Ask HN: What's your experience with PoW captchas against form spam?

5•pentacent_hq•19h ago
Hey folks,

I'm building an Open Source email newsletter tool and one of the challenges we have is form spam: As soon as a signup form goes live somewhere, bots will try to sign up. This is possibly an attempt to overwhelm the inbox of people whose accounts have been compromised. But it's also bad for the people who run the newsletter as these ultimately unwanted emails reduce their sender reputation.

There was recently a discussion here on HN about this topic [1]. The post author ended up using Cloudflare Turnstile to mitigate the issue. We currently already have support for external captcha solutions like hCaptcha. However, many of our users are quite privacy-conscious and don't like having user data sent to third parties (especially non-EU third parties for our European users).

So now I've been thinking of adding an invisible proof-of-work (PoW) captcha to all signup forms. Possible implementations I've been considering are Altcha [2] and mCaptcha [3].

Now to my question: Have any of you tried using PoW captchas to protect against form spam? What have your experiences been with it so far?

[1] https://news.ycombinator.com/item?id=47609882

[2] https://altcha.org/

[3] https://mcaptcha.org/

Comments

foundermodus•18h ago
I think Altcha is better; I have heard good things about them. And it looks easy to implement and can be self-hosted, which is great!!

pentacent_hq•18h ago
Thanks! Would you be able to share a bit more of what you've heard about Altcha?

dlcarrier•16h ago
I'm convinced the most accurate way to use a captcha is to assume that any user that completes the puzzle is a bot.

pentacent_hq•15h ago
Well, that's just not true, is it? Try having any public form and you'll see tons of bot submissions; add a captcha, and most of them go away.

kay_o•12h ago
These will stop curl-based requests but will not do anything against headless browsers. mCaptcha is mostly dead.

It only increases the cost for bots and does not stop anything unless you sign up for the monthly subscription pay-per-request plan from Altcha, for example. Then you are in a paid Turnstile situation, and not self-hosted. (https://altcha.org/docs/v2/sentinel/ - with third-party API services, paid IP databases, and an additional paid subscription key, this is the only mode that will do anything of much value)

pentacent_hq•11h ago
Well, that's why I am asking for practical experience using these tools. Maybe most form spam bots are (still) not advanced enough to complete PoW captchas. Have you tried Altcha or mCaptcha in production?

kay_o•9h ago
I have tried everything so far. Something like reCAPTCHA v3 will block most headless browsers but is very invasive; solving it raises the cost quite a bit (for the auto solvers).

Notably, no matter what the advertised repositories say, the so-called "pure play" (100% local, no tracking) kind of PoW captcha doesn't do anything if you are a target and specifically have tools written for you.

For example: I work at a company for an MMO game, and as such have to look at what is made. Our form requires numerous so-called invasive features featuring multi-step, TLS analysis, fingerprinting, WebGL, and more. People write dedicated tools to brute-force login details or spoof spam; that includes full browser automation, and they don't care about 100% usage of CPUs. (I do not have any say in this matter and it's out of my scope; I do not "like" this kind of invasiveness.)

It depends on your threat model and what this is for. For a personal blog, a regular one will be fine; any will do. For anything someone will write a targeted tool for, all self-hosted PoW will do nothing.

If you are getting generic form spam, simply renaming your field or adding one random invisible field is sufficient to stop automated bot traffic until someone writes a targeted tool for yours.

pentacent_hq•46m ago
Thanks for sharing! My current experience is that honeypot fields are often ignored by the bots we're dealing with, but adding hCaptcha is pretty reliable in getting rid of them.
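
Added example, not part of the thread and not Altcha's or mCaptcha's code: a generic hashcash-style sketch of the server side of a signup form that combines the two measures discussed above, a self-hosted PoW challenge and a honeypot field. The field names (`website`, `salt`, `expires`, `sig`, `nonce`), the difficulty and the in-memory replay set are assumptions made for illustration.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)  # per-deployment server key (assumption)
BITS = 12                # difficulty: about 2**12 hashes per solve (constructed value)
TTL = 120                # seconds a challenge stays valid
spent = set()            # redeemed salts; a TTL cache or DB table in production

def sign(salt: str, expires: int) -> str:
    return hmac.new(SECRET, f"{salt}.{expires}".encode(), hashlib.sha256).hexdigest()

def issue(now=None) -> dict:
    """Stateless challenge: the HMAC lets the server recognise its own salt later."""
    expires = int(now if now is not None else time.time()) + TTL
    salt = os.urandom(16).hex()
    return {"salt": salt, "expires": expires, "sig": sign(salt, expires)}

def zero_bits(salt, nonce) -> int:
    digest = hashlib.sha256(f"{salt}.{nonce}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve(ch: dict) -> int:
    """Work the form widget does in the browser: find the smallest valid nonce."""
    nonce = 0
    while zero_bits(ch["salt"], nonce) < BITS:
        nonce += 1
    return nonce

def check_signup(form: dict, now=None) -> str:
    """Return 'ok' or the reason the submission is rejected."""
    now = now if now is not None else time.time()
    if form.get("website"):  # hidden honeypot field, humans leave it empty
        return "honeypot"
    try:
        salt, expires, nonce = str(form["salt"]), int(form["expires"]), int(form["nonce"])
        sig = str(form["sig"])
    except (KeyError, TypeError, ValueError):
        return "malformed"
    if not hmac.compare_digest(sig.encode(), sign(salt, expires).encode()):
        return "forged"      # salt or expiry was not issued by this server
    if now > expires:
        return "expired"
    if salt in spent:
        return "replayed"    # one solved challenge buys exactly one signup
    if zero_bits(salt, nonce) < BITS:
        return "bad-proof"
    spent.add(salt)
    return "ok"
```

Verification costs the server one HMAC and one hash, while each accepted signup costs the submitter about 2**BITS hashes; without the expiry and replay checks, a single solved challenge could be reused for unlimited submissions.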