3

I've been doing a lot of research about spam-prevention methods, I do not want to resort to using CAPTCHA.

The form typically sends an email to the user and the webmaster with the contents of the form.

The first thing I've done is to remove the contents of the form in the email sent to the user and simply have a confirmation message.

I have added a row for the persons 'title' and hidden the row using CSS, if the field is filled in. The submission completes without sending any emails.

I'd like to add a couple of other techniques,
Check the time to complete submission - do not send emails if under 5 seconds.
Pass through an unique ID - do not send emails if no match

The problem is that website pages are cached, so directly setting a session variable is useless. I'm considering use ajax to hit a CFC and set the variable, but it would require JavaScript.

Should I restrict submissions to only those with JavaScript enabled? Or are there any alternative suggestions?

Thanks

Daniel Cook
  • 1,033
  • 1
  • 9
  • 19
  • 1
    Here is an older blog post that still has relevant techniques: [Stopping spambots with hashes and honeypots](http://nedbatchelder.com/text/stopbots.html) – Miguel-F Sep 13 '13 at 15:23

2 Answers2

3

Daniel,

I have a similar spam-detection approach that has been in place since last year. I can share what I have seen.

Session based tests: Checking the time it takes someone to fill out the form and checking that the user comes from the right page have been very reliable checks, though somewhat fraught with difficulty. In your case, forcing users to have modern, javascript enabled browsers might be your best option. And it seems like it's becoming a more accepted practice, I guess, right? I don't really know..

Content based tests: Another two fairly helpful practices are to check that form fields contain different values and that no more than a specified number of URLs have been entered. Spammers almost always seem to stick the same trash URL into every field. However, these checks aren't nearly as good as session-based checks.

Our spam-detection heuristic has a few other checks, in addition to the ones above:

  • Basic regex injection tests - bare-bones, but I can share if you are interested
  • Spam Content - pretty useless - a simple library constructed mostly by hand
  • Banned IP Address - also pretty useless..

Some numbers from our heuristic over the last year or so. Total failed tests= 83,356

  • Failed Injection Test = 54 (0 failed this test and no other tests)
  • Failed Too Many URLs In Input Test = 18,935 (2396)
  • Failed Spam Content Test = 3673 (46)
  • Failed Hidden Field Tampering Test = 60,295 (1479)
  • Failed Dubious Time Elapse Test = 64,430 (17,126)
  • Failed Invalid Session Test = 28,706 (140)
  • Failed Fields Contain Same Values Test = 167 (49)
  • Failed Banned IP Address (not implemented) = 0 (0)

I don't want to post too many details about exactly what our criteria are, but if you are interested I'd be happy to share code.

-Ben

bwhet
  • 158
  • 2
  • 12
  • Thanks, I will be finalising development today so I think I will got the JavaScript ajax route. Thanks for your input! – Daniel Cook Sep 16 '13 at 09:04
  • To follow up - I think I might actually just remove the page from being cached - it will be easier this way! If the website is down, then the form won't work anyway. – Daniel Cook Sep 16 '13 at 09:23
1

I suggest you take a look at http://cfformprotect.riaforge.org/ as it works well for me.

Richard Herbert
  • 616
  • 3
  • 5