How websites like Facebook are protected against bots without any captcha

Facebook uses some sort of hidden spam protection; if you view the source of the sign-up form you will see things like:

class="hidden_elem"><div class="fsl fwb">Security Check</div>This is a standard security test that we use to prevent spammers from creating fake accounts and spamming users.

So the captcha becomes visible when the JavaScript thinks that you are a bot.

There are a few methods of making it harder for bots to complete registration without a captcha: things like the time taken to fill out the form, the originators of mouse click events, etc., and also random session-based values in the form (to prevent direct submissions without downloading the form first).

Also, some people use hidden form elements with common names like 'email' that are styled invisible in CSS; common simple bots will try to fill out all form fields, so you can block them if this hidden element has any value.

Twitter and FB spend a lot of time on developing techniques to block spammers; I don't think they will make them public, as it will be counterproductive for them in fighting the spammers.

But you can download all the client-side JavaScript from FB or Twitter and study it if you want, because most of the protection will happen inside the client, not on the server.

The server could only issue some random session variable, check for valid headers in the request, the overall time, etc.; it's really limited.

Some sites also use AJAX exchanges between server and client while the user is filling out the form, mostly just to make it harder for a bot developer to do similar fake exchanges of data.

Anyway, unfortunately there is no easy solution for decent protection, especially without a captcha or some kind of question.

Also, for the submit button you can use an image map instead of a button: you can dynamically create a big image with a submit button image drawn on it at a random position using things like GDI in PHP, use CSS to display only the portion of that image with the actual button, and on the server side check the X and Y position of where the mouse was clicked. This will be hard for bots to break, unless they use real browsers and just emulate keyboard and mouse. Anyway, as I said, unfortunately there is no easy solution.


One way would be to send a verification to the user's email address or cell phone and obtain verification (so in that case, you would have to allow only one email address or cell phone per account)

Another option is to use "Negative CAPTCHA" or "Honeypot Captcha"
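
The server-side checks mentioned in the answers above (a session-bound value in the form, the time taken to fill it out, and the hidden honeypot field), combined in one validator. This is an added example, not part of either answer and not any site's actual code; the field names form_token and contact, the thresholds and the HMAC token format are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumed per-deployment server key
HONEYPOT_FIELD = "email"          # decoy input hidden with CSS; the real address uses another name
MIN_FILL_SECONDS = 3              # assumed threshold: faster than a person can type
MAX_AGE_SECONDS = 3600            # assumed lifetime of a rendered form


def _sign(session_id, issued_at):
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def issue_form_token(session_id, now=None):
    """Value for a hidden field, generated when the form is rendered."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(session_id, issued_at).decode()}"


def check_submission(session_id, form, now=None):
    """Server-side checks on a posted form dict; returns (accepted, reason)."""
    now = time.time() if now is None else now
    issued_str, _, mac = form.get("form_token", "").partition(".")
    if not (issued_str.isascii() and issued_str.isdigit()):
        return False, "token-missing"
    # The token must have been issued by this server for this session,
    # which rules out posting directly without first loading the form.
    if not hmac.compare_digest(mac.encode(), _sign(session_id, int(issued_str))):
        return False, "token-invalid"
    elapsed = now - int(issued_str)
    if elapsed > MAX_AGE_SECONDS:
        return False, "token-expired"
    if elapsed < MIN_FILL_SECONDS:
        return False, "too-fast"
    # A person never sees the decoy field, so any value in it is a bot signal.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot-filled"
    return True, "ok"
```

The token is not single-use here, so a client that has loaded the form once can reuse it until it expires; recording accepted tokens server-side would close that gap.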