CAPTCHA or email confirmation?

Neither method is foolproof at blocking automated requests, but both have been effective for me in the past. Let me explain:

Automating a response to an email is fairly easy, and thus cannot be taken as assurance that the client is not a bot. Similarly, CAPTCHA is easily broken (not even using humans). For instance, the hacker group DC949 recently released Stiltwalker, which can reliably bypass reCAPTCHA and many other popular CAPTCHA services. As is often the rule in security, if someone is determined enough, they can break in.

However, email verification and reCAPTCHA have had great impact for me in the past when fighting spam accounts/reviews. While they can be bypassed, many spammers don't know how and/or don't bother. So, while they are not "secure", they are still effective.

P.S. Another technique I have heard about is using JavaScript to gauge the amount of time the user spent on the webpage before submitting. Most bots will submit things almost instantly (if they even run the JavaScript at all), so checking that a second or two has elapsed since the page rendered can block a lot of spam as well.


They both solve different problems.

  • CAPTCHA prevents automated signups.
  • Email verification proves that the email address is valid.

As such, you should use both. However, a determined spammer will simply outsource image-based CAPTCHA solving to 3rd world countries, or get unsuspecting users to solve them via phishing attacks.

The best type of CAPTCHA is one the user never sees. As such, a honeypot CAPTCHA is one of the most effective and user-friendly options.
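The "CAPTCHA the user never sees" from this answer and the elapsed-time check from the first answer can be enforced server-side together. The following is an added example, not code from any answer above; the hidden field name `website`, the token field `_t`, the two-second threshold and the secret are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed server-side secret (assumption); load from configuration in practice.
SECRET = b"example-server-secret-change-me"
MIN_SECONDS = 2.0            # minimum time a human plausibly needs to fill the form
HONEYPOT_FIELD = "website"   # hidden via CSS; humans never see or fill it
TOKEN_FIELD = "_t"           # hidden field carrying the signed render timestamp


def issue_token(now=None):
    """Return a render-time token to embed in the form.

    The timestamp is signed with HMAC so a client cannot back-date it
    to fake a slow submission.
    """
    ts = int(time.time() if now is None else now)
    sig = hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def check_submission(form, now=None):
    """Validate a submitted form (a dict of field name -> value).

    Returns (accepted, reason). Rejects when the honeypot field carries any
    value, when the render token is missing or forged, or when the form came
    back faster than MIN_SECONDS after it was issued.
    """
    now = time.time() if now is None else now
    # Honeypot: the field is invisible to humans, so any content means automation.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    ts_str, _, sig = form.get(TOKEN_FIELD, "").partition(".")
    if not ts_str.isdigit():
        return False, "missing token"
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad token signature"
    if now - int(ts_str) < MIN_SECONDS:
        return False, "submitted too fast"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: form rendered at t=1000, submitted five seconds later.
    token = issue_token(now=1000)
    print(check_submission({TOKEN_FIELD: token, "email": "user@example.com"}, now=1005))
    print(check_submission({TOKEN_FIELD: token, HONEYPOT_FIELD: "http://x"}, now=1005))
    print(check_submission({TOKEN_FIELD: token}, now=1000.4))
```

A forged or stale token is rejected before the timing test runs, so a bot cannot pass simply by inventing an old timestamp; rotating `SECRET` invalidates all outstanding forms, which is acceptable for a signup page.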


Email confirmation and CAPTCHA solve different problems. The first one should be implemented when you want users to use their real e-mail address in the registration process. Email confirmation also protects us from identity theft. I cannot register by typing a whitehouse.gov email address and pretend that I am the President ('cos I'm not able to click on the confirmation link sent to whitehouse.gov, because I'm not the owner of this address). So email confirmation allows us to link each user to an email address.

However, email confirmation doesn't protect us from bots (as CAPTCHA does). Honestly, almost every spam-bot I've seen had email confirmation implemented. It's really easy stuff, and it's just a few lines of code to force our program to check emails and click on every activation link. The interesting detail is that some of those spam-bots used 123456 as the password to their webmail accounts.

So, let's talk about CAPTCHA. It was created to distinguish humans from robots: reading text from an image, solving maths formulas, etc. The main problem is that online robots are still evolving. Their modules are being upgraded, they have no problems solving formulas, and their OCR modules are better (so they are able to extract text from the image). All of this means that CAPTCHA is not 100% protection against non-humans, but it's the first line of defense and it's highly recommended.

The best CAPTCHA is the CAPTCHA which was implemented by you. Trust me, a lot of people try their luck at breaking popular CAPTCHAs. Why? The answer is very easy here. Popular CAPTCHAs are used by a lot of websites. If we can break that CAPTCHA, then we could put a lot of spam content on those websites. So if your website is not very popular and has its own CAPTCHA implementation, I am pretty sure that no one will waste their time and money breaking your CAPTCHA. However, if you are not sure how to implement it in the proper way, you could try non-obvious CAPTCHAs, like image-based CAPTCHA (here is the example) or 3D CAPTCHA (another example).
