Captcha vs. email verifications

[tmsdev]

Ok, so both email verifications and email with captcha are used for controlling user registration across the web quite extensively. Here is a summary of pros and cons for each, based on our humble experience of cutting off annoying daily streams of endless spam:

• A good captcha is harder to crack than email verification. Which is important, because if a spam bot cracks your registration process and registers as a user on the website, it can do a lot of damage by spamming legitimate users with private messages, hiding spam deep in the threads, etc. If they bother with the trouble of hacking your registration, chances are, they will get creative once they are inside.
  
• Captchas may bother some people more than email verification, but that is not too huge of a factor: once somebody decides to register, they will most likely go through either one just fine.
  
• Email verification alone is easy to abuse: stupid mass registration bots will hammer on it with fake or real email addresses, and even though most of them will fail, they will still generate a large flow of outgoing mail, which eventually will get labeled as spam by a lot of mail servers, and your mail server’s IP address will end up on a blacklist, which cripples the registration process for benign users.

Considering all this, our choice is: captcha first. Email verification is fine, but only after we’ve confirmed that you’re not a robot. Replacing email with captcha and trading one or another is risky because every day new ways to get around one of those methods appear. For instance, a number of recent captcha bypass services relied on cheap human workforce "solving" the captcha tests in bulk for money.

P.S. Of course, Akismet and other spam-fighting plugins should be considered as well; some popular services get by just using those. Akismet plugins are available for all common web scripts, including Wordpress, PhpBB, Drupal and many others.