非常简单的算术很好。盲人也能回答。(但正如Jarod所说，要注意操作符优先级。)我想有人可以编写一个解析器，但这使得垃圾邮件的成本更高。

足够简单，并且围绕它编写代码并不困难。我看到了两个威胁:

随机的垃圾邮件机器人和可能支持它们的人类垃圾邮件机器人;而且 机器人创建游戏堆栈溢出

通过简单的算术，你可以打败威胁1，但不能打败威胁2。

Make an AJAX query for a cryptographic nonce to the server. The server sends back a JSON response containing the nonce, and also sets a cookie containing the nonce value. Calculate the SHA1 hash of the nonce in JavaScript, copy the value into a hidden field. When the user POSTs the form, they now send the cookie back with the nonce value. Calculate the SHA1 hash of the nonce from the cookie, compare to the value in the hidden field, and verify that you generated that nonce in the last 15 minutes (memcached is good for this). If all those checks pass, post the comment.

This technique requires that the spammer sits down and figures out what's going on, and once they do, they still have to fire off multiple requests and maintain cookie state to get a comment through. Plus they only ever see the Set-Cookie header if they parse and execute the JavaScript in the first place and make the AJAX request. This is far, far more work than most spammers are willing to go through, especially since the work only applies to a single site. The biggest downside is that anyone with JavaScript off or cookies disabled gets marked as potential spam. Which means that moderation queues are still a good idea.

从理论上讲，这可以作为通过模糊性的安全，但在实践中，这是很好的。

我从未见过垃圾邮件发送者试图破解这种技术，尽管可能每隔几个月我就会收到一个手动输入的主题垃圾邮件条目，这有点怪异。

你看过威基斯吗?

Waegis是一个在线web服务，它公开了一个开放的API(应用程序编程接口)。它通过API方法获取传入数据，并应用快速检查，及时识别垃圾邮件和合法内容。然后它将结果返回给客户端，以指定内容是否是垃圾邮件。”

即使使用rep，仍然应该有某种类型的验证码，以防止恶意脚本攻击。

Mixriot.com使用ASCII艺术验证码(不确定这是否是第三方工具)。

 OooOOo  .oOOo.  o   O    oO   
 o       O       O   o     O   
 O       o       o   o     o   
 ooOOo.  OoOOo.  OooOOo    O   
      O  O    O      O     o   
      o  O    o      o     O   
 `OooO'  `OooO'      O   OooOO

实际上，有一个与编程相关的验证码集是一个不错的想法。例如:

有人可能会构建一个语法检查器来绕过这个，但绕过验证码需要做更多的工作。不过，您应该知道有一个相关的验证码。