An alternative to irritating CAPTCHAs

by Jean du Plessis

We have all been faced with the sometimes daunting task of having to guess what those little numbers/letters are at the bottom of the form, that will classify you as a human being. Some people seem to be less human than others, since they either have trouble understanding the concept of what to do, or have trouble reading it.

So that leaves us with the question:

"What can we do to make it easier/less annoying for the visitor to fill in our forms and at the same time prevent our inbox (or comments box) from being filled with those nasty spam messages?"

After reading Darren's post on CAPTCHAs, I decided to write about a method that we here at Quirk have been evaluating and will now, with the publishing of this post, be implementing on GottaQuirk, to determine if we can do away with the need for a CAPTCHA.

First, I have to give credit to an article that appeared at Internet Storm Center, from where this solution was born. Our solution is based on checking two things that do not require any human input:

  1. Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in
  2. Work out the time that it took for the form to be submitted

Here is how you can implement the two checks:

1. Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in
  • Add a text input field to your form and give it a name that makes sense, like "subject" or "telephone", or any other name, as long as it does not already occur in the form.
  • Then with some CSS hide the table row or div that the input field is in by using the "display:none;" style.
  • Lastly add some code that checks that the hidden field was not filled in.
Some things to keep in mind:
  • If this is an existing form that has already been spammed then you will want to change the form's action to something new. Spambots tend to cache your form, and by changing the action name you force them to at least re-cache the modified form with the hidden field.
  • The code that checks whether the hidden field has been filled in cannot be a client-side script such as a JavaScript function, because spambots will hit the form's action URL with the parameters directly.
  • Also, if for some reason the visitor's browser ignores the CSS that hides the field, add a message in the form that explains that the field should not be filled in and that it is used for spambot detection. Of course make sure that this message is in the table row or div that you hide.
  • Don't just ignore the form submission if it is submitted with the hidden field filled in. Rather return to the form with an error message that explains that the form field should not be filled in.
2. Work out the time that it took for the form to be submitted
  • In your form, add a hidden variable and set its value to the time stamp of when the form was loaded. This is easy to achieve with PHP or Java.
  • Then, once the form has been submitted, get a new time stamp value and compare the two values.
  • If the difference between the two values is less than, say, about 5 seconds (or however long you estimate it will take a human to fill in your form, remembering that spambots will do it almost instantaneously) then you can return to the form with an error message stating that the form was submitted in too short a time period.
We have used these two methods separately with great success in each case. Together, they should keep you ahead of those spambots for just a while longer...till they get more advanced.
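
The two server-side checks described above, as an added Python example (not Quirk's code). It goes one step beyond the text by signing the load timestamp with an HMAC so the client cannot change the hidden value, the concern raised in the comments below; the field names `telephone` and `form_token`, the secret and the one-hour expiry are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"replace-with-a-random-server-side-secret"  # assumption: never sent to the client
HONEYPOT_FIELD = "telephone"   # decoy input hidden with display:none (assumed name)
MIN_FILL_SECONDS = 5           # fastest plausible human submission, as in the text
MAX_FORM_AGE_SECONDS = 3600    # assumed limit so old tokens cannot be reused forever


def issue_form_token(now=None):
    """Value for the hidden timestamp field: '<load time>.<HMAC of load time>'."""
    loaded_at = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET_KEY, loaded_at.encode(), hashlib.sha256).hexdigest()
    return f"{loaded_at}.{mac}"


def check_submission(form, now=None):
    """Return (accepted, message); `form` is the dict of POSTed fields."""
    now = time.time() if now is None else now

    # Check 1: a human never sees the decoy field, so it must arrive empty.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "Please leave the telephone field empty; it is used for spambot detection."

    # Check 2: verify the signature before trusting the timestamp inside the token.
    loaded_at, _, mac = form.get("form_token", "").partition(".")
    expected = hmac.new(SECRET_KEY, loaded_at.encode(), hashlib.sha256).hexdigest()
    if not loaded_at.isdigit() or not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "The form has expired or was altered; please reload and try again."

    elapsed = now - int(loaded_at)
    if elapsed < MIN_FILL_SECONDS:
        return False, "The form was submitted too quickly; please slow down and resubmit."
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "The form has expired; please reload and try again."
    return True, "ok"
```

Every rejection returns a message for the form page rather than silently dropping the submission, so a real visitor caught by either check can correct it and resubmit.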

There probably are some shortcomings with these methods, and I don't for one moment try to say that they are 100% spam proof - especially if the spammer is not a bot but a human that actually goes to your page and submits the form, but this should keep you ahead of those spammers for a while and keep your inbox or your blog clean of "Cheap Viagra" specials.

If anyone has any suggestions that might improve these methods, please feel free to share them. Who knows, maybe we can someday come up with a complete solution that will rid us of these spam messages for good.

2006/12/07

Comments


It seems like a great idea. My only concern is that if the stylesheet doesn't load properly, or has been disabled, then a user would fill in the first, hidden field. The plus side is that this method seems a lot more accessible than normal captchas, as they no longer rely on vision for the visitor to prove their 'human-ness'.

Posted by andrew on 2006/12/07

Great post Jean! I have to agree with Andrew though, false positives worry me too. Perhaps we could send suspected bots to a captcha? That way if they really are just an incredibly fast human with disabled stylesheets then they can still get through.

Posted by Rob on 2006/12/07

@andrew - They would still have to fill in a field clearly marked "Do not fill in".

Posted by Craig on 2006/12/07

@andrew, @rob - regarding the style sheet question - I didn't put the rule in a style sheet but actually used an inline style, so the problem of a style sheet not loading is eliminated. And if a visitor somehow submits the form in less than 5 seconds it does give him a warning and asks him to slow down a bit.

Posted by Jean on 2006/12/07

It's easy enough to create a bot that reads inline styles and ignores hidden fields. Once that happened you'd be writing obfuscated CSS to hide the field trying to confuse the bot. Also, putting the form creation time in another hidden field just invites posting the form with that time changed! If you want to store the form creation time you are going to need to store it in the server-side session. If you are going to have a minimum time before the form can be entered, why not show a little JS countdown? I will admit if I saw that on a form I would find it a bit odd. I second the idea of sending suspected bots to a captcha. Users are already used to captchas, so only being required to use one in special circumstances is not too burdensome. In the end, there's not going to be any future-proof way of preventing bots. This battle against spam bots is the ultimate Turing test.

Posted by Gavin on 2006/12/07

The only problem with the comment above is that it uses non-broken English with punctuation marks. Haven't seen a spambot do that before ;-)

Posted by Jean on 2006/12/08

Sheesh, you had me at hello. Not being a script kiddie, could you do this rather... http://sethgodin.typepad.com/seths_blog/2006/12/commercializing.html then use the data received to sell to companies as a measure of their brand awareness on the net. You will have the demographic etc huh? hows dem apples!

Posted by Smith on 2006/12/08
