2

I have been using Google reCAPTCHA v2 (Invisible reCAPTCHA) for a long time, and we know that if some spammer or bot is trying to call our API, then the user will get a puzzle to solve. What will happen if I use the Google Enterprise solution? In this case, will the Google API simply return the score based on the action taken by the user? What if a spammer buys a fresh new IP range and is trying to call our APIs? How frequently does Google return a low score for that particular IP? I have seen on my website that the spammer used to call APIs with a new IP every time, so I need to check how Google detects this as a spammer.

Himanshu Jain

1 Answer

1

The score-based site key is the currently recommended type. You are correct that there is no challenge or puzzle in this case.
https://cloud.google.com/recaptcha-enterprise/docs/choose-key-type

While the IP is a part of what determines the score, it is far more complex than that, and having malicious users or bots simply change their IP address will not circumvent the bot detection; the algorithm is quite sophisticated.

The exact details of what signals the score is based on are proprietary, and Google holds those details close to the chest, because if adversaries knew those details they could attempt to make workarounds for their bots.

Cory Kramer
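With a score-based key there is no puzzle, so the backend has to act on the returned score itself. The following is an added example, not part of the original answer: it evaluates constructed assessment responses using the `tokenProperties` and `riskAnalysis` fields of a reCAPTCHA Enterprise assessment; the `decide` helper, the `signup` action name and both thresholds are assumptions.

```python
# Added example: acting on a reCAPTCHA Enterprise assessment server-side.
# The thresholds and decide() are assumptions, not Google recommendations.

ALLOW_AT = 0.7    # assumed: at or above this, treat the request as human
REVIEW_AT = 0.3   # assumed: below this, reject outright


def decide(assessment: dict, expected_action: str) -> str:
    """Return 'allow', 'step_up' or 'block' for one assessment response."""
    props = assessment.get("tokenProperties", {})
    # An expired, replayed or malformed token carries no usable score.
    if not props.get("valid", False):
        return "block"
    # The action name is embedded in the token; a mismatch means the token
    # was issued for a different flow than the endpoint being protected.
    if props.get("action") != expected_action:
        return "block"
    score = assessment.get("riskAnalysis", {}).get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"  # fail closed when the score is missing or malformed
    if score >= ALLOW_AT:
        return "allow"
    if score >= REVIEW_AT:
        return "step_up"  # e.g. e-mail verification or stricter rate limits
    return "block"


# Constructed sample responses (not real API output).
SAMPLES = {
    "human": {"tokenProperties": {"valid": True, "action": "signup"},
              "riskAnalysis": {"score": 0.9, "reasons": []}},
    "borderline": {"tokenProperties": {"valid": True, "action": "signup"},
                   "riskAnalysis": {"score": 0.5, "reasons": []}},
    "bot": {"tokenProperties": {"valid": True, "action": "signup"},
            "riskAnalysis": {"score": 0.1, "reasons": ["AUTOMATION"]}},
    "replayed": {"tokenProperties": {"valid": False, "invalidReason": "DUPE"},
                 "riskAnalysis": {"score": 0.0, "reasons": []}},
    "wrong_action": {"tokenProperties": {"valid": True, "action": "login"},
                     "riskAnalysis": {"score": 0.9, "reasons": []}},
    "no_score": {"tokenProperties": {"valid": True, "action": "signup"}},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:13s} -> {decide(sample, 'signup')}")
```

Note that none of the decisions depend on the caller's IP address; the backend only sees the token validity, the action and the score.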