
CAPTCHA Alternatives

  • 11-03-2009 2:18pm
    #1
    Registered Users Posts: 9,383 ✭✭✭


    I'm just about to develop a basic php/mysql site which will involve users adding a small amount of information to a database.

    What are the best options for avoiding spam?

    Having a members area seems like it would have a major negative effect on those willing to contribute.

    Even a CAPTCHA seems a little user-unfriendly.

    Are there any other options out there?


Comments

  • Registered Users Posts: 8,488 ✭✭✭Goodshape


    Not entirely fool-proof but using 'dummy' fields, hidden from view with css, seems to stop a lot of spam for me, while the user gets a clean and simple form-filling-out experience.

    Essentially, you've got your basic fields -- name, email, subject, enquiry -- and then add another one, call it something like "full_name", wrap it in a span or div and hide that span or div using css ("display : none; visibility : hidden;").

    A user won't see that field at all so it'll be submitted blank. Most spam bots will scan the html and will fill it up with junk same as the other fields.

    In the backend simply say "if full_name is not empty, we've got a spambot".

    I'm not sure of the longevity of this sort of fix (if I was writing a spambot today I'd probably instruct it to scan the css files for any hidden element shenanigans) but this is working for me at the moment on a number of sites.


  • Registered Users Posts: 9,225 ✭✭✭Chardee MacDennis


    Goodshape wrote: »
    Not entirely fool-proof but using 'dummy' fields, hidden from view with css, seems to stop a lot of spam for me, while the user gets a clean and simple form-filling-out experience.

    Essentially, you've got your basic fields -- name, email, subject, enquiry -- and then add another one, call it something like "full_name", wrap it in a span or div and hide that span or div using css ("display : none; visibility : hidden;").

    A user won't see that field at all so it'll be submitted blank. Most spam bots will scan the html and will fill it up with junk same as the other fields.

    In the backend simply say "if full_name is not empty, we've got a spambot".

    I'm not sure of the longevity of this sort of fix (if I was writing a spambot today I'd probably instruct it to scan the css files for any hidden element shenanigans) but this is working for me at the moment on a number of sites.

    I like that idea, but instead of using visibility could you position it off the page or even behind an element, so the spambot wouldn't know you had hidden it?


  • Registered Users Posts: 8,488 ✭✭✭Goodshape


    I like that idea, but instead of using visibility could you position it off the page or even behind an element, so the spambot wouldn't know you had hidden it?
    Ah! Hadn't thought of that!

    CSS hidden fields seem to be working for now but might try alternating the method if (or when?) they start copping on. Good idea.


  • Registered Users Posts: 9,383 ✭✭✭S.M.B.


    Cheers lads,

    I'll probably go with positioning the hidden field off the page. Sounds like it should do the job.


  • Registered Users Posts: 21,257 ✭✭✭✭Eoin


    S.M.B. wrote: »
    Cheers lads,

    I'll probably go with positioning the hidden field off the page. Sounds like it should do the job.

    Make sure you set your tab index on the field so the user can't tab to it. Could be confusing. You could also use JavaScript to set the style for the textbox, I can't see a spambot being able to figure that out.


  • Registered Users Posts: 9,383 ✭✭✭S.M.B.


    tabindex = 0 would solve that problem wouldn't it?

    Maybe the css hidden field is a better option.

    I think I'll be avoiding any sort of captcha anyway.


  • Registered Users Posts: 21,257 ✭✭✭✭Eoin


    I think tabindex='' will mean it can't get focus (other than through scripting), but not too sure.


  • Registered Users Posts: 706 ✭✭✭DJB


    Recently been implementing that hidden dummy field solution on a number of sites that have been getting hit with "generic spam" as opposed to "specific spam". Until any of these sites get really big... this solution seems to be doing the trick.

    I should really track how many spam attacks are actually being stopped by this method.

    What I like about this method is that it's seamless to the user. Fingers crossed it serves us well for the foreseeable future.

    Dave


  • Registered Users Posts: 21,257 ✭✭✭✭Eoin


    I reckon it would have to be a very intelligent spambot to figure it out given that you could use JavaScript to write out more JavaScript to hide the field.

    Another thing occurred to me though - in general, would it be an idea to use a form field name that would never be populated by the auto-complete feature of some browsers / toolbars?
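
The dummy-field approach discussed in this thread, pulled together as an added example (not code posted by anyone in the thread). It renders the decoy off-screen and out of the tab order, rejects a submission where the decoy is filled in or missing, and logs each rejection so the hit rate can be counted. The function names, the log path and the sample submissions are assumptions made for the illustration; treating a missing decoy as a bot goes one step beyond what the thread describes.

```php
<?php
// Added example; helper names and the log file are hypothetical.
const HONEYPOT_FIELD = 'full_name';   // decoy field name suggested in the thread

// Decoy input: positioned off the page, skipped by Tab, autofill discouraged.
function honeypot_html(): string
{
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<input type="text" name="' . HONEYPOT_FIELD . '" value=""'
         . ' tabindex="-1" autocomplete="off"></div>';
}

// True when the submission looks automated.
function is_probable_bot(array $post): bool
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return true;            // a browser submits the empty text input too
    }
    $value = $post[HONEYPOT_FIELD];
    return !is_string($value) || trim($value) !== '';
}

// Returns the real fields with the decoy removed, or null when rejected.
function filter_submission(array $post, string $logFile): ?array
{
    if (is_probable_bot($post)) {
        // Type 3 appends to a file; counting these lines measures the filter.
        error_log(date('c') . " honeypot rejection\n", 3, $logFile);
        return null;            // respond to the client as if it succeeded
    }
    unset($post[HONEYPOT_FIELD]);
    return $post;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'                => ['name' => 'Ann', 'message' => 'Hi', 'full_name' => ''],
    'bot fills everything' => ['name' => 'x', 'message' => 'buy', 'full_name' => 'x'],
    'bot drops the field'  => ['name' => 'x', 'message' => 'buy'],
];
$log = sys_get_temp_dir() . '/honeypot.log';
foreach ($samples as $label => $post) {
    $result = filter_submission($post, $log) === null ? 'rejected' : 'accepted';
    echo $label, ': ', $result, "\n";
}
```

A decoy named full_name can be populated by browser autofill, which would reject a real visitor; the autocomplete attribute reduces that risk, and a name autofill does not recognise reduces it further.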

