That will work for low end drive by stuff. Anyone motivated will have a better bot. I was running one 10-12 years ago that was essentially a headless browser. It had a JavaScript runtime and a custom DOM. It could run jquery, prototype, ajax and just about everything else that was popular at the time. I even had a custom flash runtime in there for the jackass sites with the nav in flash.
These days you could just throw together a selenium script and call it a day.
This kind of stuff is fine for stopping comment spam because there are so many other opportunities out there that the spammers move on to an easier target. If you need to protect against a targeted attack then it’s a lot more difficult.
Maybe. Maybe not. They are pretty darn difficult. I’ve seen a few that are fairly straightforward to break. For the good ones, you’d need some quality CV tech and if what you have is that good then you’re probably better off using it for something other than breaking captchas in order to post comment spam for penis pills or whatever they are peddling these days.
You can pay teenagers in the Phillipines a few dollars a day to solve any kind of captchas for you. Maybe I have a different concept of a targeted attack, but that seems certainly in the realm of what a criminal enterpise or nation state would expend on a high value target.
These days you could just throw together a selenium script and call it a day.
This kind of stuff is fine for stopping comment spam because there are so many other opportunities out there that the spammers move on to an easier target. If you need to protect against a targeted attack then it’s a lot more difficult.