So that leaves us with the question:
"What can we do to make it easier/less annoying for the visitor to fill in our forms and at the same time prevent our inbox (or comments box) from being filled with those nasty spam messages."
After reading Darren's post on CAPTCHAs, I decided to write about a method that we here at Quirk have been evaluating and will now, with the publishing of this post, be implementing on GottaQuirk, to determine if we can do away with the need for a CAPTCHA.
First, I have to give credit to an article that appeared at Internet Storm Center, from where this solution was born. Our solution is based on checking two things that do not require any human input:
- Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in
- Work out the time that it took for the form to be submitted
Here is how you can implement the two checks:
1. Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in
- Add a text input field to your form and give it a name that makes sense, like "subject" or "telephone", or any other name, as long as it does not already occur in the form.
- Then with some CSS hide the table row or div that the input field is in by using the "display:none;" style.
- Lastly add some code that checks that the hidden field was not filled in.
- If this is an existing form that has already been spammed then you will want to change the form's action to something new. The reason for this being that spambots tend to cache your form and by changing the action name you force them to at least re-cache the modified form with the hidden field.
- Also, if for some reason the visitor's browser ignores the CSS that hides the field, add a message in the form that explains that the field should not be filled in and that it is used for spambot detection. Of course make sure that this message is in the table row or div that you hide.
- Don't just ignore the form submission if it is submitted with the hidden field filled in. Rather return to the form with an error message that explains that the form field should not be filled in.
- In your form, add a hidden variable and set its value to the time stamp of when the form was loaded. This is easy to achieve with PHP or Java.
- Then, once the form has been submitted, get a new time stamp value and compare the two values.
- If the new value is less than say about 5 seconds (or how ever long you estimate it will take a human to fill in your form, remembering that spambots will do it almost instantaneously) then you can return to the form with a error message stating that the form was submitted in too short a time period.
There probably are some shortcomings with these methods, and I don't for one moment try to say that they are 100% spam proof - especially if the spammer is not a bot but a human that actually goes to your page and submits the form, but this should keep you ahead of those spammers for a while and keep your inbox or your blog clean of "Cheap Viagra" specials.
If anyone has any suggestions that might improve these methods, please feel free to share them. Who knows, maybe we can someday come up with a complete solution that will rid us of these spam messages for good.