
I'm about to implement a web form that requires some form of spam prevention. I'd like to avoid spam prevention techniques involving user input, and integrating with Akismet is overkill for this situation (it's ok if a small amount of spam does get through). I'd also prefer to avoid techniques involving javascript - again the user experience is the top priority and I don't want to discount users on devices without javascript.

A common technique is a honeypot form field which is hidden with CSS so that it is invisible to the end user but seen by spambots. Ideally this should have an enticing name like "name" or "email_address". However I'm concerned that these may be filled out by browser (or other 3rd party) form auto-complete tools, hence identifying legitimate submissions as spam.

This got me thinking about form elements that auto-complete tools will ignore, but spambots will attempt to use. A checkbox input was the first thing to come to mind - many forms include a checkbox along the lines of "Please accept our terms & conditions". Surely spambots would attempt to mark this as checked? So, perhaps a hidden checkbox would be an acceptable solution:

<div class="hidden">
  <label>
    Are you not a human?
    <input type="checkbox" name="accept_terms" value="1" />
  </label>
</div>

Users without CSS will see the field, which isn't so great, but that's going to be a very small proportion of users, and the label should explain that they should not tick the box.

My main concern though is that I'm not sure how most spambots interact with checkboxes. Will this technique work?

Please note: this isn't to trigger a discussion on various spam prevention techniques - just to get feedback on this technique in particular.

Thanks!

Edit: <div class="hidden"> could just as easily be <div class="abc">, provided .abc { display: none; }

6twenty
  • A related question would be: is there a robust method for testing a web form against spam attacks, other than putting a test form online and waiting for spambots to attempt an attack? – 6twenty Sep 09 '12 at 08:09

3 Answers


I honestly don't think someone writing a spam-bot would try to interact with hidden fields. They are trying to mimic human behavior, with normal browsers, and those don't see anything "hidden".

m4573r
  • How will the spambot know it's hidden? Seems like they'd have to write a fairly sophisticated program to handle identifying which fields are hidden or not (other than by type="hidden"). Also remember that this technique doesn't have to block ALL spambots - just the majority. – 6twenty Aug 31 '12 at 08:25
  • I'm writing bots myself (not spam bots, but bots anyway), and with the software I use, it's extremely easy to just filter out any tag with attributes having the value "hidden" when analyzing the loaded page. – m4573r Aug 31 '12 at 08:30
  • That's easily circumvented. Change the div's class to "abc", and in your stylesheet, define `.abc { display: none; }` – 6twenty Aug 31 '12 at 08:33
  • This would already be better. However, this software I use offers an option to apply the CSS or not when loading the page, in which case the rendered page would still not display your hidden element. But I agree that this already requires some more thought on the bot-programmer level... and my experience with spam bots is after all really limited, so I don't really know how sophisticated "the majority" of them is. – m4573r Aug 31 '12 at 08:42
  • Thanks, this is good to know. The more sophisticated spambots could discard fields hidden with CSS - hopefully then, these sophisticated bots aren't very common. – 6twenty Aug 31 '12 at 09:00

I use that method myself but the SpamBots have gotten wise to it lately.

Another method I just saw, although harder to implement, is a TIMER. So if they don't take at least some minimum amount of time filling it out then it's probably a spambot. Although, if they use something to autofill, then they might fill it in very quickly.

Here's how that method works: http://pageaffairs.com/notebook/contact-form-honeypots

Clay Nichols
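A server-side check combining the hidden-checkbox honeypot from the question with the minimum-fill-time test from this answer, as an added example rather than code from either poster. It assumes the form posts the question's `accept_terms` checkbox plus a hidden `form_token` field (a name chosen here) carrying an HMAC-signed timestamp issued when the form was rendered, so a bot cannot simply backdate it.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; load from config in practice
MIN_FILL_SECONDS = 3                  # a human needs at least this long
MAX_AGE_SECONDS = 3600                # reject tokens older than this

def issue_token(now: float, secret: bytes = SECRET) -> str:
    """Value for the hidden form_token field when the form is rendered:
    the issue timestamp plus an HMAC so a bot cannot forge an earlier time."""
    ts = str(int(now))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def check_submission(fields: dict, now: float, secret: bytes = SECRET) -> str:
    """Classify a posted form (field name -> value). Returns 'ok' or a reason."""
    # Honeypot: a browser sends nothing at all for an unchecked checkbox,
    # so the mere presence of accept_terms means something ticked it.
    if "accept_terms" in fields:
        return "honeypot_checked"
    # Timer: verify the token before trusting the timestamp inside it.
    ts, _, mac = fields.get("form_token", "").partition(".")
    if not ts.isdigit():
        return "token_missing"
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "token_forged"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"
    if elapsed > MAX_AGE_SECONDS:
        return "token_expired"
    return "ok"

if __name__ == "__main__":
    t0 = 1_700_000_000.0            # constructed render time
    tok = issue_token(t0)
    # constructed sample submissions
    print(check_submission({"form_token": tok, "message": "hi"}, t0 + 20))       # ok
    print(check_submission({"form_token": tok, "accept_terms": "1"}, t0 + 20))   # honeypot_checked
    print(check_submission({"form_token": tok, "message": "buy now"}, t0 + 1))   # too_fast
```

Log the returned reason rather than just dropping the request; counting `too_fast` against `honeypot_checked` over a week tells you which of the two checks is actually catching your spam.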

I know this is an old question, but I think it's increasingly relevant because (in my experience) the honeypot techniques are effective. I just offered feedback on a similar question yesterday, so rather than repeat that I'll drop that link here.

The trick, I think, is to understand how bots work. For example: They're built for efficiency, and that means speed, and that means they will fill and submit a form far more quickly than a human can. ANYTHING like this that differs from human behavior can be targeted to thwart them. However they may evolve, this is the key understanding to maintain.

Jeff Seager