CodeCharge Studio
search Register Login  

Web Reports

Visually create Web Reports in PHP, ASP, .NET, Java, Perl and ColdFusion.
CodeCharge.com

YesSoftware Forums -> CodeCharge Studio -> Tips & Solutions

 Simple Alternative to CAPTCHA

Print topic Send  topic

Author Message
JimmyCrackedCorn

Posts: 583
Posted: 02/18/2009, 11:05 AM

I found this idea online several years ago but cannot remember where I saw it. Anyway, it goes like this...


add this line inside your form to create a SPAM-trap field,

<textarea id="txtOtherInfo" name="txtOtherInfo" rows="4" cols="45"></textarea>


add this line inside the HEAD of your page to hide the SPAM-trap field from your normal site visitors,

<style>#txtOtherInfo {display: none;}</style>


now in your form handler simply test to see if there is any content in the SPAM-trap field. If there is then this was sent by a SPAM-bot and you can safely ignore it.

we have used this on lots of forms and it has helped out a lot. it reduces SPAM without the annoyance of CAPTCHA. of course, it won't help for human-submitted SPAM.


=================
UPDATE 03/03/09
=================
We continue to use the technique explained above to reduce or eliminate SPAM on our forms without resorting to CAPTCHA. Since posting this I've read more on this topic and found more insights to share.

CAPTCHA is being widely used to reduce the flood of SPAM posting to forms and it can be very effective at doing that. However, if you have ever used it you know it can be very annoying. And why in the world would we choose to annoy our prospects and customers? Some sites I read about have reported substantial drops in legitimate form submissions after adding CAPTCHA!

Furthermore CAPTCHA is not just an annoyance. According to the WC3 Working Group, CAPTCHA "comes at a huge price to users who are blind, visually impaired or dyslexic" making it "impossible for users with certain disabilities to create accounts, write comments, or make purchases". (http://www.w3.org/TR/turingtest/)

As with all technologies CAPTCHA is neither good nor bad. But it can be used well or poorly. Recognize that CAPTCHA represents a compromise to user-friendliness and accessibility and avoid it if possible. Try a more user-friendly alternative before resorting to CAPTCHA. If your site is not getting millions of hits a day (and be honest here...most are not!) then a non-CAPTCHA approach may be the best way to go at least until you get that huge traffic bump we are all seeking!

Below are some interesting thoughts...

http://www.arraystudio.com/as-workshop/the-captcha-alternatives.html

http://dmytry.pandromeda.com/texts/captcha_and_saptcha.html

http://www.thepcspy.com/kittenauth

http://www.adesblog.com/2008/03/01/wp-plugin-captcha-alternative-quesion/

http://labs.mininova.org/passclicks/

=================

_________________
Walter Kempees...you are dearly missed.
View profile  Send private message
mentecky

Posts: 321
Posted: 02/18/2009, 4:13 PM

JCC,

Since most automated programs don't actually use the form retrieved, or even a browser for that matter. That won't work in most situations. SubmitWolf for example uses templates and submits the GET or POST. Captcha, which can be annoying is still the best answer because it involves a server side session var and a client response.

Captcha is without a doubt the best defense because none of us is running Google or MSN. So no one is going to spend time breaking it on our sites. Using code similar to:
http://forums.yessoftware.com/posts.php?post_id=96638
I have reduced Guestbook abuse from 30-100 a day to maybe 3-4 a month.

Rick
_________________
http://www.ccselite.com
View profile  Send private message
JimmyCrackedCorn

Posts: 583
Posted: 02/18/2009, 5:44 PM

Quote mentecky:
Since most automated programs don't actually use the form retrieved, or even a browser for that matter. That won't work in most situations.

regardless of how the automated program gets my form, when they submit to my form handler they are using my form variables stuffed with their crap. so if they submit all the form variables I know they are not legit since actual users would have never seen the SPAM-trap field and could not have inserted any value in that field.

or, are you saying that their software will not submit a value for the SPAM-trap field? if so, please explain further!

we have used this technique on many forms and seen SPAM drop almost to zero overnight.
_________________
Walter Kempees...you are dearly missed.
View profile  Send private message
JimmyCrackedCorn

Posts: 583
Posted: 02/18/2009, 5:51 PM

another technique we have used on other forms is to simply disallow any HTML code at all in any form field. check for "http", "<a href" or other code and then dump the form if they are present. that too works very well for preventing SPAM on our forms.

for us, the bottom line is CAPTCHA is a big pain in the ass and if we can eliminate most of the SPAM without using it we are happy! since we are not doing any public postings (blog, forum, etc.) when some SPAM sneaks in it is just an annoyance of having extra email to delete.
_________________
Walter Kempees...you are dearly missed.
View profile  Send private message
mentecky

Posts: 321
Posted: 02/18/2009, 6:09 PM

JCC,

Yes. The real problem with these SPAM softwares like SubmitWolf is they analyze your page once then sell it to 1000's of customers. It will submit the form without your field. I tried a similar method once with some success. It was to set the value of your hidden field to a random value and set a session var to the same value. Then compare those before the insert.

The main problem with IP blocking is once these tools get your page template, you're fighting 1000's of IP's not just one spammer. IP is a good tool for problem users, but is not effective as an anti-spam tool.

I tried many methods and I finally came to the conclusion that a 3-5 character captcha was significant enough to stop, or incredibly slow, SPAM without deterring legit users from posting. More than 5 characters and yes, users were annoyed.

Rick
_________________
http://www.ccselite.com
View profile  Send private message
JimmyCrackedCorn

Posts: 583
Posted: 02/18/2009, 7:10 PM

Rick, I appreciate the discussion. As I mentioned before, this technique has worked for us many times so I know it works! But it may not always work or in all situations so I'm still picking your brain! :)

are you saying my forms are analyzed by a real person and then sold with software as a template to 1000's? if so, then simply changing the field names on a semi-regular basis would resolve this since those 1000's would always have the wrong field names. in fact, it would be fairly trivial to write a script to rename the form fields in all my pages along with their form handlers on a daily basis.

or, are you saying the software they use is smart enough to read my page, detect that a field is hidden with CSS and then reject that field as one of those to submit? if so, then it seems there would be additional ways to "fool" their software into submitting the SPAM-trap field along with the valid ones.
_________________
Walter Kempees...you are dearly missed.
View profile  Send private message
JimmyCrackedCorn

Posts: 583
Posted: 02/18/2009, 7:12 PM

Quote mentecky:
The main problem with IP blocking is once these tools get your page template, you're fighting 1000's of IP's not just one spammer. IP is a good tool for problem users, but is not effective as an anti-spam tool.

hmmm. I agree with IP blocking being ineffective but I never suggested that! What I suggested is simply don't accept any field containing any HTML.

_________________
Walter Kempees...you are dearly missed.
View profile  Send private message
mentecky

Posts: 321
Posted: 02/18/2009, 7:36 PM

JCC,

I did not mean to imply your method won't or doesn't work. I was simply pointing out there are times it may not for specific uses. For example a guestbook which are heavy targets for all the SpamWare out there. In those cases if they want to add your page to their confirmed HIT LIST... they'll work around it.

Quote JimmyCrackedCorn:
Quote mentecky:
The main problem with IP blocking is once these tools get your page template, you're fighting 1000's of IP's not just one spammer. IP is a good tool for problem users, but is not effective as an anti-spam tool.

hmmm. I agree with IP blocking being ineffective but I never suggested that! What I suggested is simply don't accept any field containing any HTML.


Too be honest that's my bad. I thought this was a continuation of a post you had sent previously in the thread:
http://forums.yessoftware.com/posts.php?post_id=104264

It had a similar topic and I just followed the email link here. Eventhough it is technically in the wrong topic, mentioning IP blocking fails for the solution you are trying to provide is still valid. In fact it makes your solution more valid.

Take care. Enjoy swapping ideas with you!

Rick
_________________
http://www.ccselite.com
View profile  Send private message
JimmyCrackedCorn

Posts: 583
Posted: 02/18/2009, 8:16 PM

in your first response to my tip you said "That won't work in most situations." and in your last post you said "I did not mean to imply your method won't or doesn't work." do you still feel this will not work?

I value your opinion but I'm heavily influenced by the fact that this approach has worked for us and the impact on our users is far less than making them use CAPTCHA.
_________________
Walter Kempees...you are dearly missed.
View profile  Send private message
mentecky

Posts: 321
Posted: 02/18/2009, 8:58 PM

JCC,

We may be in fact discussing different attacks by bots, SpamWare or whatever. Perhaps in the instances you've encountered the hidden field works for you and is enough, and perhaps to many here.

I have run many sites that had "open to post" forms that have been attacked and there are always different considerations when countering them. I once inherited a site that had a "Contact Us" form that sent out thousands of emails before I found it and killed it. The source of the email was a SPAM software using hundreds of IP addresses. To me, the best fix was CAPTCHA and a few other security changes, but I have never seen a SPAM email from that page again.

Again, I only use CAPTCHA for pages that do not require a user account. I use IP blocking and account cancellation for any sites I run where a user name and password are needed.

My concern with your method is that it assumes a Bot will fill in all fields it sees and I know that not to be the case with software like SubmitWolf and others. They use scripts and templates to circumvent any protection like that. Where, a simple 3 character Captcha will thwart 90%+ of SPAM attempts and not upset users too much, if at all. Raising that level to 5 characters and I almost never see spam and rarely ever get a complaint that a user couldn't get a post to work.

If your pages get any decent view on Google or any other search engine, this does become a problem. SubmitWolf claims to update their scripts and templates daily. If your site isn't highly rated then you probably can make things easier for your users.

I just put the protections in place now by instinct because my sites get pretty descent search hits by design. That in itself makes me a target if I leave a hole open.

I hope that explains my thinking on Captcha,

Rick

_________________
http://www.ccselite.com
View profile  Send private message
JimmyCrackedCorn

Posts: 583
Posted: 02/18/2009, 9:43 PM

well, most of our work is for community sites that have a local audience only so maybe that is why we have not been bothered. and, we never have any pages where posts are allowed. our forms all result in an email sent to an admin only. that too could be a reason we are not targetted much since there is not much point in submitting your SPAM somewhere that it can never be posted online!

For anyone following along at home I guess my final thoughts on this would be as follows,

1) try the technique I explained in the first post in this thread and add checks in your form handler code to reject anything that looks like HTML in the fields (or try chriscripps suggestion here if you understand it http://forums.yessoftware.com/posts.php?post_id=104264)

2) if you are still getting SPAM add CAPTCHA

I have no doubt that CAPTCHA works but I personally do not like to have such obstacles placed in front of me and if I am only casually interested I'll bail on a form rather than fool with it! And I always worry that just because no one complains does not mean they are happy. So my preference is to use CAPTCHA as a last resort.
_________________
Walter Kempees...you are dearly missed.
View profile  Send private message
feha


Posts: 712
Posted: 03/08/2009, 6:15 PM

Here some tips:
http://www.vision.to/antispam-techniques.php
_________________
Regards
feha

www.vision.to
feedpixel.com
View profile  Send private message
JimmyCrackedCorn

Posts: 583
Posted: 03/09/2009, 12:04 AM

that''s a nice technique but I still don't like asking my users to participate in the SPAM trapping unless I absolutely have to. maybe I have inexperienced end-users but I can just imagine a bunch of emails asking "what is that robot field there and why do I have to click it?" :)

we have seen complete elimination of SPAM on most of our sites using the hidden field trick.
_________________
Walter Kempees...you are dearly missed.
View profile  Send private message

Add new topic Subscribe to topic   


These are Community Forums for users to exchange information.
If you would like to obtain technical product help please visit http://support.yessoftware.com.

MS Access to Web

Convert MS Access to Web.
Join thousands of Web developers who build Web applications with minimal coding.

CodeCharge.com

Home   |    Search   |    Members   |    Register   |    Login


Powered by UltraApps Forum created with CodeCharge Studio
Copyright © 2003-2004 by UltraApps.com  and YesSoftware, Inc.