Interesting anti bot spam technique


For the past few days I’ve spent almost 7 hours driving in the car, and it’s a great time to clean down on all my podcasts (View my podcast channels). In one of them, Security Now, an interesting technique for combatting bot spam was talked about, and I thought I’d share it here.

The idea is incredibly simple. Take a form which has fields on it, say email address, repeat email address and message. A bot would discover the form fields, fill them with rubbish and submit the form. But what if you put an extra field in the form but used CSS to hide it? A bot would still see the field and fill it with rubbish, but on submit you could check the length of the field’s value: if there is anything in it, ditch the submission, as it’s obviously a bot. You’d need to put a label next to the field saying something like ‘don’t type anything in this field’ for those visitors that don’t render CSS.

See, incredibly simple, no funky captchas that are impossible to read…
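A server-side sketch of the check described above, as an added example that is not part of the original post. The field name `website`, the `/contact` action and the function `classify_submission` are assumptions, and rejecting a request that omits the hidden field entirely goes one step beyond what the post describes.

```python
from urllib.parse import parse_qs

HONEYPOT = "website"  # hypothetical name; pick something a bot would want to fill

# The form from the post plus the hidden extra field. The label is for visitors
# whose browser does not render CSS; tabindex/autocomplete keep keyboard users
# and browser autofill from putting a value in it by accident.
FORM_HTML = f"""<style>.hp {{ display: none; }}</style>
<form method="post" action="/contact">
  <label>Email <input name="email"></label>
  <label>Repeat email <input name="email_repeat"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div class="hp">
    <label>Don't type anything in this field
      <input name="{HONEYPOT}" autocomplete="off" tabindex="-1">
    </label>
  </div>
  <button>Send</button>
</form>"""


def classify_submission(body: str) -> str:
    """Return 'accept' or 'reject' for an application/x-www-form-urlencoded body."""
    # keep_blank_values=True: a browser sends the untouched field as "website=",
    # and parse_qs would silently drop it otherwise.
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get(HONEYPOT)
    if values is None:
        # Assumption beyond the post: the rendered form always submits the
        # field, so a request without it did not come from that form.
        return "reject"
    if any(len(v) > 0 for v in values):
        # The post's check: anything at all in the hidden field means a bot.
        return "reject"
    return "accept"


# Constructed sample request bodies.
HUMAN = "email=a%40example.com&email_repeat=a%40example.com&message=hello&website="
BOT = "email=x%40example.com&email_repeat=x%40example.com&message=buy&website=http%3A%2F%2Fspam.example"
NO_FIELD = "email=x%40example.com&email_repeat=x%40example.com&message=buy"

if __name__ == "__main__":
    for name, body in [("human", HUMAN), ("bot", BOT), ("no field", NO_FIELD)]:
        print(f"{name}: {classify_submission(body)}")
```
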

3 Responses to “Interesting anti bot spam technique”

  1. Ben Nadel Says:

    Good stuff. I think this is technically called a HoneyPot (or at least this is one form of low-level honeypot in computing):

    http://en.wikipedia.org/wiki/Honeypot_(computing)

  2. Michael Evangelista Says:

    Hi John -
    I’ve been using this ‘honeypot’ technique for quite some time, and yes it works wonderfully. Spam has hit almost zero on the sites with the empty field in place.

    I have also borrowed Ray’s list of ‘naughty words’ from the blog_cfc app, and upon submission of the form I loop every field through the list - if there is any match, I show a message and do not process the form. The final step I am using is to check every field for < or > characters, basically eliminating any type of html spam.

  3. Jake Munson Says:

    This feature has been in CFFormProtect (cfformprotect.riaforge.org) since the first release. It does work, but it doesn’t stop the human spammers (the armies of cheap labor from 3rd world countries that manually fill out forms with spam).
