by desbest 5004 days ago
Actually a "2 + 3" captcha is much more effective than a typical one with an image. You'd be surprised.

When I ran a phpBB forum that spammers would join to get some of my PageRank 2 juice, putting up a special question on the registration form (by modifying the PHP code) was much more effective than phpBB3's captcha function with maximum difficulty applied.

Spamming software doesn't have support for captcha questions, only captcha images.

2 comments

It depends on the threat. If you're worried about someone writing a custom script to attack your site, you want a hard captcha. If you're worried about random form-filling bot spammers, you want to be unique.

I wrote a plugin for WordPress years ago that simply asked you to copy a number into a box. If you had JavaScript, it would even do it for you and hide it so most users never even knew it was there. It filtered out nearly every single piece of spam. This would have been mid-2000s though, might be different now.

The problem is, it's always in the form of "x + y = ?", which makes it ridiculously easy to bypass with a script.

At least that's what I initially thought. But after some more digging it seems that x and y are hard-coded to be 2 and 3, respectively.

I opened the registration page in 4 different browsers with different IP addresses (my own, my VPS, and a couple borrowed from Tor) and in all cases the "security" question was "What is 2 + 3?"

Unbelievable.

Ten minutes to implement, stops nearly all automated attacks that aren't specific to this site, much less user hostile, and far fewer accessibility issues.

Believable.

Not to mention a placeholder for a more advanced captcha to eventually be deployed.

Extremely believable.