Preventing SPAM on my contact form

  • natas
  • PHP Ninja
  • Proficient
  • Joined: Mar 28, 2009
  • Posts: 305
  • Loc: AFK

Post April 8th, 2011, 1:08 pm

I read up on this and found a couple of articles that suggest I add a hidden field and run a check to see if it is empty. According to the articles, most bots will enter data in every field; thus, if the hidden field has any value, it is from a bot.

I tried this and it seems to be working so far. Is this a good solution to my problem? I hate using CAPTCHA.

  • Bigwebmaster
  • Site Admin
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8922
  • Loc: Seattle, WA & Phoenix, AZ

Post April 8th, 2011, 1:27 pm

I think it might stop some bots, but smarter bots should realize that you should only use the values that are given with a hidden field, and if that field is blank by default then it should use the same value.

This made me think of an idea though, but it would require that all your users allow the use of JavaScript. If you were to add a hidden field like you said with an empty value, you could use some dynamic JavaScript that uses AJAX to obtain a value from the server and assign it to the hidden field. Then once the form is submitted you can verify with the script that the value matches. That might be enough to trick most bots, unless the bot is smart enough to execute JavaScript. The major downside here though is for users who have JavaScript disabled.
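The two checks discussed in the posts above (an empty hidden field and a server-issued value copied into the form by JavaScript), sketched server-side as an added example that is not part of the thread. The field name `website`, the token layout and the age limits are assumptions of this example; the minimum age is an extra check that a timestamped token makes possible.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
MIN_AGE = 3         # assumed threshold (seconds): anything faster is treated as automated
MAX_AGE = 3600      # assumed lifetime (seconds): older tokens are stale
HONEYPOT = "website"  # hypothetical name of the CSS-hidden field a human leaves empty


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value the AJAX endpoint returns; page JavaScript copies it into the hidden 'token' field."""
    issued = int(time.time() if now is None else now)
    payload = f"{issued}.{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def check_submission(form: dict, now=None) -> str:
    """Return 'ok' or the reason the POST is rejected."""
    now = time.time() if now is None else now
    if form.get(HONEYPOT, ""):
        return "honeypot filled"          # a bot filled every field it found
    parts = form.get("token", "").split(".")
    if len(parts) != 3:
        return "token missing"            # client never ran the JavaScript
    issued, nonce, sig = parts
    expected = _sign(f"{issued}.{nonce}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "token forged"
    age = now - int(issued)               # safe: 'issued' is covered by the signature
    if age < MIN_AGE:
        return "submitted too fast"
    if age > MAX_AGE:
        return "token expired"
    return "ok"
```

A token stays valid until it expires, so a client that fetches one can reuse it; making it single-use requires remembering spent nonces on the server.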
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post April 8th, 2011, 3:54 pm

How about a captcha? That seems to work pretty well in most cases.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Bigwebmaster
  • Site Admin
  • Site Admin
  • Joined: Dec 20, 2002
  • Posts: 8922
  • Loc: Seattle, WA & Phoenix, AZ

Post April 8th, 2011, 4:42 pm

He said he didn't want to use a CAPTCHA :)
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post April 9th, 2011, 10:20 am

Bigwebmaster wrote:
He said he didn't want to use a CAPTCHA :)

Ahhh... didn't notice that. Why though?
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • natas
  • PHP Ninja
  • Proficient
  • Joined: Mar 28, 2009
  • Posts: 305
  • Loc: AFK

Post April 9th, 2011, 1:59 pm

Because I hate filling out captchas when I have to fill out forms. And I imagine I'm not the only one. I want a better solution.
  • WritingBadCode
  • Graduate
  • Graduate
  • Joined: Apr 28, 2011
  • Posts: 214
  • Loc: Sweden

Post April 28th, 2011, 7:58 pm

Some ideas (unsure if they would help):

1) Have a clock on the side (hidden or visible). If the user sends the "form" e.g. faster than 10 secs, then see it as a spam bot sending. Or set it to some other time. (Use a time that makes it highly unlikely that a human could have filled "all" the info there already.)

2) Randomize the form fields' position, and when the user wants to "final" his/her message/registration, have 3 buttons there: 2 dummy buttons and one "real". Add a question like "press the biggest button to register/send" or "press the button that says xxx".

3) Add a bunch of easy-to-answer questions (rotating) with two SELECT buttons (true/false); clicking should not take the user to a new site. Questions can be like: "green is a color" (TRUE/FALSE), "This site's name is ****" (TRUE/FALSE). And so on.
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post April 28th, 2011, 9:01 pm

natas wrote:
Because I hate filling out captchas when I have to fill out forms. And I imagine I'm not the only one. I want a better solution.

The way I see a CAPTCHA is not a security image that you have to decipher into letters... although that is what it probably is. To me, the word CAPTCHA has a broader meaning.

A CAPTCHA could be a mathematical question like "What is 2+6?" or something to that effect...


I don't know if you can do this and I don't know if it helps, but disabling the use of the 'Enter' key could help.
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • Sogo7
  • Newbie
  • Newbie
  • Joined: May 11, 2011
  • Posts: 6
  • Loc: UK

Post May 12th, 2011, 6:09 pm

1. Obfuscation: Dynamically creating the form input fields' name tags using a random number or word each time the page loads and storing those values server side so the page receiving the form knows what's going on. This should stop all bots in their tracks as the page no longer conforms to what it expects.

2. Validation: Applying regex to the message contents looking for certain keywords and SQL injection attempts.

3. Tracking: Check the referer, session, cookies etc. Have they come through the site or just appeared out of nowhere? If the spammer is particularly persistent I'd look at using EVER COOKIES or client side storage to tag visitors.

4. Look at the traffic logs and see if they can be blocked by IP.
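The per-page-load random field names from point 1 of the post above, as an added example that is not part of the thread. A plain dict stands in for the server-side session, and the logical field names and the empty decoy inputs are assumptions of this example.

```python
import secrets

FIELDS = ("name", "email", "message")  # hypothetical logical fields of the contact form


def new_form(session: dict, decoys: int = 2):
    """Choose fresh random input names for one page load and remember them server-side."""
    names = {"f_" + secrets.token_hex(6): logical for logical in FIELDS}
    traps = ["f_" + secrets.token_hex(6) for _ in range(decoys)]  # rendered hidden, must stay empty
    session["form"] = {"names": names, "traps": traps}
    # The template uses this to write <input name="..."> for each logical field.
    return {logical: rand for rand, logical in names.items()}, traps


def read_form(session: dict, posted: dict):
    """Map a POST back to logical names; None means it did not come from the page we served."""
    form = session.pop("form", None)       # single use: a replayed POST finds no mapping
    if form is None:
        return None
    names, traps = form["names"], form["traps"]
    if set(posted) != set(names) | set(traps):
        return None                        # fixed or guessed field names, e.g. a scripted POST
    if any(posted[t] for t in traps):
        return None                        # something filled a field no human can see
    return {names[rand]: posted[rand] for rand in names}


if __name__ == "__main__":
    session = {}                           # constructed stand-in for a real session store
    names, traps = new_form(session)
    post = {names["name"]: "Ann", names["email"]: "ann@example.com",
            names["message"]: "Hello"}
    post.update({t: "" for t in traps})    # browsers submit empty text inputs as ""
    print(read_form(session, post))        # logical dict on first submit
    print(read_form(session, post))        # None on replay
```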

Post Information

  • Total Posts in this topic: 9 posts

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.