Hi there,
This is a nice plugin here, I was planning to do one for myself and open-source it later, but it seems there's no need while PoliteCaptcha is here. I've implemented and pushed a quick hack for a problem which many spam prevention libraries have.
The fact: There are tools out there to brute-force forms especially if you want to harm "a specific website". You can assign values into forms, assign random values, use a text-list etc.
The problem: PoliteCaptcha only prevents bots randomly brute-forcing forms on the internet. If an attacker comes to your website and attacks specifically your form, PoliteCaptcha is very easy to crack by just putting a string, and its reverse.
The solution: Save the randomly generated guid into the session, validate it also from the session and (!) don't forget to reset the guid in the session after a successful validation, otherwise the method I describe at the bottom of this post can break it.
Now with this solution, the attacker has to request the first page first, parse the form and generate the form values. This is harder.
The solution is here: atas@2b0293f and if you like it I can tidy up the code a little bit, make it optional with a parameter and we can merge it.
Step 2 - Better prevention: Output a guid into the form named "RequestKey" and make the form request the NoCaptchaChallengeField by ajax with the RequestKey from the server 10 seconds after the user generates the form. This way, the server can actually refuse to give out the Guid before 10 seconds have passed, and each attacker IP address can brute-force at most once per 10-second interval. I'm not even mentioning that this requires a very advanced or specially coded brute-force tool, which would also have to work on a distributed network across servers, because attacking every 10 seconds from a single IP address will not do any real harm.
Now I intend to implement Step 2 as an option for users too, but first I want your opinions. If you are not open to merging them, I may go and implement my own from scratch.
**A method to crack many prevention libraries:** _use the form manually for the first time, get the posted values and put them into the brute-force tool. Change the email randomly every time, send the other information always unchanged, like NoCaptchaChallengeField (for which you can generate any random numbers) or the session cookie (if needed)._
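The server-side logic the post proposes (Step 1: keep the generated challenge in the session, validate against the session copy and reset it after a successful validation; Step 2: put only a RequestKey in the form and hand out the challenge by ajax no sooner than 10 seconds later), written out as an added example. This is not PoliteCaptcha's code or the commit linked above, and it is in Python rather than the project's C# so the behaviour can be run in isolation. Assumptions beyond the post: the session id is taken from an existing server session cookie, the in-memory dictionary stands in for the real session store, and the client's expected answer is the reversed challenge string, as the post describes the original check.

```python
import secrets
import time


def _eq(a, b):
    """Constant-time string comparison (compare_digest needs bytes for non-ASCII input)."""
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class ChallengeStore:
    """Session-bound, one-time challenge state. Added example; not PoliteCaptcha's code."""

    def __init__(self, min_age_seconds=10.0, clock=time.monotonic):
        self.min_age_seconds = min_age_seconds
        self.clock = clock  # injectable so the 10-second wait can be simulated in a test
        # session_id -> {"request_key": str, "issued_at": float, "challenge": str | None}
        self.sessions = {}

    def render_form(self, session_id):
        """Step 2: the rendered form carries only a fresh RequestKey; no challenge yet."""
        request_key = secrets.token_hex(16)
        self.sessions[session_id] = {
            "request_key": request_key,
            "issued_at": self.clock(),
            "challenge": None,
        }
        return request_key

    def fetch_challenge(self, session_id, request_key):
        """Ajax endpoint that hands out the NoCaptchaChallengeField value.

        Returns None (a 4xx in a real handler) when the RequestKey does not belong
        to this session or fewer than min_age_seconds have passed since rendering.
        """
        state = self.sessions.get(session_id)
        if state is None or not _eq(state["request_key"], request_key):
            return None
        if self.clock() - state["issued_at"] < self.min_age_seconds:
            return None
        if state["challenge"] is None:
            state["challenge"] = secrets.token_hex(16)  # Step 1: the guid saved in the session
        return state["challenge"]

    def validate(self, session_id, submitted_challenge, submitted_response):
        """Step 1: check the posted values against the session copy, then reset it."""
        state = self.sessions.get(session_id)
        if state is None or state["challenge"] is None:
            return False  # nothing was ever issued to this session, so any posted value fails
        expected = state["challenge"]
        ok = _eq(submitted_challenge, expected) and _eq(submitted_response, expected[::-1])
        if ok:
            state["challenge"] = None  # one-time use: posting the same values again now fails
        return ok


class FakeClock:
    """Constructed clock so the example can advance time without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = ChallengeStore(min_age_seconds=10.0, clock=clock)
    sid = "session-abc"  # constructed session id

    # A self-chosen string and its reverse, posted without ever loading the form.
    replay_accepted = store.validate(sid, "attacker", "rekcatta")

    key = store.render_form(sid)
    too_early = store.fetch_challenge(sid, key)  # before 10 s: refused
    clock.advance(10.0)
    challenge = store.fetch_challenge(sid, key)  # after 10 s: issued
    first = store.validate(sid, challenge, challenge[::-1])
    second = store.validate(sid, challenge, challenge[::-1])  # same values replayed
    return {"replay_accepted": replay_accepted, "too_early": too_early,
            "first": first, "second": second}


if __name__ == "__main__":
    print(demo())
```

The fake clock is only there so the delay is observable in a unit test; a real deployment uses the default monotonic clock and keys the 10-second window on the server's own timestamp, never on anything the client sends.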