Negative Captchas - help me understand spam bots b

Published 2019-07-18 02:08

Question:

I have to decide a technique to prevent spam bots from registering my site. In this question I am mainly asking about negative captchas.

I came to know about many weaknesses of bots but want to know more. I read somewhere that the majority of bots do not render/support JavaScript. Why is that so? How do I test that the visiting program can't evaluate JavaScript?

I started with this question: "Need suggestions/ideas for easy-to-use but secure captchas". Please answer that question if you have some good captcha ideas.

Then I got ideas about negative captchas here: http://damienkatz.net/2007/01/negative_captch.html

But Damien has written that though this technique likely won't work on big community sites (for long), it will work just fine for most smaller sites.

So, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How safe will this technique be, considering that?

Negative captchas using more complex honeypot implementations are described here: http://nedbatchelder.com/text/stopbots.html

Does anybody know how easily it can be implemented? Are there some plugins available?

Thanks,

Sandeepan

Answer 1:

> I read somewhere that the majority of bots do not render/support JavaScript. Why is it so?

Simplicity of implementation: you can read a web page's source and post forms with just a dozen lines of code in a high-level language. I've seen bots that are ridiculously bad, e.g. parsing HTML with regular expressions and getting ../ in URLs wrong. But apparently it works well enough.

However, running a JavaScript engine and implementing a DOM library is a much more complex task. You have to deal with scripts that do while(1);, that depend on timers, external resources, CSS, sniff browsers and do lots of crazy stuff. The amount of work you need to do quickly starts looking like writing a full browser engine.

It's also computationally much, much more expensive, so it's probably not as profitable for spammers: they can have a dumb bot that silently spams 100 pages/second, or a fully-featured one that spams 2 pages/second and hogs the victim's computer like a typical web browser would.

There's a middle ground in implementing just a simple site-specific hack, like filling in a certain form field if a known script pattern is noticed in the page.

> So, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How safe will this technique be, considering that?

It's a cost/benefit trade-off. If you have high pagerank, lots of visitors or something of monetary value, or useful for spamming, then some spammer might notice you and decide a workaround is worth his time. OTOH if you just have a personal blog or small forum, there are a million others unprotected waiting to be spammed.



Answer 2:

> How do I test that the visiting program can't evaluate JavaScript?

Create a hidden field with some fixed value, then write some JS which increments or changes it, and you will see it in the response.