by Matt3o12_ 2222 days ago
What is your threat model? What’s the worst thing a spammer can do if they sign up? For most websites, what spammers can do is very limited, so why are you expecting spammers to sign up in the first place?

If you really think a captcha is necessary, limit it. For example, only require a captcha for two account registrations within a 24h period from the same IP. Don’t require captchas for logins unless a reasonable limit of attempts has been exceeded (5 wrong passwords within 24h by the same IP, for example).

If your site is small, a captcha is often overkill. A hidden input can trick pretty much any automated spam bot (if input empty, real user, otherwise bot). Just make sure you do enough research so accessibility readers also work with that field properly.

If a spammer targets you, you can always activate a captcha manually, although by the time you realize it, it might be too late.

Keep in mind that a captcha only adds friction to the spammer (and users). Bypassing reCAPTCHA is possible for any motivated spammer for only a few cents/captcha. There are services that have humans in developing countries solve them for you. Coupled with a headless chromium, you can easily build a reputation so that google will let you through. For testing credit cards, this setup is definitely used and most likely worth it. So a captcha will not always save you from bots.

Also keep in mind that hacker news does not have a captcha and the amount of spammers is minimal.

7 comments

1. Identify a large number of email newsletter signup pages that don't use captcha and which either send an opt-in confirmation message or a welcome message on signup.

2. Identify a target for some kind of account takeover attack. (Assuming you have other details needed for takeover.)

3. Rent botnet.

4. Perform thousands of signups for the target's email address starting shortly before your attack.

If the account's only security notifications (e.g., password reset, etc.) are in the form of emails, the flood of spam will usually keep the target from seeing them until too late.

These are real attacks, frequently seen in the wild.

> What’s the worst thing a spammer can do if they sign up?

In any site that creates a community or has any kind of interaction between its users, spammers and spambots will ruin the site for everyone else.

They must not have been around when proboards/ezboards/phpbbs were regularly taken over by spammers. It could single-handedly kill communities if the admins couldn't keep up.

It's hard for me to take people seriously who rail against recaptcha yet don't seem to realize why we use it nor pitch a real alternative. Or that spammer protection is overrated because their obscure blog doesn't get much spam.

It's easy to enumerate what sucks about something, but you can't just stop there.

>>> What’s the worst thing a spammer can do if they sign up? <<<

Depends on your size and resources. Imagine you're basically scrappy with a very small and tight budget and still trying to validate your idea, and you're using one of those providers that gives you a free quota (like Google App Engine); you don't want 'spammers' to drain your free allotment of resources. I know someone who has a small niche blog in the health sector whose blog was repeatedly targeted by spammers/bots. He repeatedly saw increases in his bills till he had someone audit his blog and try to block the bots.

For a lot of sites, as you mention, it's payments and testing credit cards.

I have found that simply throwing a reCaptcha onto your form forces you to make a bad choice between protecting the user's privacy and creating a mostly-seamless experience: if you don't want most of your users identifying school buses, you need to send all their behavior to Google.

To get around that, I've tried layering a number of different approaches. These include outright throttling/blocking repeated form submissions from the same IP; using a honeypot field; using a third-party email verification/validation service; showing captchas only under certain very restrictive circumstances (heuristics that make a guess/overall traffic patterns); etc. It's more work, and still a bit cat-and-mouse, but at least I don't feel like I'm pissing off every potential customer.
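One way to implement the layered gating described in the original post (captcha only for a second registration from the same IP within 24h, a login captcha after five wrong passwords, a hidden honeypot input) and in this reply (per-IP throttling plus a honeypot), as an added example that is not code from either commenter. The honeypot field name `website` and the in-memory counters are assumptions; a real deployment would keep the counters in a shared store.

```python
# Added example, not from the thread: a gate that applies the thresholds
# discussed above. Counters are per (event kind, IP) and kept in memory
# (assumption); swap in Redis or similar for more than one server.
from collections import defaultdict, deque

WINDOW = 24 * 3600          # 24h sliding window, in seconds
REG_CAPTCHA_AFTER = 1       # a 2nd registration from one IP needs a captcha
LOGIN_CAPTCHA_AFTER = 5     # captcha once 5 wrong passwords were seen
HONEYPOT_FIELD = "website"  # hidden input real users never fill (assumed name)


class CaptchaGate:
    def __init__(self):
        # (kind, ip) -> timestamps of events still inside the window
        self._events = defaultdict(deque)

    def _count(self, kind, ip, now):
        q = self._events[(kind, ip)]
        while q and now - q[0] >= WINDOW:   # expire events older than 24h
            q.popleft()
        return len(q)

    def _record(self, kind, ip, now):
        self._events[(kind, ip)].append(now)

    def check_signup(self, ip, form, now):
        """Return 'reject', 'captcha' or 'allow' for one registration attempt."""
        if form.get(HONEYPOT_FIELD):        # only automated clients fill it
            return "reject"
        prior = self._count("signup", ip, now)
        self._record("signup", ip, now)     # every attempt counts toward the limit
        return "captcha" if prior >= REG_CAPTCHA_AFTER else "allow"

    def check_login(self, ip, now):
        """'captcha' once the IP has too many recent failures, else 'allow'."""
        failures = self._count("login_fail", ip, now)
        return "captcha" if failures >= LOGIN_CAPTCHA_AFTER else "allow"

    def record_login_failure(self, ip, now):
        # Call after a wrong password; successful logins are not counted.
        self._record("login_fail", ip, now)
```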

> What’s the worst thing a spammer can do if they sign up?

I have seen spammers signing up just to send a short message via the welcome email ("Hi firstname," -> "Hi check this foo.com,") to their targets. The worst thing that can happen from that is that your domain/email servers end up on blacklists.

If you send a validation email, being targeted by spammers already means a cost increase, messy databases / analytics and maybe even a ban for having sent too many emails at the same time.

reCAPTCHA can already be configured to be invisible and only display if it suspects the user could be a bot.

For the majority of users, they won't see a captcha challenge and it is a seamless experience with no added friction.

Those who have lots of tracking/privacy protections however will more likely be flagged as a potential bot and usually have tougher challenges as a result.