Hacker News
Honeypot Captcha (2007) (haacked.com)
33 points by thunderbong on March 13, 2024 | 7 comments


How many comment spam bots are general purpose that they'd get fooled by something like that? I always assumed they targeted particular websites or particular common CMS's.

Also this is from 2007, the heyday of blogs. Is comment spam even much of a thing anymore, given how much has been sucked up by social media platforms?


In a coincidence, I deployed this exact measure to my ActivityPub server yesterday. There are these annoying bots that would submit spam into every HTML form they see, without even trying to load CSS or JS. Some are capable of recognizing simple captchas like the one I added as my initial attempt at fighting them, though it did, too, cut the spam significantly.

Here's the example of spam I kept getting: https://i.imgur.com/I1pTdSh.png


I always think that fighting automated spam is a cat-and-mouse game, but I guess most spammers are still remaining unsophisticated and will still get defeated by simply using CSS to hide a honeypot form field. Wow.

Is it just because CSS/JS consume too much CPU and they want their spamming to run as fast as possible and don't care if they get a bunch of false negatives?


From how I subjectively see it, 5% of effort gets rid of 90% of spam. Of course, this would never catch any targeted attacks, but in the grand scheme of things, those are exceedingly rare. In other words, good luck keeping out the remaining 10% without significantly degrading the experience for the innocent majority of your users.
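The measure discussed in this thread (a decoy form field hidden with CSS and checked on the server), as an added example that is not part of the thread or of the linked article. The field name `website_url`, the form markup and the sample request bodies are assumptions constructed for illustration.

```python
from html import escape
from urllib.parse import parse_qs

# Hypothetical field name: it looks like a real field to a bot that fills every input.
HONEYPOT_FIELD = "website_url"


def render_comment_form(action: str) -> str:
    """Return the comment form; the decoy is hidden by CSS, not by type=hidden."""
    return f"""<style>.hp-wrap {{ position: absolute; left: -9999px; }}</style>
<form method="post" action="{escape(action, quote=True)}">
  <textarea name="comment"></textarea>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty
      <input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Post</button>
</form>"""


def classify_submission(body: str) -> str:
    """Classify an application/x-www-form-urlencoded POST body.

    "spam"    - the decoy holds text, so something filled a field no person sees
    "suspect" - the decoy is absent; a browser submitting this form sends it empty
    "ok"      - the decoy is present and empty
    """
    fields = parse_qs(body, keep_blank_values=True)
    if HONEYPOT_FIELD not in fields:
        return "suspect"
    if any(value.strip() for value in fields[HONEYPOT_FIELD]):
        return "spam"
    return "ok"


# Constructed sample request bodies, not captured traffic.
SAMPLES = {
    "browser": "comment=Nice+post&website_url=",
    "form-filling bot": "comment=Buy+pills&website_url=http%3A%2F%2Fspam.example",
    "hand-built request": "comment=Buy+pills",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label}: {classify_submission(body)}")
```

The `tabindex="-1"`, `autocomplete="off"` and `aria-hidden` attributes are there to keep keyboard users, browser autofill and screen readers from filling the decoy and being classified as spam.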


A fun experiment would be to spin up an unsecured WordPress comment section.

From my web-experience: any slightly popular <form> will be submitted.


I feel like the TikTok captchas are honeypots somehow.

It says “complete to proceed” but you can just x out of it with no issue.

They just want to collect some info from the people who do it. Same with the fake “verify your phone number” and “unlock your phone to continue”


TikTok has CAPTCHAs?



