I'm building an Open Source email newsletter tool and one of the challenges we have is form spam: As soon as a signup form goes live somewhere, bots will try to sign up. This is possibly an attempt to overwhelm the inbox of people whose accounts have been compromised. But it's also bad for the people who run the newsletter as these ultimately unwanted emails reduce their sender reputation.
There was recently a discussion here on HN about this topic [1]. The post author ended up using Cloudflare Turnstile to mitigate the issue. We currently already have support for external captcha solutions like hCaptcha. However, many of our users are quite privacy-conscious and don't like having user data sent to third parties (especially non-EU third parties for our European users).
So now I've been thinking of adding an invisible proof-of-work (PoW) captcha to all signup forms. Possible implementations I've been considering are Altcha [2] and mCaptcha [3].
Now to my question: Have any of you tried using PoW captchas to protect against form spam? What have your experiences been with it so far?
[1] https://news.ycombinator.com/item?id=47609882
[2] https://altcha.org/
[3] https://mcaptcha.org/
It increases cost to bot only and does not stop anything unless you sign up for the monthly subscription pay per request plan from Altcha for example. Then you are in a paid Turnstile situation. And not self host. (https://altcha.org/docs/v2/sentinel/ - with third party API services, paid IP databases, additional paid subscription key, this is only mode that will do anything of much value)