Preventing spam on your website without using captcha

Posted by guru in October 16th, 2007
Published in Security

This article is based on a simple fact: spam robots are so dumb that they usually put their grandfathers (their developers) to shame.

Concept:
For people who don’t know this trick already, here is how you do it:

  1. Add an input field to your form, with some interesting name, for example ‘URL’.
    <input name="url" type="text" value=""/>
  2. Hide the input box using CSS so that genuine users cannot see it.
    <style>
    .style1 {
      display: none;
    }
    </style>
    <p class="style1"><input name="url" type="text" value=""/></p>
  3. While processing the form check if the “url” contains any value. If it does, reject the post or put it for moderation.
    if (isset($_POST['url']) && strlen(trim($_POST['url'])) > 0) {
        // The hidden field was filled in: it is spam, reject this post here
    }
  4. Didn’t get it? Why does this work? It works simply because genuine users cannot see a hidden input box on your form and therefore won’t fill it in, while robots read the HTML directly and fill in the fields they find.
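
The check from step 3 written out as a full decision function, as an added example that is not the author's code. It goes beyond the article by also treating a missing or non-string `url` field as suspicious and by adding a signed render-time check; the `ts` field, `FORM_SECRET`, `MIN_FILL_SECONDS` and all function names are assumptions made for illustration.

```php
<?php
// Added example; names, secret and threshold are assumptions, not from the article.
const FORM_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder
const MIN_FILL_SECONDS = 3; // assumed threshold; tune for your form

// Emit with the form: <input type="hidden" name="ts" value="<token>">
function make_form_token(int $now): string
{
    return $now . ':' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns the render time if the token is authentic, otherwise null.
function read_form_token(string $token): ?int
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], FORM_SECRET);
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// Returns 'accept', 'moderate' or 'reject' for one submitted form.
function classify_submission(array $post, int $now): string
{
    $trap = $post['url'] ?? null;
    if (!is_string($trap)) {
        return 'moderate'; // honeypot absent or an array: not built from our form
    }
    if (trim($trap) !== '') {
        return 'reject';   // step 3: something typed into the hidden field
    }
    $ts = $post['ts'] ?? null;
    $rendered = is_string($ts) ? read_form_token($ts) : null;
    if ($rendered === null || $now - $rendered < MIN_FILL_SECONDS) {
        return 'moderate'; // forged or missing token, or submitted too fast
    }
    return 'accept';
}

// Constructed sample submissions (not real traffic).
$t0 = 1192500000;
$human = ['comment' => 'Nice post', 'url' => '', 'ts' => make_form_token($t0)];
$bot = ['comment' => 'Buy now', 'url' => 'http://spam.example/', 'ts' => make_form_token($t0)];
echo classify_submission($human, $t0 + 40), "\n";              // submitted after 40 s
echo classify_submission($bot, $t0 + 1), "\n";                 // honeypot filled
echo classify_submission(['comment' => 'x'], $t0 + 40), "\n";  // honeypot field absent
```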


Applying it on Wordpress:
I was having a rough time dealing with some spam on this blog itself, but since I applied this trick I’ve not had any spam at all so far.
I’ve applied this on the comment form; you can see the HTML source of my page if you like (right-click > View Source on this page).
Here is my code on the server side (wp-comments-post.php):

29 comments so far.

matthew wrote,

Clever! I like this idea. Thanks for posting it.

balle balle wrote,

oie guru tusi great karta ji, balle balle…

nasir wrote,

Good, why didn’t I ever think about it before ?-) :-)

Rob wrote,

It’s simply a great idea, it’s so simple to make that, I’m afraid it works!

Stephan Beal wrote,

A similar trick would be to hide the form element and use JavaScript to populate it with some known value. Then, if the form element contains that specific value, allow the post. This of course requires the client to have JS enabled, but most do. Most bots, on the other hand, aren’t likely to have JS support.

spam wrote,

Spam

xavice wrote,

THIS IS GENIUS! Thank you!

Kevin wrote,

I like it, great idea.

PMP wrote,

i like milk

dddsxz wrote,

wdwwwe


Free poker online

—Reply from admin—
Now that’s funny :D

Jason wrote,

Why not just use Flash-based forms? The one thing that some dislike most about Flash (that it can’t be “seen” by bots) is most helpful against spamming.

Virtually everyone has Flash player installed in their browser and a Flash form can be published at Flash 6 or under decreasing chances it won’t render properly.

Of course, browser-based Flash blocker plug-ins can all be configured to allow for specific instances of SWFs (e.g., a form) to be unblocked.

Judah wrote,

Heheh, how ironic, then, that a “Free poker online” spam comment made it to this post. DOH!

nasir wrote,

Judah, are you kidding? The topic here is about automated bots not human bots.

Domeny wrote,

This is neat, thanks.

divotdave wrote,

As an alternative to CAPTCHA and hidden fields for a website I worked on we added an arithmetic question at the end of any form to be submitted. Simply ask “what is one plus one” - filter the answer on the POST request for the right answer. Amazingly, bots don’t know simple math too well.

You can even use bad answers to try and direct bots to a honey pot where you can log them and block them from the site…


Yes, I agree, but for a limited time only, you can get V*gra and ci*is for cheap!!!1

Bogdan wrote,

I’ve tried it, but still have spam.

David Mackey wrote,

Good tip, though I am sure many spam code authors would revise their code should this change be made. Not that it shouldn’t be implemented for now, but long-term we need significant governmental legal action versus the spammers, as we have seen what happens when corporations attempt to take them on (e.g. BlueFrog).

BannedGuy wrote,

Great, it reduced these f*king spams on my blog. Although this might not work in all cases - but we know that.

Nice article, Th@nks!

gowri wrote,

By the way check this company MDFI. Their stock is set to increase because of their association with Apple iphone and Complete Care Medical. Find more about this company and stock http://www.growurmoney.com/medefile/

multippt wrote,

This may work, until they find out about this trick.
It does not prevent all spam, since spam still gets submitted anyway (or sent for moderation).
It definitely does not prevent “deliberate” spam typed out individually by users who want to prove this wrong.

niyazlife wrote,

Good idea.
But only till somebody finds out.
You cannot use CAPTCHA also too reliably.
Read my article

mark wrote,

Cool…

Nev wrote,

Hi @ll

This method is nice; you can also create a timestamp of when the form is ordered and when it was sent.
If the time difference is too short, you know it comes from a bot.

On my systems I have many spam attacks per day, and I see that some don’t fill all the fields.

Sorry about my simple English

Cu
Nev

mgroves wrote,

The honey pot method has worked well for me. One tip though: use the same css classes on your input block elements (div’s, p’s, whatever), but use one *extra* class on the honeypot input. For instance: class="input honeypot". If the bot is clever enough to ignore inputs with different classes, this could fool him.

rhino13 wrote,

This is a great way of stopping spam bots!

N@te wrote,

Thank you so much. That worked great.

Bots can’t select options on your form so if you already have an area where the person is supposed to choose something, then you can Exit from processing the form in your Action Script. Great stuff. http://www.prepaidlegalplans.ws

N@te wrote,

Thanks a lot. That worked great.
Bots can’t select options on your form so if you already have an area where the person is supposed to choose something, then you can Exit from processing the form in your Action Script. Great stuff.
