Stopping Spam Via Web Forms Without Using a CAPTCHA

May 18th, 2010 - Posted by Steve Marks to (X)HTML / CSS, Web Development.

Reduce spam from web forms

Personally I hate spam (who doesn’t!), but I also have a strong dislike of the methods used on sites’ forms to stop it. CAPTCHAs, questions like ‘1+1’ or ‘Is water wet or dry’: they’re all there to separate genuine human users from the spam bots. I find them time consuming and an interference to my browsing, especially when presented with an unreadable collection of letters and numbers that I’m then meant to re-input. It makes me wonder if some people don’t even want any enquiries, human or not.

Okay… *takes a few deep breaths*… Rant over, I wanted to share with you today a couple of methods I use when building forms on websites that do not require any extra “I’m a human” validation but that have significantly reduced, if not stopped, the spam received. I recently introduced the below methods onto one of my enquiry forms and the spam submissions went from three received every hour to absolutely zero.

Method 1 – Changing field names
When a spam bot completes a form it looks at a field name and inputs a value according to what it believes should go there. If it sees a textbox with a name like ‘email’ or ‘email_address’, for example, it will input an email address. Go ahead, take a look at some spam you’ve received and you’ll probably see what I mean.

The first approach I take is to rename all the fields on my form, giving them names that mean literally nothing so that bots cannot recognise them. For example:

Name: <input type="text" name="ndewf786v8" value="" />
Email: <input type="text" name="ffs76fc3f4f" value="" />

The bots now know nothing about what is expected in the fields because the names are unrelated to their contents, and if you also validate the type of input received (e.g. ensuring a valid email address was entered in the ‘Email’ field) you’re already well on your way to reducing spam.

Method 2 – Tricking the bots with hidden fields
The second technique I use is actually quite sneaky: it tricks the spam bots into filling in a field that a genuine submission would leave blank. It involves adding a textbox that is hidden from the user but that a bot would probably fill in. Still using Method 1 from above, I’ll show you what I mean:

Name: <input type="text" name="ndewf786v8" value="" />
Email: <input type="text" name="ffs76fc3f4f" value="" /> <div style="display:none"><input type="text" name="email" value="" /></div>

As you can see, the last input looks like a genuine field, and because it is called something common (and normally mandatory) like ‘email’ it would normally be completed by bots. It is, however, hidden from any genuine users completing the form. A simple bit of validation on this disguised field to ensure it is actually empty will help us distinguish whether the submission is genuine or not.

So there you have it: two simple changes, with no additional tests for the user, to catch those pesky bots. Please also note that all validation should be server-side rather than, or as well as, in JavaScript, as most bots (and the very rare user) will not have JavaScript enabled.
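To show both methods working together on the server side, here is an added example in Python (it is not code from the original post). It renders the post’s form with the same obfuscated field names and hidden ‘email’ honeypot, then validates submitted data the way the post describes: reject anything where the honeypot is non-empty, and validate the content of the renamed fields rather than trusting their names. The `autocomplete="off"`, `tabindex="-1"` and `aria-hidden` attributes on the honeypot are additions beyond the post’s markup, included because a browser’s autofill or a screen reader could otherwise touch the hidden field and cause a genuine user to be rejected. The sample submissions at the bottom are constructed for this example.

```python
import re
from html import escape

# Method 1: human-readable key -> meaningless form field name.
# These are the names used in the post's own sample form.
FIELD_NAMES = {
    "name": "ndewf786v8",
    "email": "ffs76fc3f4f",
}

# Method 2: the honeypot carries a common, tempting name that real users never see.
HONEYPOT_NAME = "email"

# Minimal e-mail shape check: something@something.tld with no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def render_form(action="/contact"):
    """Emit the form markup. The honeypot is hidden with CSS, as in the post;
    autocomplete/tabindex/aria-hidden are extra hardening so autofill and
    assistive technology leave it alone (assumed additions, not the post's)."""
    n, e = FIELD_NAMES["name"], FIELD_NAMES["email"]
    return (
        f'<form method="post" action="{escape(action)}">\n'
        f'Name: <input type="text" name="{n}" value="" />\n'
        f'Email: <input type="text" name="{e}" value="" />\n'
        f'<div style="display:none" aria-hidden="true">'
        f'<input type="text" name="{HONEYPOT_NAME}" value="" '
        f'autocomplete="off" tabindex="-1" /></div>\n'
        f'<input type="submit" value="Send" />\n'
        f'</form>'
    )


def validate_submission(form):
    """Server-side check of one submission (dict of field name -> value).
    Returns (accepted, reason, cleaned_fields)."""
    # Method 2: a genuine browser submits the honeypot empty (or not at all).
    # A bot that fills in whatever it recognises as 'email' gives itself away.
    if form.get(HONEYPOT_NAME, "").strip():
        return False, "honeypot filled", {}

    name = form.get(FIELD_NAMES["name"], "").strip()
    email = form.get(FIELD_NAMES["email"], "").strip()

    # Method 1: the obfuscated name tells a bot nothing, so check the content
    # that arrived under it instead of relying on the field name.
    if not name:
        return False, "name missing", {}
    if not EMAIL_RE.match(email):
        return False, "email invalid", {}
    return True, "ok", {"name": name, "email": email}


# Constructed sample submissions for a stand-alone run.
SAMPLES = {
    "human": {"ndewf786v8": "Ada Lovelace", "ffs76fc3f4f": "ada@example.com", "email": ""},
    "bot_honeypot": {"ndewf786v8": "Ada", "ffs76fc3f4f": "ada@example.com", "email": "spam@example.net"},
    "bot_guessing": {"ndewf786v8": "http://example.org/cheap", "ffs76fc3f4f": "buy now!!", "email": ""},
}

if __name__ == "__main__":
    print(render_form())
    for label, submission in SAMPLES.items():
        ok, reason, _ = validate_submission(submission)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({reason})")
```

The two checks are independent: the honeypot catches bots that fill every field they recognise, and the content validation catches bots that fill every field regardless of name. Keeping the honeypot rejection silent (returning a generic failure or a fake success rather than an error naming the field) avoids telling a bot operator which check it tripped.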

This entry was posted on Tuesday, May 18th, 2010 at 10:16 pm by Steve Marks and is filed under (X)HTML / CSS, Web Development. You can follow any responses to this entry through the RSS 2.0 feed.
