TECH Form Spam

[schmack]

I've successfully stopped form spam for years on one of my sites using a hidden honeypot field. In about the last 2 months, form spam has started trickling in again. I guess the bots are getting smarter.

Any thoughts on new techniques? I'd prefer not to use a captcha. I put Recaptcha on one of our forms and got nothing but complaints about it.

 

[Swerve]

Could you just use a simple question, like "What is 2 plus 2?"

 

[retorq]

Form spam or forum spam??

 

[schmack]

Form spam or forum spam??

Form spam.

I thought about a basic question. I would prefer a technique that is invisible to the user though like the honeypot.

 

[Slid.]

You could try hiding a field through javascript onLoad.

My guess is that the 'smart' bots just ignore type="hidden" fields but I doubt they'd catch a javascript hide.

 

[ge0]

Why not make a java script where it detects the mouse cursor on the screen then sets the variable as true.

 

[schmack]

You could try hiding a field through javascript onLoad.

My guess is that the 'smart' bots just ignore type="hidden" fields but I doubt they'd catch a javascript hide.

I'm not using type="hidden". It's a text field that I'm hiding using CSS. You may be onto something though. If I hide it using jQuery instead of CSS, it could be enough to confuse the bots.

 

[schmack]

Why not make a java script where it detects the mouse cursor on the screen then sets the variable as true.

I imagine that would break the form on tablets. Our entire executive staff have iPads

 

[retorq]

Maybe a drop down box that has an invalid default setting ... or scan all input for a web address when you know there shouldn't be any??

 

[OT Addict]

If you use JS like that, people with JS disabled or in browsers that don't support it won't be able to use your form.

What kind of spam are you getting? If it all comes from one place, or has something in common that they submit you could block that out with php.

 

[schmack]

What kind of spam are you getting? If it all comes from one place, or has something in common that they submit you could block that out with php.

It's about three different types. One is just random characters, which I'm assuming is just searching for vulnerabilities. The second seems like it was written by a human. It's more conversational with a link to whatever it is they are trying to sell. Last is just a metric shit ton of links.

In the past, I have denied all form posts with URLs in them, but I've run into issues with valid submissions which included URLs.

 

[schmack]

If you use JS like that, people with JS disabled or in browsers that don't support it won't be able to use your form.

Actually, if I hid the field with JS, I could just label it "Don't put anything here" for people with JS disabled. Come to think of it, I wonder if most bots run in a JS disabled mode?