Stop form spam - When CAPTCHA is not enough

Filed in archive Anti-Spam Tools on November 9, 2006

We all have this problem, don't we? CAPTCHAs are simply not enough anymore to stop spammers from seeding your comment fields and various contact forms. Only last week we suffered a spam flood, leaving us with a sour taste in our mouths and searching for the ultimate answer.

Luckily, Internet Storm Center and its Johannes Ullrich also had similar problems, and that lot solved the problem by employing the use of invisible form fields:

"one or more fake form fields are added to the form. But style sheets are used to make them "invisible". To further confuse the attacker, the fake form fields are given names like "subject" and such suggesting to the bot that these are the form fields they are looking for. However, whenever a form is submitted with content in a "hidden" field, it is discarded. I am not talking about the classic hidden form fields that are not user changeable, but form fields that are marked with "display: none"

Smart isn't it?

Internet Storm Center cut its response form spam to a bare minimum, so I think this would be a great solution for many blogs, websites and online shops.

Related Entries:

« CAN-SPAM - a big bag of n... | Main | Flickr spam - and a virus... »

Permalink: Stop form spam - When CAPTCHA is not enough

Tags: spam+fight anti+spam captcha form+spam comment+spam response+spam

Vote for Stop form spam - When CAPTCHA is not enough:

Currently 7.44/10
1
2
3
4
5
6
7
8
9
10

Rating: 7.44 out of 9 vote(s) cast.

Response from: Anthony (01/29/08 2:32pm)

I have been reading up on several ways to prevent spambots from spamming web forms. I came up with a simple technique that doesn't use image validation but simple number validation. Each time a user enters my form, I generate a unique ID and a 5-7 digit number code. I save this unique ID to a database along with its associated number code. When the form is submitted, if hidden field unique ID is the same and number code you typed is correct it submits the info and deletes the record, otherwise it will assume spam and not submit info. Again, it can be broken but that come into how complex I display the 5-7 digit code. Visit: http://www.atksolutions.com/contact.php

..for an example.
So far it has worked
Anthony
http://www.atksolutions.com

Response from: Clips (05/07/08 8:16am)

I have been reading up on several ways to prevent spambots from spamming web forms. I came up with a simple technique

Response from: Mark (05/28/08 3:12pm)

Be careful when selecting the names for fake fields. "Subject" might be ok, but "Name" will be populated by the AutoFill feature of the Google Toolbar if used and thus cause real entries to be blocked as SPAM.

Web Development by Innovative Technology Solutions, Inc.
http://www.innovativetechsolutions.net

Response from: wagner (09/10/08 7:12am)

Just added it to my site, let see how it goes, it is also good practice to have a form validation checking if telephone numbers are actual numbers, and email addresses are email addresses, but i personally don't like CHAPTCHA as it can cause frustration to the user.

Response from: amittarin (12/21/08 1:44pm)

need a chaptcha data entry job earn for money for breathI''ve no money .can u give me the work .i will paid u when u give me my selary i want a job for food for my child ,my morher my waif for my family plz help meI have no money no credit card