
The logic is sound, but doesn't play out in the real world that often. The reality is, the overwhelming majority of form spam comes from scripts and bots that are not that well-targeted, and in most cases, people who would normally install reCAPTCHA have no need for it.

Additionally, even though the module has been published for quite a while, and honeypot/time-gate techniques are fairly common, most bots can't account for the small adjustments that are made from site to site using adjustable settings for the module (like field name, time defaults, etc.).

The truth is: once your site or app is targeted by a human who is determined to spam you, the stakes are raised to the point where neither CAPTCHAs nor standard honeypots will deter everything. You will have to do at least some ongoing work to find a way to defeat the spammers.




> The logic is sound, but doesn't play out in the real world that often.

It does play out in the real world a whole lot if you have the misfortune to be in charge of certain kinds of websites.

> once your site or app is targeted by a human who is determined to spam you, the stakes are raised to the point where neither CAPTCHAs nor standard honeypots will deter everything.

reCAPTCHA stops the bulk of it. Yes, people can still use CAPTCHA farms, but at the very least they increase the attacker's cost and will generally reduce their spam rate by a lot. After 4chan rolled out reCAPTCHA, 5+ years of spam problems vanished in an instant.


> It does play out in the real world a whole lot if you have the misfortune to be in charge of certain kinds of websites.

Very true; for some classes of sites, this is definitely the case. I was speaking more in a general sense, as I see many developers and project teams install some sort of CAPTCHA on every site as a default. In most circumstances, I think people should go for the simpler solution first, then be ready to drop in something like reCAPTCHA (or some other active spam deterrent) only when spam becomes a real problem.


I'd agree with that. It's good to have the code production-ready at a moment's notice though, because the reaction time can sometimes mean the difference between having to clean up 100 spam submissions and thousands of spam submissions.



