[ndabas]

How does this actually stop spam? Any automated bot would just do the POST or whatever is behind the HTML form, without actually loading up the page with this script, and since there's no server-side verification of the user input, it would merrily go through.

[thraxil]

The motionCAPTCHA author seems to be hilariously clueless. Read through the comments on the site from a year ago. A bunch of people, including Aaron Swartz, point out that it misses the fundamental point of a CAPTCHA (being a task that's easier for a human to carry out than a program) and his response to each is some variation of "you need to read the README more closely", or "I'll have a more production version that uses a regular PHP fallback out in a month".

I've been checking in every once in a while to see if there was actually a "secure", "production" version deployed. Figured I could throw together a bot to defeat it in a few minutes and that would be good for a laugh. Doesn't look like there has actually been any development done in a year though.