6

I'm setting up an e-mail form and I need to be able to check for bots and filter them quietly. The site runs ASP.NET MVC. I'd like to avoid CAPTCHA. Any ideas?

craigmoliver

3 Answers

11

Add a new input field, label it "Please leave blank", hide it using CSS, and ignore the post if that field is filled in. Something like this:

<style type='text/css'>
#other_email_label, #other_email {
    display: none;
}
</style>
...
<form action='mail'>
<label id='other_email_label' for='other_email'>Please leave blank:</label>
<input type='text' name='other_email' id='other_email'>
...
</form>

So a human being won't see that field (unless they have CSS turned off, in which case they'll see the label and leave it blank) but a spam robot will fill it in. Any post with that field populated must be from a spam robot.

(Copied from my answer to this related question: "What is a good invisible captcha?")

Community
RichieHindle
  • 4
    This, of course, will not work if someone tries to create a bot to spam your site specifically, but it does work great otherwise. – Matthew Groves Jul 13 '09 at 12:51
2

IIRF can do blacklisting based on user-agent or IP address (or other things). Works with ASP.NET, PHP, anything. Runs on IIS5, 6, 7. Fast, easy, free.

You can browse the doc here.

Cheeso
1

I saw a solution to this with forms; the premise was using JavaScript to count keystrokes and time the distance from page_load to form submission. It then guessed if it was a bot based on that time and a typical expectation boundary for keystrokes/second, as bots (that use the browser) tend to dump text very quickly without strokes (just a Ctrl-V).

Bots just sending POST or GET data without loading the page just get filtered too.

I don't know the details of the implementation, but it might be an idea.

Aiden Bell
  • 1
    A bit risky I'd say. There are fast typers, you know. And what if the bot writers suddenly figure this out and add a sleep(10000) command? – synhershko Jul 12 '09 at 22:26
  • Indeed, just depends on the scale of the project and if you envision bot-writers customizing their spam machines to your site. – Aiden Bell Jul 13 '09 at 10:54
  • 1
    @synhershko, I think it'd be unlikely for the bot programmer to add a sleep command; that's a pretty big reduction in the amount of spam to spread, unless they're programming specifically for your website, in which case these bot detection techniques are going to need to keep evolving. – Nathan Koop Jul 15 '09 at 19:13
  • If a bot wants to program specifically for your website (which it doesn't) then it will get in. Sorry. However, you can make the bar high enough that he doesn't want to waste cycles on it. – Christian Mann Oct 16 '10 at 21:49
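Added example, not from any of the answers above: the server-side check for the hidden other_email field from the first answer, combined with a simplified form of the timing idea from the third (elapsed time between rendering and submission only, no keystroke counting), using a signed timestamp so that posts made without loading the page are caught too. The class name, the form_token field, the key and the thresholds are assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Text;
// Added example; class name, "form_token" field, key and thresholds are assumptions.
public static class BotFilter
{
    // Placeholder key: load a random secret from protected configuration instead.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-RANDOM-SECRET");
    private static readonly TimeSpan MinFillTime = TimeSpan.FromSeconds(3);
    private static readonly TimeSpan MaxAge = TimeSpan.FromHours(2);

    // Render the returned value into a hidden <input name="form_token"> with the form.
    public static string IssueToken(DateTime utcNow)
    {
        string ticks = utcNow.Ticks.ToString();
        return ticks + "." + Sign(ticks);
    }

    // True when the post should be dropped quietly: show the usual "thanks" view, send no mail.
    // From an MVC action: if (BotFilter.IsLikelyBot(Request.Form, DateTime.UtcNow)) ...
    public static bool IsLikelyBot(NameValueCollection form, DateTime utcNow)
    {
        // Honeypot: the field is hidden by CSS, so any value came from automation.
        if (!string.IsNullOrEmpty(form["other_email"])) return true;

        // Missing or tampered token: the client posted without loading the page.
        string[] parts = (form["form_token"] ?? "").Split('.');
        long ticks;
        if (parts.Length != 2 || !long.TryParse(parts[0], out ticks)) return true;
        if (!FixedTimeEquals(Sign(parts[0]), parts[1])) return true;
        // Submitted faster than a person could fill the form in, or token too old.
        TimeSpan elapsed = utcNow - new DateTime(ticks, DateTimeKind.Utc);
        return elapsed < MinFillTime || elapsed > MaxAge;
    }

    private static string Sign(string data)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A token stays valid until MaxAge passes and can be replayed in that window, so this filters generic bots only, in line with the comments above about bots written for one specific site.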