BOTCHA Spam Prevention

Open Bugs: 
Development Status: 
Seeking co-maintainer(s)
Maintenance fixes only

BOTCHA is a highly configurable non-CAPTCHA spam protection framework.

In CAPTCHA, user has to prove he/she is human. Unfortunately, spambots learned

to bypass CAPTCHA really well, and real users are frustrated with increasing

complexity and burden of CAPTCHA.

In BOTCHA, we don't abuse our human users - BOTCHA protection is completely

transparent to them and non-intrusive.

BOTCHA lets spambots to prove they are bots, and let real users zip by.

BOTCHA is useful for any form that has to be protected from spambots.

BOTCHA always works as designed - guaranteed! All of BOTCHA recipes are covered by Selenium-tests and we have our own "TestSwarm" to do testing as often as possible: see #1894478: The latest Selenium-tests launches & reports
for details.

You could be also interested in #1896760: BOTCHA success stories


How it works

The approach of BOTCHA is to add various elements to forms that need protection from bots. These elements do not present new fields to users, so BOTCHA is completely transparent to humans. Both humans and bots submit those forms and BOTCHA performs heuristic analysis on each submitted form. Bots are usually programs/scripts that are relatively dumb, and most of the time they fail BOTCHA tests and human users don't.

Once BOTCHA proves the submission is by a bot, the form submission is blocked.

The more there are opportunities for the bot to slip and prove it is a bot, the better defense from spam we have. So we can combine multiple BOTCHA recipes as opposed to only one CAPTCHA per form. This gives huge advantage to BOTCHA.


There are many advantages of BOTCHA over CAPTCHA:

  • BOTCHA does not bother normal human users
  • BOTCHA tests are designed in such a way that normal users will never see them
  • There is no limitation on number of tests BOTCHA can implement on each form, so it gets progressively stronger
  • As bots get smarter, BOTCHA will be updated with new recipes to defeat them
  • BOTCHA needs very little configuration

It is possible to use BOTCHA alone without CAPTCHA. Nevertheless, it is recommended to use BOTCHA together with CAPTCHA. BOTCHA does not interfere with CAPTCHA, and more lines of defense are always better.

See the Screenshot of a real system log when BOTCHA works beside CAPTCHA. Note there are only two CAPTCHA blocks and eight BOTCHA blocks. It means BOTCHA blocked 6 spambot registration attempts in 16 minutes that CAPTCHA let through.

Recipes included

  • NoResubmit (working without JavaScript): The method consideres as spam all submissions made using already submitted forms.
  • Timegate (working without JavaScript): During the form generation hidden by CSS field is added to the form containing the timestamp. At the moment of submission this timestamp is used for spam check: if the form is submitted too fast, the submission is considered as spam. The minimum number of seconds that must elapse from the time of form generation is an adjustable parameter.
  • Honeypot: Implementation of honeypot-trap. The gist of it is that the field is added to the form with a certain value, which is then modified by JS. Spam is any form submission, the calculated value of which is not the same as we need.
  • Honeypot2: The same as above, but using as a source of calculation not the value of a particular field, but the data from CSS.
  • ObscureUrl: Similar to the previous recipe: constructed by JS is compared to the need. The difference is that the initial value is passed through the GET-parameter.

Which version to choose?

Unless you want to test Forwardport, you should choose 3.x version, which is the most stable and feature-rich release.


  • (For 6.x-3.x, 6.x-4.x) Download and install Autoload and DBTNG modules
  • (For 6.x-3.x, 6.x-4.x, 7.x-3.x, 7.x-4.x) Download and install Module Object Oriented Programming API module
    Please note!:
    • If you are upgrading from one of the elder versions (such as any version of 7.x-1.x or 7.x-2.x branch), you should install and enable all dependencies first - and only then update the Botcha module itself.
    • For Botcha 6.x-3.x, use downgraded Moopapi 6.x-1.2, as there are problems with latest Moopapi #1969736: Error message on install
  • Copy the module's directory to your sites/all/modules directory (choose a way you prefer: using drush dl or manually).
  • (For 6.x-4.x, 7.x-4.x) Download the most recent version of Drupal-major-version-independent "library".
    Please note!: In fact it is not a library in terms of Libraries, consider it just as a regular module, which doesn't have its own repository. It is due to missing libraries_load function in Libraries D6: so when it gets backported (see #1144992: Backport 7.x-2.x to 6.x-2.x
    ), "library" will be turned into library.

    Choose the way you prefer:
    • Using drush make: run this command from Drupal root
      drush make sites/all/modules/botcha/botcha.make . --no-core
    • Using Composer (not implemented yet):
      • Install Composer (for example, using drush drush dl composer).
      • Install Botcha

        drush dl botcha-4.x
        drush en botcha
    • Manually: download "library" from . See botcha.make file for information about the current version. Unpack it to the 'botcha_base' directory inside sites/all/modules.
  • Activate the module.


Module starts working as soon as it is activated. There are reasonable default settings and no configuration is required, though it can be adjusted at any time on Administer > User management > BOTCHA page (D6) and Configuration > People > BOTCHA (D7).

Module records its activity in the log and collects statistics which are shown on the 'Status report' page.

There are some default forms that BOTCHA protects out-of-the-box, including user/register, which is the most important line of defense. Current version by default protects all other forms that CAPTCHA is enabled for. CAPTCHA is not required since BOTCHA can be configured independently.

(Note: this feature is available since 6.x-1.6) BOTCHA configuration page allows selecting which forms to protect. There is also an admin mode checkbox which adds links to forms for simple BOTCHA configuration.

Development roadmap

What "BOTCHA" means?

BOTCHA stands for "BOT Computerized Heuristic Analysis"

BOTCHA also means "Bombs On Target, Come Home Alive" (military, UrbanDictionary).

"BOTCHA is a feel-good cheer after bombing spambots to the ground."

BOTCHA also means "Double-dead meat" (Wikipedia), which is a health hazard.

"We feed BOTCHA to spambots and wait for them to get diarrhea and food poisoning."

How much does it cost?

It is absolutely free. But you have the opportunity to contribute to the implementation of new features or speed up the closure of the bug that annoys you, or just to thank the developers.

Support this module to make new features to be implemented faster:

Project resources


I first developed fully-automated method to protect HTML forms open to un-authenticated users back in 2002, long before I started using Drupal. That method had proven very effective back then. Time went by, and I moved that website to Drupal, and installed CAPTCHA. Eventually the site started getting few dozen automated user registrations a day followed by few spam posts on each account. I tried strengthening Captcha settings, but the stream did not slow down while human users started to complain of the difficulty of Captcha challenges. Apparently Captcha is not deterring recent generation of spambot scripts. I turned back to the old method, and wrote a module for that. The stream stopped and I have zero spambot user registrations since. Now I want to share this module.

Similar modules

  • JS Validate Forms (merged with BOTCHA): Provided in terms of BOTCHA Honeypot recipe protection variation (instead of randomly calculated value it used current timestamp).
  • un.captcha.lous (merged with BOTCHA): Provided in terms of BOTCHA Honeypot2 recipe protection (it was called there "Honeypot") and Honeypot recipe protection (it was called there "Magic Number").
  • Honeypot: Provides in terms of BOTCHA Honeypot recipe and Timegate recipe protection.
  • Spamicide: Provides in terms of BOTCHA Honeypot2 recipe protection. The difference is that in Spamicide the content of this field is user-configurable and in BOTCHA it is randomly generated during each form submission.
  • Hidden Captcha: Provides in terms of BOTCHA Honeypot2 recipe protection. This module is similar to Spamicide, read more about their difference here: #840838: Hidden CAPTCHA v. Spamicide


PatchRanger - the first crowdfunded Drupal freelancer:
Flattr PatchRanger


I expect this project to grow very fast and become very powerful in combat against spam. I am looking for co-maintainers and contributors that want to make a difference and improve user experience. I have plans to expand this project beyond Drupal. Please contact me for joining the team!

Release Dates: