Add server-side validation for drawn points

[RobThree]

How is this going to stop anything other than “human spammers” (which are close to non-existent compared to spam-bots anyways)? Any decent bot will (in time) just retrieve the “hidden” URL and use it to post it’s spam to. It doesn’t care if it has to parse the action attribute or some other field to get the URL to post the data to.

If you want this to be of any use at all, you’ll need to send the strokes themselves (or a “fingerprint” or “hash” of them) to the server and let the server decide whether the captcha is passed or not.

I'm sorry. I like your idea and out-of-the-box thinking. But it's practical use (fight automated spam) is close to zero.