Mar 6: Evil form spam protection

Everybody who has ever set up an HTML form on a website (e.g. contact form for sending eMails), knows that some nasty spam bots visit your site from time to time and submit the form with random spam. The usual countermeasure is to verify that an actual human being is submitting the form. This verification is normally done with the help of a Captcha, a small image containing random letters. By typing the letters into an input field, you prove to be human, because it is assumed that bots cannot recognize the letters in the image. (Actually nearly every Captcha implementation has been defeated so far and trained bots can circumvent their protection.)

Over at Marian's website, we have a form for online support requests by customers and encountered an increasing amount of spam coming to the support staff's inbox through the HTML form. Since I was to lazy to set up a captcha - although I liked to idea of the reCAPTCHA - I tried a different, evil, mean, unfair but still elegant way of blocking spam posts. Knowing that spam bots want to deliver their advertisement links in any possible way, I just set up an additional input field in the form:
<input type="text" name="website" value=""/>
This field is hidden using CSS display:none on the surrounding element, so that normal users don't see it. One can assume, that bots usually don't care much about CSS and try to fill out all form fields, especially the one labeled "website". They just can't resist.. hrhr.. For CSS unaware user agents and screen readers, we add a (also hidden) text message, telling the user to leave the field empty. Now, with our trap in place, everytime the form is submitted, we just check if this input field is left empty. If it was indeed filled out, we reject the submission with an error message, since it was probably submitted by a bot.

Outcome: During February, the form was submitted 7 times with a non-empty website field, everytime containing a spam link. No other spam came through our filter and the support staff is happy. I know, it's not much data now, but principially this easy method seems to work quite well in our case. Evil grin..

Note: Obviously this trap only works for "generic" spam bots, which have no prior knowledge about our form and the madness of its programmer.. Usability note: There might be some issues with browsers automatically filling certain form elements, based on visits to other forms with same input field names.

Posted by Peter in Misc Comments: (0) Trackbacks: (0)
Defined tags for this entry: ,

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments


Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA