Quirk is a marketing agency. Born digital. Driven by creativity. Disciplined by results.

  • Home
  • Authors
  • Blog roll
  • Contact us

A blog on the convergence of marketing and technology from the minds of Quirk

Pencil
9 comments
Jean du Plessis

An alternative to irritating CAPTCHAs

by Jean du Plessis

2006/12/07

We have all been faced with the sometimes daunting task of having to guess what those little numbers/letters are at the bottom of the form, that will classify you as a human being. Some people seem to be less human than others, since they either have trouble understanding the concept of what to do, or have trouble reading it.

So that leaves us with the question:

"What can we do to make it easier/less annoying for the visitor to fill in our forms and at the same time prevent our inbox (or comments box) from being filled with those nasty spam messages."

After reading Darren's post on CAPTCHAs, I decided to write about a method that we here at Quirk have been evaluating and will now, with the publishing of this post, be implementing on GottaQuirk, to determine if we can do away with the need for a CAPTCHA.

First, I have to give credit to an article that appeared at Internet Storm Center, from where this solution was born. Our solution is based on checking two things that do not require any human input:
  1. Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in
  2. Work out the time that it took for the form to be submitted

Here is how you can implement the two checks:

1. Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in
  • Add a text input field to your form and give it a name that makes sense, like "subject" or "telephone", or any other name, as long as it does not already occur in the form.
  • Then with some CSS hide the table row or div that the input field is in by using the "display:none;" style.
  • Lastly add some code that checks that the hidden field was not filled in.
Some things to keep in mind:
  • If this is an existing form that has already been spammed then you will want to change the form's action to something new. The reason for this being that spambots tend to cache your form and by changing the action name you force them to at least re-cache the modified form with the hidden field.
  • The code that checks whether the hidden field has been filled in cannot be a client side script like some javascript function as spambots will hit the form's action url with the parameters directly.
  • Also, if for some reason the visitor's browser ignores the CSS that hides the field, add a message in the form that explains that the field should not be filled in and that it is used for spambot detection. Of course make sure that this message is in the table row or div that you hide.
  • Don't just ignore the form submission if it is submitted with the hidden field filled in. Rather return to the form with an error message that explains that the form field should not be filled in.
2. Work out the time that it took for the form to be submitted
  • In your form, add a hidden variable and set its value to the time stamp of when the form was loaded. This is easy to achieve with PHP or Java.
  • Then, once the form has been submitted, get a new time stamp value and compare the two values.
  • If the new value is less than say about 5 seconds (or how ever long you estimate it will take a human to fill in your form, remembering that spambots will do it almost instantaneously) then you can return to the form with a error message stating that the form was submitted in too short a time period.
We have used these two methods separately with great success in each case. Together, they should keep you ahead of those spambots for just a while longer...till they get more advanced.

There probably are some shortcomings with these methods, and I don't for one moment try to say that they are 100% spam proof - especially if the spammer is not a bot but a human that actually goes to your page and submits the form, but this should keep you ahead of those spammers for a while and keep your inbox or your blog clean of "Cheap Viagra" specials.

If anyone has any suggestions that might improve these methods, please feel free to share them. Who knows, maybe we can someday come up with a complete solution that will rid us of these spam messages for good.
Back to toptop Make a comment 9 comments
Make a comment Make a comment

Comments

It seems like a great idea. My only concern is that if the stylesheet doesn't load properly, or has been disabled, then a user would fill in the first, hidden field. The plus side is that this method seems a lot more accessable than normal captchas, as they no longer rely on vision for the visitor to prove their 'human-ness'

Posted by andrew on 2006/12/07

Great post Jean! I have to agree with Andrew though, false positives worry me too. Perhaps we could send suspected bots to a captcha? That way if they really are just an incredibly fast human with disabled stylesheets then they can still get through.

Posted by Rob on 2006/12/07

@andrew - They would still have to fill in field clearly marked "Do not fill in".

Posted by Craig on 2006/12/07

@andrew, @rob - regarding the style sheet question - I didn't put the rule in a style sheet but actually used an inline-style so the problem of a style sheet not loading is eliminated. And if a visitor somehow submits the form in less than 5 seconds it does give him a warning and asks him to slow down a bit

Posted by Jean on 2006/12/07

It's easy enough to create a bot that reads inline styles and ignores hidden fields. Once that happened you'd be writing obfuscated css to hide the field trying to confuse the bot. Also, putting the form creation time in another hidden field just invites posting the form with that time changed! If you want to store the form creation time you are going to need to store it in the server-side session. If you are going to have a minimum time before the form can be entered, why not show a little JS countdown? I will admit if I saw that on a form I would find it a bit odd. I second the idea of sending suspected bots to a captcha. Users are already used to captcha's, so only being required to use one in special circumstances is not too burdensome. In the end, there's not going to be any future-proof way of preventing bots. This battle against spam bots is the ultimate Turing test.

Posted by Gavin on 2006/12/07

The only problem with the comment above is that it uses non-broken English with punctuation marks. Haven't seen a spambot do that before ;-)

Posted by Jean on 2006/12/08

Sheesh, you had me at hello. Not being a script kiddi, could you do this rather... http://sethgodin.typepad.com/seths_blog/2006/12/commercializing.html then use the data recieved to sell to companys as a measure of their brand awareness on the net. You will have the demographic etc huh? hows dem apples!

Posted by Smith on 2006/12/08

Give please. A wise man can see more from the bottom of a well than a fool can from a mountain top . Help me! It has to find sites on the: Credit score ratings. I found only this - bankruptcy credit score. When it's time to look at your finances, most people are concerned about their savings, retirement, and their credit score. Powerful tips for legally improving your credit score. Best regards :-(, Gates from Ethiopia.

Posted by Gates on 2009/07/18

Great idea, one new issue: How can this be adapted to deal with Google Chrome's auto-fill in (and equivalent plug-ins for Firefox, etc?). If a Chrome auto-fill has a 'telephone' field, will it not fill that in, display: none; or not?

Posted by Alan S on 2010/10/18

Back to toptop

Make a comment

To prevent GottaQuirk from becoming spam central, we block the use of certain words like porn, sex etc. We apologise for any inconvenience, but can't spend our lives deleting messages left by spammy friends.
Captcha
 
Back to toptop

The Latest News

Subscribe to our fortnightly newsletter which is packed with interesting news, views and other quirky titbits.

Subscribe

RSS

RSS to Email

Get our latest blog posts delivered straight to your inbox.

Follow us on Twitter

Follow us on Twitter

Quirk

What's on offer?

Latest Posts

Recent Comments

Categories

Quirk E-Marketing Website

A Little About Us

The writers of this delicious content all work at Quirk, Africa's largest full service digital agency. The QuirkStars are obsessed with digital and discuss everything from ORM and PPC to Design and Development on GottaQuirk.

Get your online presence sorted

You can also find us here

Facebook
Facebook
Flickr
Flickr
creative commons home | authors | blog roll | contact us | view: full | minified

© 1999 - 2013 Quirk. All Rights Reserved.