Preventing SPAM on my contact form

  • natas
  • PHP Ninja
  • Proficient
  • Posts: 308
  • Loc: AFK

Post 3+ Months Ago

I read up on this and found a couple of articles that suggest I add a hidden field and run a check to see if it is empty. According to the articles, most bots will enter data in every field; thus, if the hidden field has any value, it is from a bot.

I tried this and it seems to be working so far. Is this a good solution to my problem? I hate using CAPTCHA.
  • Bigwebmaster
  • Site Admin
  • Posts: 9099
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

I think it might stop some bots, but smarter bots should realize that you should only use the values that are given with a hidden field, and if that field is blank by default then it should use the same value.

This made me think of an idea though, but it would require that all your users allow the use of JavaScript. If you were to add a hidden field like you said with an empty value, you could use some dynamic JavaScript that uses AJAX to obtain a value from the server and assign it to the hidden field. Then once the form is submitted you can verify with the script that the value matches. That might be enough to trick most bots, unless the bot is smart enough to execute JavaScript. The major downside here though is for users who have JavaScript disabled.
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

How about a captcha? That seems to work pretty well in most cases.
  • Bigwebmaster
  • Site Admin
  • Posts: 9099
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

He said he didn't want to use a CAPTCHA :)
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

Bigwebmaster wrote:
He said he didn't want to use a CAPTCHA :)

Ahhh... didn't notice that. Why though?
  • natas
  • PHP Ninja
  • Proficient
  • Posts: 308
  • Loc: AFK

Post 3+ Months Ago

Because I hate filling out captchas when I have to fill out forms. And I imagine I'm not the only one. I want a better solution.
  • WritingBadCode
  • Graduate
  • Posts: 214
  • Loc: Sweden

Post 3+ Months Ago

Some ideas (unsure if they would help):

1) Have a clock on the side (hidden or visible). If the user sends the "form" e.g. faster than 10 secs, then see it as a spam bot sending. Or set it to some other time. (Use a time that makes it highly unlikely that a human could have filled "all" the info there already.)

2) Randomize the form fields' positions, and when the user wants to "final" his/her message/registration, have 3 buttons there: 2 dummy buttons and one "real". Add a question like "press the biggest button to register/send" or "press the button that says xxx".

3) Add a bunch of easy-to-answer questions (rotating) with two SELECT buttons (true/false); clicking should not take the user to a new site. Questions can be like: "green is a color" (TRUE/FALSE), "This site's name is ****" (TRUE/FALSE), and so on.
  • Bogey
  • Genius
  • Posts: 8416
  • Loc: USA

Post 3+ Months Ago

natas wrote:
Because I hate filling out captchas when I have to fill out forms. And I imagine I'm not the only one. I want a better solution.

The way I see a CAPTCHA is not a security image that you have to decipher into letters... although that is what it probably is. To me, the word CAPTCHA has a broader meaning.

A CAPTCHA could be a mathematical question like "What is 2+6?" or something to that effect...


I don't know if you can do this and I don't know if it helps, but disabling the use of the 'Enter' key could help.
  • Sogo7
  • Newbie
  • Posts: 6
  • Loc: UK

Post 3+ Months Ago

1. Obfuscation: Dynamically creating the form input fields' name tags using a random number or word each time the page loads and storing those values server side so the page receiving the form knows what's going on. This should stop all bots in their tracks as the page no longer conforms to what it expects.

2. Validation: Applying regex to the message contents looking for certain keywords and SQL injection attempts.

3. Tracking: Check the referer, session, cookies, etc. Have they come through the site or just appeared out of nowhere? If the spammer is particularly persistent I'd look at using EVER COOKIES or client side storage to tag visitors.

4. Look at the traffic logs and see if they can be blocked by IP.
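
A server-side sketch that combines the empty hidden field from the first post with the minimum-time check from WritingBadCode's list, added here as an example and not code posted by anyone in the thread. The field names `website` and `form_token`, the demo key and the one-hour expiry are assumptions, and Python is used only for illustration.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: load a real secret from config
HONEYPOT_FIELD = "website"            # hypothetical field name, hidden with CSS
MIN_FILL_SECONDS = 10                 # the "faster than 10 secs" rule from the thread
MAX_FORM_AGE = 3600                   # assumption: a rendered form is valid for 1 hour


def _sign(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return 'timestamp.signature' for a hidden field when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    # Honeypot: a human never sees this field, so any value means automation.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    ts, _, sig = form.get("form_token", "").partition(".")
    # Constant-time compare on bytes; a missing or edited token fails here.
    # A valid signature also proves ts is a timestamp this server issued.
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad token"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_FORM_AGE:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                # constructed render time
    token = issue_token(now=t0)
    samples = [                       # constructed submissions: (label, fields, arrival)
        ("human", {"website": "", "form_token": token}, t0 + 45),
        ("fills every field", {"website": "http://x.example", "form_token": token}, t0 + 45),
        ("instant post", {"website": "", "form_token": token}, t0 + 2),
        ("no token", {"website": ""}, t0 + 45),
    ]
    for label, fields, arrival in samples:
        print(f"{label:18} -> {check_submission(fields, now=arrival)}")
```

Because the timestamp is signed, the timing check needs no JavaScript and no server-side session. A bot that loads the form, leaves the hidden field empty and waits out the delay still passes, which is the limit Bigwebmaster describes.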

Post Information

  • Total Posts in this topic: 9 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.