Avoid spam messages without additional user input

August 2009

CAPTCHAs are a well known phenomena for any kind of webform. Reactions for blogs, contact forms for companies and registration forms for social websites, they all got it. The problem is the automated injection from bots to enter messages with links to all kind of websites. Using CAPTCHA is likely to force a human for some input which is likely not to happen with bots. Unfortunately bots are getting smarter and even the worst readable CAPTCHA images can be read by bots.

Another invention came: simple questions like “what is two times three”. That would be “six”, isn’t it? The problem is this is working for small websites. If Google uses this question (e.g. automated with different questions), bots will fetch all the options and are still able to continue.

One thing many people missed is the likelihood a bot will try to fill in all the input fields available inside the form, so it can enter the most information. But you can validate all the user input; you can try placing an input field which won’t be filled in by human beings. Bots will fill the field and you know it’s a bot.

The working principle

You’ll probably ask how you get this working. That’s pretty simple, just hide it. Css is the perfect tool to style your websites, and with css you’re able to hide everything you want. When you have a form with two almost alike fields (“name” and “spam”, eg), the former is visible and the latter hidden by a css rule “display: hidden;”. This is the principle my solution is based upon.

Of course it will be simple for a bot once it knows that your “spam” input field should be left blank. Therefore you can use php to get to a more advanced level. The bot is will determine the fields by id or name, so you should obfuscate those. Instead of naming them “name” and “spam”, you can generate two random strings. One for the “name” field and one for the “spam” field. Save them also in a session, so after a form submit you know which one is the good field and which field should have left blank. And of course randomize those two strings each time your form is being displayed.

This is the basic which is working fine for me. I am updating my blog with this principle now (testing the new code is the only thing I have to do now) and I won’t get spam messages anymore. Before I used it with other systems as well and those didn’t get any spam messages at all.

A very big advantage is the user doesn’t have to give more user input that needed. If you need a name and a message, the user can fill those in. No need to investigate a CAPTCHA or something! The argument against it might be it’s not working for textual browsers and perhaps not working properly for disabled persons with a special web browser. But as far as I know, special web browsers are nowadays pretty advanced and they can render websites with css. So their users are still able to send a form for asking a question or something.

Even some more advanced usage

I’m not having a high visited website, but if you have bots might be able to overrule you barricade. I’m hiding my spam form by a simple class “hidden”. I have also always a consistent order of my fields. Bots can count them and leaving the second input blank.

Those two options are possible to obfuscate as well (it’s always obfuscating, there is no other method unfortunately). For the first one, you can randomize the class name. Put some css at the top of your webpage and let php fill in those class names. Create a class with display: inline or display: block and another one with display: hidden. Because of the dynamic class names, it’s for bots much more difficult to determine what to do.

And for the second problem the solution isn’t difficult either. You can dynamically switch the two fields. Pick a random number. If it’s even, your “name” field is on top. Otherwise, the “spam” field is above the “name”. All with randomized names and randomized class names it will become very hard for bots to determine your site, while “normal” users have no problem at all and don’t even know you have a very advanced spam blocking mechanism.