On the internet, I guess everyone is no stranger to spam and I believe neither is any of us is a fan of one. Spam always plague webmasters and our websites, finding difficult to balance the exposure of our emails so that we can still reach out to our intended audiences, but not extent of spam bots reaching us even beforehand.
I’ve been creating websites for more than 10 years, favoring bit of live with spam day in and out in comments and emails sent from form contact. The thing is no matter what you do, spam in inevitable. The bright side is that there is an array of methods which can employ to reduce spam you receive, let be on comments or form submissions through email. Here are few of my favorite useful techniques I’ve developed and picked from others as a webmaster, compiled in quick pointers: (The pointers here assumes that you have a a certain degree of knowledge of HTML form elements).
- Using Catch pa Images
A Captcha is a type of challenge-response test to determine whether the user is human, the server will ask a user to complete a simple test (e.g type the letters of a distorted image, the addition of an obscured sequence of letters or digits) which the computer is able to generate and grade. Any user entering a correct solution is presumed to be human given other computers are unable to solve the it.
However, though widely used and largely effective method against spam, this method is the most shunned by users as it hinders the user processes by adding an additional step before form submission. User entered form field values may be lost if the page refreshes after the user accidentally keys in the wrong value. Whats more, Catch pa is server side intensive on your site (even if you pull the service from an external catch pa provider), having the need to run image manipulation programs each time a form is loaded, not to mention massive memory usage for portals and is not as clean and code efficient as other options listed below.
- Akisnet Verification
Released on October 25, 2005, Akismet, or Automattic Kismet, is a spam filtering service created by Automattic. Akismet attempts to filter link spam from blog comments and spam TrackBack pings and learns from experience from past spam messages to dynamically create future spam rules to block future spam. There are localised versions which stores it’s own “blacklist” in databases when it always refers to as part of the auto moderation process.
The main challenge in Akisnet is the possible blacklisting of rightful comments due to possible strict filtering rules (e.g IP address, signature or domain). Commenters can be wrongfully flagged and it is usually difficult to participate or even get legitimate emails through because all input are sent to moderation before approval or deletion, unless “unbanned” by a human moderator.
- Having hidden input fields
A rather simple but rather effective method is to include hidden < input > fields carrying a fixed particular value which the form processor will run only when that particular value is received, either through $_GET or $_POST events. This works to a large extent (even reducing up to 80% active spam) as most spam bots will only submit form fields and ignore hidden fields which are often assumed to pass redundant server variables.
This method will fail however as the hidden form value is always fixed, so spam bots can always attack your form unless you change your input value time to time as spam bots are able to harvest all hidden field values and submit them wholesale without any changes. A way to counter this is to add some dynamism into your secret hidden value- an example is to send an md5 hash of the month and year string so it auto updates every month, just make sure your form processor you call to runs on the same server/clock so that it can verify it from there without any timelag between months
- Create bait/fake fields and hide with CSS
This idea is based on the fact that spam bots do not see webpages just what how humans do- They skim through webpages by the source code, looking for tell tales code signs are as < form >, < input > or < div > elements with a telltale name such as “name”, “email”, “message” etc. The trick is to name your elements otherwise- e.g. give your true field elements completely unrelated and misleading names to fool the spam bots, like “hedge” for your actual email name field or “dog” as the name of your message textarea (you can always simply just get your form processor to take those values as true name, message, etc). Thereafter create few bait fields with tempting names such as “email”, “name” or “message” and hide them in CSS using the visibility: hidden element tag. The trick is now to get your form processor to ignore any submissions with your bait fields filled as real humans will only submit the fields visible and rendered on the browser.
Using CSS to hide elements however, will not be cross-browser capable, not to mention some CSS tags being incompatible with older browsers, handheld mobile browsers or those users with images and external reference files linking turned off in their browsers, so it’s generally good to have a redirect or a special non-css versions for them upon detecting their browser type. Not doing so will expose all elements such as your intended hidden fields. Unless a human dissects and implements the spam attack, you can always put messages beside those bait fields telling users to leave them blank.
- Get users to do simple math
This method involves the system random generating 2 integers for the user to perform some simple math on it (usually addition) with the answer keyed into an “answer field”, these 2 integers are then also passed onto the form process script where it will be executed only if both submitted values are equal with the sent value in the “answer” field. This method provides for variation and ambiguity to spam bots, lowering their chances of a successful form submission compared to a fixed input field.
However, just like Captcha images, this involves a form of challenge to users which will be big thumbs down to people who may have mental or physical problem working our your challenges, let be even simple math additions. Being an additional step, this also adds to the hassles for submission which is irritating to users who may want to contribute out of courtesy,let be potential clients for business contacts, we definitely do not want to burden them too much with such challenges or frustrate them when they accidentally enter values wrongly or unintentionally.
- Use flash movie elements to submit form
Flash have a nature of containing all it’s form elements in a flash movie itself, being an independent embedded activeX element, it completely shields all your form input values such as your fields and even the path to your form processor. Therefore if your choose an external form processor option, you can name it non-intrusively (like not form_processor.php/cgi, etc…) and place it anywhere on your server to be executed, spam bots are non the wiser and will not be able to find it. It is almost the perfect solution to mask all your values, whats more dynamism with ajax and form validation also can be added in flash without reloading the page at all.
On the contrary, Flash elements (depending on your version of flash) is a nightmare for older browsers and computers, not to mention not fully compatible with mobile devices/handhelds, slower in loading and usually not recommended and uneconomical (overkill) to include in simple websites unless as part of a whole flash enabled website, where it’s intended application are usually more desirable and recommended. The frequent need of updating player versions is also quite a hassle for users and generally, most flash websites do not utilise the power of form handling unless it is a completely thought out one allowing you to “tab” jump fields or Ajax driven, usually flash form sacrifices speed and feedback flexibility with eye candies and looks to boot.
- Cookies to benefit users
Only new users, or say visitors after 2-3 unsuccessful logins to your site will have their cookies reset and be faced with Catch pa or math challenges for all your comments and form. This adds greatly to contribution and rewards feedback and regular participants, especially those who contribute out of goodwill
Ok that is all I have on anti-spam for forms, do note that this is list is completely non-exhaustive, do feel free to add on or critique any points if so. Cheers and take care!