Form Spam

A lot of people are having problems with spam submissions to web forms, so I thought I would mention a few of the things I do to curb the problem. As with anything, there is give and take with each approach, so make sure you are aware of the ramifications before you implement a solution.

One technique in use for some time is to require users leaving messages on a website to log in each time they want to comment on a story. The simple "click on this link" email was used when creating users. However, as its popularity grew, automated bots that would click on links in email were created, limiting the effect of this method. It also detracts from the user experience because if you just want to leave a message, you have to jump through login hoops.

Another idea floated more recently is to require the user to type characters shown in an image. The images continue to get ever more obfuscated as time goes on, and quality programs to make these sorts of things are less than trivial. As the user experience suffers as well, we have been putting our heads together to figure out better ways to fight the inevitable tide.

One idea was to pick a random string and embed it into the form on a page and also in the server-side session that the browser is using. Every time a hit comes in, the random string is re-chosen. When the user submits a form, the posted string is checked against the one in the session before a new string is picked. If they match, then the post goes through. Obviously this requires the browser to have cookies enabled and does let posts through that correspond with GETs of the form page. However, it kills about 99% of the spam posts at Anders.com while keeping the user experience clean.

Another idea is to use a form that is either written with AJAX or uses AJAX to submit the contents. Either way, some spammer will eventually parse this sort of thing out as well, and it does require AJAX support. Still another idea is to use a Flash form, but that, of course, requires Flash support. With sites like YouTube, maybe Flash is more prevalent than in the past, but I don't think I'm ready to take that jump just yet.

I suppose I probably skipped the option of requiring JavaScript to post forms after doing some simple math and inserting the answer into a hidden field. As the form posts, the potential spammer would have to be able to parse and execute the JavaScript. Tying this method to things like the count of the images on the page, or other obscure things you can do in all versions of JavaScript but not in a system that doesn't render the page, might be ideas as well.

Making the Submit button an image and requiring realistic mouse coordinates to be posted as well might be another avenue. If you were to accept a little user experience interference, you could also show a row of icons and say "Click the Duck to Submit". All other icons wouldn't actually submit the form.

But the last suggestion I will mention is some use of all of these strategies. A form that randomly uses different JavaScript methods as well as some session-based tracking would probably do the trick for the foreseeable future. Best of luck with your forms and please leave a note if you think of another way to get around form spam.
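
The per-request random string check described above, sketched as an added example (this is not the code running at Anders.com). The session is modelled as a plain dict, and the names `TOKEN_KEY`, `handle_get` and `handle_post` are assumptions made for illustration.

```python
import hmac
import secrets

TOKEN_KEY = "form_token"  # assumed session key name, not from the original page


def rotate_token(session: dict) -> str:
    """Re-choose the random string and store it in the server-side session."""
    session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def handle_get(session: dict) -> str:
    """Any hit on the form page picks a new string; embed the result in a hidden field."""
    return rotate_token(session)


def handle_post(session: dict, posted) -> tuple:
    """Check the posted string against the session, then pick a new one either way.

    Returns (accepted, next_token). Rotating after the check makes each string single-use.
    """
    expected = session.get(TOKEN_KEY)
    accepted = (
        isinstance(expected, str)
        and isinstance(posted, str)
        and hmac.compare_digest(expected.encode(), posted.encode())
    )
    return accepted, rotate_token(session)


def run_scenarios() -> dict:
    """Constructed traffic patterns exercising the check."""
    results = {}
    results["blind_post_no_session"] = handle_post({}, "guess")[0]  # bot without cookies
    s = {}
    t = handle_get(s)
    results["get_then_post"] = handle_post(s, t)[0]
    results["replay_same_string"] = handle_post(s, t)[0]
    s = {}
    first_tab = handle_get(s)
    handle_get(s)  # second tab (or any other hit) re-chooses the string
    results["stale_first_tab"] = handle_post(s, first_tab)[0]
    results["missing_field"] = handle_post(s, None)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `stale_first_tab` case is the cost of re-choosing the string on every hit: a real visitor who loads another page in the same session before submitting is rejected and has to resubmit from a fresh copy of the form.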

Trackbacks

How to protect a Contact-Form from Form-Spam bots

When you have a Contact-Form on your site, you are having problems with spam submissions to the form. Unfortunately, spammers have programs that find forms on the web, and automatically fill them out with spam messages.
The standard way out is the use read more...

Comments (3)

Anders from RTP

As you have probably seen, I have adopted the "click the duck" method pointed out above. The images are served from a program which I will eventually randomize. I'll get to that when I start seeing spam again.

Dekken from israel

Hello

Anders from RTP

Check out JustHumans.com to get "click the duck" type form spam suppression on your website.


About Me:


Name: Anders Brownworth
Location: Boston, USA
Work: Writing iPhone and Android applications.
Play: Technology, World Traveler and Licensed Helicopter Pilot