EXOCAPTCHA - this is not CAPTCHA for you!

    I have long wanted to create a service that would make it quick and easy to get rid of spam and flooding on any site. I finally got around to it, and the service has been created. It is called EXOCAPTCHA and is now available to everyone.

    There are several successful CAPTCHA projects on the Internet, but all the ones I have looked at have some kind of drawback.

    The goals set for the EXOCAPTCHA service:

    1. Simplicity and speed of installation, platform independence.
    2. Possibility of individual settings (type, size, color, symbols used, etc.)
    3. Lack of core vulnerabilities.

    And now a little more about this:

    1. Simplicity and speed of installation, platform independence

    All that is required of you is to provide an e-mail address, to which a small piece of code will be sent for insertion into the pages of your site, along with ready-made examples of using it in a form (ASP for Windows and PHP for UNIX). No special settings or web server configuration are required. Everything should take a few minutes!

    2. Possibility of individual settings

    In your EXOCAPTCHA service account you can create several captcha instances (for example, different types for different sites). By experimenting with the parameters you can create your own unique captcha. And if spammers write programs that automatically recognize a specific captcha instance, it is easy to change the graphical representation of the code (without making any changes to the pages of your site), quickly reducing the spammers' efforts to nothing.

    3. Lack of core vulnerabilities

    • Reuse of session identifiers.
      Most CAPTCHA implementations store the correct response in a session variable. Some of them do not reset this variable after checking the value. That is, it is enough to pass the CAPTCHA test manually once and hand the session identifier and the CAPTCHA response to a bot, which can then generate a large number of successful requests.

      Another disadvantage of using a session variable is its limited lifetime. If the user enters the correct CAPTCHA response after the session has expired (usually 20 minutes), the server can no longer check it and the answer is treated as incorrect. A drawback? Of course it is! Who wants to prove twice that they are human?!

      EXOCAPTCHA does not have this drawback, because nothing is stored in session variables, and a value can be checked for up to 24 hours (longer would be possible, but the time is limited to this for practical reasons).
    • Determining the answer from information contained on the page.
      In some implementations the CAPTCHA answer is contained, in open or encrypted form, in a hidden form field or in the request parameter of the picture with the code (example here: www.xakep.ru/post/31268 ). That is, once the decoding algorithm has been determined, the bot will know the correct CAPTCHA answer 100% of the time.

      EXOCAPTCHA does not have this drawback, because the answer is not contained in the request parameters in any form.
    • The probability of guessing the answer.
      Many site management systems use pre-generated images as captchas. Having built a database of such pictures and their correct answers, a spammer can easily defeat the purpose of the captcha. Another variant of this vulnerability is a limited number of possible CAPTCHA answers. For example, if there are 1000 answers, then even at a rate of 1 request per second, a bot can make 86 successful requests per day.

      EXOCAPTCHA does not have this drawback. All pictures are generated from many random parameters, and the number of possible answers is determined by the user, who chooses which characters may appear in the captcha and how many of them there are.
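
The session-reuse problem from the first point above, as an added example that is not EXOCAPTCHA's code: a store that leaves the answer valid after a check, beside one that consumes each challenge on its first check and expires it after 24 hours. The class and function names are hypothetical, and the sample answer is constructed.

```python
import hmac
import secrets
import time

TTL_SECONDS = 24 * 60 * 60  # the 24-hour validity window mentioned above


def _same(a, b):
    # Constant-time comparison of the expected and submitted answers.
    return hmac.compare_digest(a.encode(), b.encode())


class ReusableStore:
    """Flawed pattern: the expected answer stays valid after it was checked."""

    def __init__(self):
        self._answers = {}

    def issue(self, answer):
        cid = secrets.token_urlsafe(16)
        self._answers[cid] = answer
        return cid

    def verify(self, cid, response):
        expected = self._answers.get(cid)  # never reset, so it can be replayed
        return expected is not None and _same(expected, response)


class SingleUseStore:
    """Hardened pattern: a challenge is consumed by its first check and expires."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.time):
        self._ttl, self._clock, self._challenges = ttl, clock, {}

    def issue(self, answer):
        cid = secrets.token_urlsafe(16)  # opaque id, carries no hint of the answer
        self._challenges[cid] = (answer, self._clock() + self._ttl)
        return cid

    def verify(self, cid, response):
        # pop() removes the record whether the response is right or wrong, so a
        # solved challenge cannot be replayed and a wrong guess cannot be retried.
        expected, expires_at = self._challenges.pop(cid, (None, 0.0))
        if expected is None or self._clock() > expires_at:
            return False
        return _same(expected, response)


def replay_results(store, answer="k7m2q"):
    """Submit the same correct (id, answer) pair twice; return both outcomes."""
    cid = store.issue(answer)
    return store.verify(cid, answer), store.verify(cid, answer)
```

With single-use challenges, the guessing estimate in the last point also only holds if every attempt is spent on a freshly issued challenge.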


    That's all for now. If you are interested, please use:
    www.e-xo.ru/captcha/setup.asp

    I will be glad to hear your opinions and suggestions.
