Eleven years ago, I stumbled across a technical paper from 2002 by Adam Back. It was about HashCash—a proof-of-work system designed to make spammers’ lives miserable by forcing their machines to grind through heavy calculations. I thought, “This could work for bot spam in Joomla forms,” and built my first Captcha - HashCash plugin. Little did I know, someone else had tried it before me—and their version vanished after landing on the CVE list in 2006. If I’d known, I might’ve picked a different name. But that’s ancient history, and my HashCash? It’s still kicking.
Fast forward to a few weeks ago. I was deep into a Joomla 5 rewrite of the plugin, tinkering with a new “wait-for-interaction” feature—making the calculation start only when a user engages with the form. It’s a slick way to trip up bots that either rush in or dawdle too long. Then, mid-code, I had a lightbulb moment: what if I could detect bots and punish them? Not just block the bot spam —make them regret ever sniffing around my site.
The Punishment Play
The idea was simple but devious. If the plugin spots suspicious activity (a bot attempting to trigger the calculation to start), it tweaks the calculation to become unsolvable. Bots get stuck churning CPU cycles forever, chasing a solution that doesn’t exist. And if they somehow magic up an answer? It’s still the wrong answer. I coded it up, flipped it off by default (gotta give folks a choice), and threw it to the Joomla forums for feedback. The response? A unanimous “Heck yes—if they’re abusing your site, let ‘em burn.” Version 5.2.7 was born.
From 2002 to 2025: A Quiet Victory
HashCash isn’t new—Adam Back nailed the concept over two decades ago. My spin leans on modern JavaScript, the Web Cryptography API, and a bit of Joomla magic to keep it invisible and lightweight. No mangled text or “click the crosswalk” nonsense—just a silent shield. Users fill out forms without a hitch; bots hit a wall. I’ve been running it on my contact page, and here’s the kicker: not a single spam email in weeks. Weeks! After years of tweaking difficulty levels (1 to 4, depending on how mean I’m feeling) and adding tricks like delayed calculations, this latest twist feels like the kill shot.
From Blocking to Watching
While wrestling with the Joomla 5 rewrite, I had a brainwave: blocking bots is solid, but why not spy on them too? So, I baked in a feature to capture analytics on every bot HashCash catches. Now, when a script stumbles over the delayed calculation or hammers the form too hard, I snag a snapshot: their IP address, the exact time they hit, their user agent (that little “I’m a browser, honest!” lie bots love), plus some nerdy event details—whether it’s a legit interaction, the form they targeted, and if it’s fishy enough to raise an eyebrow.
It’s not just a log—it’s a window into the chaos. Right now, it’s raw intel sitting pretty in the plugin, but the next move’s brewing: feeding it into Google Analytics as a custom event. Soon, I’ll see it all—how many bots crash the party, when they strike, and what they’re pretending to be. No more blind defense; it’s like flipping on a spotlight and watching them scatter. For now, it’s me, a spam-free inbox, and a growing stash of bot secrets. Big plans ahead.
Did I Solve Bot Spam?
So, did I solve Joomla bot spam? I’m tempted to say yes—or at least, “Yes, for me.” My inbox is clean, my users aren’t annoyed, and somewhere out there, a bot’s CPU is crying. The plugin’s not a silver bullet—nothing is—but it’s a damn good stake through the heart of form abuse. It’s come a long way from that scrappy idea 11 years ago, inspired by a paper I read on a whim. I didn’t set out to reinvent the wheel; I just wanted something that worked without making users hate me.
In reality - no, I didn't solve anything. I did, however, make it MUCH more expensive to spam Joomla forms that are using HashCash. Not in the way Adam Back envisioned (with CPU cycles), but by requiring much more sophisticated tools to circumvent the bot checks. They're pretty bulletproof, unless you're using a scripted/headless browser to manipulate the form using mouse and keyboard inputs. That's the expensive part. Scripted/Headless automation costs a lot more than a JavaScript someone bought off some guy on the dark web, and my plugin can catch some of those too. I'm OK with partial success.
The new version of HashCash is a far cry more effective than ReCaptcha has been for the past year. Slowing them down to a crawl and forcing them to spend more money seems like a win to me.
What’s Next?
You can grab Captcha - HashCash and try it yourself—hit the Contact Us link below and see (or rather, don’t see) it in action. Crank the difficulty, toggle the punishment mode if you’re feeling spicy, and watch your spam dry up. Did I solve bot spam for Joomla? Maybe I did, maybe I didn’t—but I’m calling this one a win. Eleven years, a few forum high-fives, and a lot of bot tears later, I’ll take it.
