I think you can set an effective captcha flag. If someone catches this on your site, it can still be trivial to win even with the above guarantees, but it can take some time and still be effective for you most of the time.
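A server-side sketch of the three hardening steps listed in the answer above, added here as an example and not part of the original answer. The class and function names, the `comment-form` id, the in-memory store and the expiry time are all assumptions; the script is generated but not obfuscated.

```python
import hmac
import json
import secrets
import time


class CheckboxChallenges:
    """Issues one-time checkbox name/value pairs and checks submitted forms."""

    def __init__(self, ttl=600, clock=time.time):
        # ttl is an assumption added to bound the store; the answer only asks
        # that a pair was previously generated and not used before.
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # field name -> (expected value, expiry time)

    def issue(self):
        """Return a fresh random (name, value) pair for one rendered form."""
        self._purge()
        name = "f_" + secrets.token_hex(8)
        value = secrets.token_urlsafe(16)
        self._pending[name] = (value, self._clock() + self._ttl)
        return name, value

    def verify(self, form):
        """True only if the form carries an issued, unused, unexpired pair."""
        self._purge()
        for name in list(form):
            if name not in self._pending:
                continue  # ordinary field, or a fixed name such as gasp_checkbox
            expected, _ = self._pending.pop(name)  # consumed even on a mismatch
            return hmac.compare_digest(str(form[name]).encode(), expected.encode())
        return False

    def _purge(self):
        """Drop pairs whose lifetime has passed."""
        now = self._clock()
        for name in [n for n, (_, exp) in self._pending.items() if exp <= now]:
            del self._pending[name]


def render_script(name, value, form_id="comment-form"):
    """Body of the separately served JavaScript file that adds the checkbox."""
    return (
        "(function(){var f=document.getElementById(%s);if(!f)return;"
        "var c=document.createElement('input');c.type='checkbox';"
        "c.name=%s;c.value=%s;f.appendChild(c);})();"
        % (json.dumps(form_id), json.dumps(name), json.dumps(value))
    )
```

In a real deployment the pending pairs would live in the visitor's session or a shared store, so a pair issued to one client cannot be redeemed by another.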