Anyone here applying an extra hidden input field in their forms to fight against spamming? Is this a good precaution, or just an extra burden on coding/checking for it? Captcha seems to be working well so far.
Captcha is enough for me. If you see any problems with it, you can try hidden fields, though I wouldn't even think I'll need it with a good captcha system.
Anymore, I like to use the user-friendly mode of captcha: a simple question. What I mean is this: Is ice hot or cold? And then the user inputs cold, which allows the form to post. However, this question could easily be beat by a bot. However, what if we COMBINE the two technologies: Is <ice.jpg> <hot.jpg> or <cold.jpg>? Obviously, with renamed JPEGs. Wouldn't this be harder for captcha-aware bots to break?
If the spammer's bots are capable of breaking your captcha, a hidden field won't do much I think. Yes, especially if you were able to change up the image hash every time it loads (ImageMagick maybe), this would add an extra layer of security. The problem with the "simple-question" captcha is always coming up with enough questions. It may be enough to fool most of the spam bots on the market, but if someone wants to spam you bad enough, they can usually get by this method. Seems easier to just use the reCAPTCHA API. (Not as user-friendly I know, but it's pretty darn secure).
I don't normally self promote, but I just recently wrote a blog post on this exact problem, and resolution (too few questions, and an attacker re-writing their captcha-aware bot to use challenges): http://remote-linux-support.com/blog/2009/09/easy-alternatives-to-captcha/
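
The hidden-field check and the simple-question captcha discussed in this thread, combined in one server-side validator. This is an added example, not code from any poster or from the linked blog post. The field name `website`, the demo secret, the 10-minute expiry and the HMAC token that keeps the expected answer out of the page source are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, never sent to the client
HONEYPOT = "website"              # hypothetical field, hidden from humans with CSS
MAX_AGE = 600                     # seconds a rendered form stays valid


def _sign(answer, issued):
    # Bind the normalised answer to the time the form was rendered.
    msg = "{}|{}".format(answer.strip().lower(), issued).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form(answer, now=None):
    """Hidden fields to embed when rendering the form for one question."""
    issued = int(time.time()) if now is None else now
    return {"issued": str(issued), "token": _sign(answer, issued), HONEYPOT: ""}


def check_submission(form, now=None):
    """Return (accepted, reason) for a posted form given as a dict of strings."""
    now = int(time.time()) if now is None else now
    # A browser posts the hidden field empty; naive bots fill or drop it.
    if form.get(HONEYPOT) != "":
        return False, "honeypot filled or missing"
    try:
        issued = int(form.get("issued", ""))
    except ValueError:
        return False, "bad timestamp"
    if not 0 <= now - issued <= MAX_AGE:
        return False, "form expired"
    expected = _sign(form.get("answer", ""), issued)
    # Compare as bytes in constant time; a forged token may be non-ASCII.
    if not hmac.compare_digest(expected.encode(), form.get("token", "").encode()):
        return False, "wrong answer or forged token"
    return True, "ok"


if __name__ == "__main__":
    fields = issue_form("cold", now=1000)        # constructed sample: "Is ice hot or cold?"
    print(check_submission(dict(fields, answer="Cold"), now=1030))
    print(check_submission(dict(fields, answer="Cold", website="x"), now=1030))
```

A captured token can still be replayed until it expires, so this only raises the cost for generic form-filling bots and does not stop one written for the site.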