by gingerbread-man 2686 days ago
Because Google can extract value from captchas, it makes world-class captchas and bot detection AI available to every webmaster for free. I don't know what that level of service would otherwise cost, but it almost certainly wouldn't be affordable for low-traffic blogs and the like, which would end up vulnerable using weaker captchas or trying to roll their own. Everywhere else the cost would just get passed on to users.

I don't love the compromise of paying for things with my data or by training Google's AI, but it's hard to say users aren't getting anything out of it. That said, I do miss the old reCaptcha.


> it almost certainly wouldn't be affordable for low-traffic blogs and the like

Very few low-traffic blogs that I see use (or need) CAPTCHAs. I know that the ones I run don't.

> I don't love the compromise of paying for things with my data or by training Google's AI, but it's hard to say users aren't getting anything out of it.

I don't think they are getting much, if anything, out of it -- aside from being increasingly punished for defending themselves against being spied on by Google.

My personal blog has a spam filter for comments... it's either that or captcha... or sign in with Google/Facebook.
Often a trivial non-standard thing like "what's the name of the author" works well enough. Especially outside the English language. Spammers won't spend the time to bother adapting their scripts for that.

If this simple thing comes from a popular WordPress plugin the equation for the spammer changes, of course.

There's certainly a period of time where that solution is sufficient as it stops the lowest level of drive-by <form> spam.

But it also sucks the first day you get an attacker who solves it once and then spams you thousands of times.

Modern spam tools are pretty impressive these days and minimize the targeted work the human spammer needs to do in these cases. In the early 2000s, you could set a custom question and then assume no attacker is going to manually code for your little blog.

But even in 2008 I was using spam software (out of curiosity) where you could import a massive blog list, and it would pause spam jobs with failed comment submissions, let you pencil in a value for this unknown field, and then click resume.

You could also choose other actions for that field like "prompt me each time" and sit at your computer multiplexing your labor across hundreds of blogs. And that was pretty polished ten years ago.

> If this simple thing comes from a popular WordPress plugin the equation for the spammer changes, of course.

Exactly :)

My sites use a spam filter as well. I find that it's perfectly adequate.
It's the same with email for example. I've helped a friend roll out his own server because he doesn't want Google reading his emails.

Fair enough, but you won't get Google's spam filter or availability either, which your privacy was paying for.

I do this. Funnily enough, one of the reasons I did it was because Google's spam filters gave me too many false positives, and my Gmail account attracted enough spam that sorting through it manually was a pain.
Has it been a good experience for you? What are you using?

My point was just that even if something is provided to the customer for free, that doesn't mean it's easy to produce. That causes a lot of the issues my non-tech friends have with understanding the scope of work. Just because social media is free and easy to set up as a customer doesn't mean developing a social media platform is easy at all.

I've been using exim and dovecot with rspamd for spam filtering. I have two VPSs on different providers to provide MX backup properly (they're cheap these days, and for low traffic I don't need much more than the smallest VPS). I do DKIM and SPF but not DMARC, and it gets through Gmail's spam filter fine and passes the various other tests you can find online. It took a while to set up right (in the end I found the best route to predictability was writing my own exim config file rather than using someone else's template), but it's pretty simple to run after that; there's some effort to make sure I keep up to date with security patches and monitor log files for anything untoward, but it's relatively small. I'm using Let's Encrypt certs, so email clients have been relatively simple to set up.

Overall it's been a good experience. I run into a few sites which, when I send to them, classify my email as spam or grey-list my sending IP so mail doesn't get through quickly, but then I used to have the same spam problem with some sites when running my own domain through Google Apps.