[1116574]

But it doesn't catch fraudsters!

Point fo captcha is to make sure that there is a human eg. writing this comment or creating account.

If I used this (admitedly cool and useful) rate limiter instead of real captcha I would have 1000s of ai generated posts and 100s of new accounts. Yes, it would be rate limited and spread over a day or week, and servers would easly handle it, but that's not the point. I don't want this fake activity at all - that's the point!

This seems like a good alternative/addition to cloudflare and their anti ddos features though (?)

[thayne]

But a traditional captcha doesn't solve that either. Even if the captcha really is too hard for a bot, you can pay other humans to solve captchas for you at a click farm. Or even just generate content and automate everything except the captcha, and solve those yourself.

[Dylan16807]

A dead comment thinks you're making a no true Scotsman argument, but you're right. The key is that the workarounds you're listing are very cheap and easy, not just possible.

[kaba0]

There are no easy/non-annoying tasks left that could easily differentiate between a human and a bot, and any that may exist will only work for a short time. The only thing left, as mentioned, is to move the price point for an automated attack: I'm sure creating a fake account on your site is not worth, say, 1000$ for those 1000 accounts. Remember, a troll can also register by hand 10-20 accounts, with any kind of captcha, so it's not zero sum either.