CleanTalk - caught some spam but still getting through, plus the monthly cost adds up Turnstile - better UX than reCAPTCHA but bots seem to be solving it reCAPTCHA v2 - effective but users hate the image challenges reCAPTCHA v3 - invisible but I'm still getting 20-30 spam submissions daily even with strict thresholds
I've also implemented honeypots, rate limiting, basic keyword filtering, and email validation (both format checking and MX record verification). The spam is getting more sophisticated - proper English, realistic email addresses that actually exist, even passing behavioral checks. What I'm curious about: How does Hacker News handle spam so effectively? I rarely see spam comments here, and there's no visible CAPTCHA. Are you using something custom, or is there a service/approach I'm missing? For context, I get about 500 legitimate form submissions per month, so I need something that won't block real users while stopping the bot flood. What's worked best for your sites? Especially interested in hearing from anyone who's dealt with determined, human-like spam at scale.
gus_massa•1d ago
Go to your profile https://news.ycombinator.com/user?id=pettycashstash2 and enable "showdead". There is a lot of bad post that are [dead] and are hidden unless you really want to see them.
There is a mix of automated tools, but the details are part of the secret sause, dang never told them. Also a lot of manual moderation by the mods. And also, users can flag and downvote bad comments and with enough of them the post is marked as [dead].
A long time ago, I used Spambayes to filter email. I'm not sure if it van be adapted to filter your contact messages.
pettycashstash2•19h ago
gus_massa•9h ago
Also, other blog has a hidden field, that should be empty, but bots like filling all fields.
I'd try those stupid tricks, and if they fail I'd try to put Spambayes as a filter. It was nice because it has good/bad/unusual, and you may like to take a look at unusual stuff to detect false positives. (I'm not sure if there is a better alternative to Spambayes. I used it like 20 years ago.)