No user interaction SPAM prevention?


nickW+

Aug 18, 2010, 5:05:33 AM
to Professional PHP Developers
Hello All,

So I've spent about 6 hours now searching all over to find an elegant
solution for SPAM prevention on forms.

Asking customers to enter a captcha is 100% out of the question.

So this has led me to the input field solution where the field is
hidden with CSS or Javascript (likely the latter).

Are there other more advanced methods of doing this? I don't want the
user to have to do anything I just want the form to have some level of
spam protection since the form takes email addresses and we want to
avoid a robot coming in and providing us with a ton of spam trap
emails.

Would having a log to record someone when they come then have the log
id submitted with the form and then checked against the DB to see if
it's a valid log entry work? This would require a "hidden" field on
the form. I could even do this with a $_SESSION['sexy']['log_id'] =
'123' instead of a hidden form field. I probably don't understand the
specifics behind bot logic, so if it would load the page before
submitting it then obviously that won't really help much but it will
help with stats.

Thanks in advance for any help!

Nick

Jack Timmons

Aug 18, 2010, 6:50:00 AM
to professi...@googlegroups.com
On Wed, Aug 18, 2010 at 4:05 AM, nickW+ <ni...@weeklyplus.com> wrote:
> So I've spent about 6 hours now searching all over to find an elegant
> solution for SPAM prevention on forms.

This has been discussed here a couple of times.

There's placing a hidden input that should be left blank with a name
like "Email_Address".

The issues with these are if automatic password fields fill these
hidden fields out. I think the best method is to put in something a
human can recognize in a moment but a computer can't:

What's next in the pattern? 1, 2, 3, 2, 1, 2, 3, _
Easier: What's 2 + 3? _

--
Jack Timmons
@_Codeacula
Feel free to contact me on GTalk.

Joe Williams

Aug 18, 2010, 8:11:36 AM
to professi...@googlegroups.com
I always just do the basic math one myself. Just have it dynamic.


-------
Twitter: @mrstatic
Website: https://www.speakservers.com

Sent on the Sprint® Now Network from my BlackBerry®

nickW+

Aug 18, 2010, 3:04:33 PM
to Professional PHP Developers
Unfortunately the requirement is spam protection with NO user
interaction.

Right now there is no protection at all so I'm sure anything will be
an improvement.

The form when submitted does check the email address to make sure it's
valid and checks if the MX record is valid.

Would the hidden field be realistically the only solution in this
case?

On Aug 18, 6:11 am, "Joe Williams" <joseph.s.willi...@gmail.com>
wrote:
> I always just do the basic math one myself. Just have it dynamic.

Joe Williams

Aug 18, 2010, 3:06:43 PM
to professi...@googlegroups.com
Realistically no form with email capabilities or db placing should be used without some form of captcha. But yes in your case this seems to be the only option.

nickW+

Aug 18, 2010, 3:08:16 PM
to Professional PHP Developers
In doing some more research today I came across this link:

http://webaim.org/blog/spam_free_accessible_forms/

It mentions other options like the timer and referrer which would be a
nice addition to the hidden field.

And I think it will make Jack happy because it covers accessibility.

nickW+

Aug 18, 2010, 3:43:44 PM
to Professional PHP Developers
I mentioned this before but I'm curious if it would be of any use
aside from logging.

When someone loads the form insert a new log record and include the
log id in a hidden field. When the form is submitted check if the log
id is valid. This also helps with double submissions since it will
discard the second if the log entry is already marked as "complete".

I could also implement the other 3 options... timer, field (hidden
with Javascript), validate the submission is coming from my server.

Thoughts?

nickW+

Aug 19, 2010, 2:42:34 AM
to Professional PHP Developers
Maybe I could just enter the log id in the session. When I go to
submit the form I check if the SESSION is active. Since this all takes
place on the server the spammer won't have any idea this field exists.
Obviously if the script is smart and loads the page then this won't
really work lol.

The log id needs to be valid for the form to be submitted.

Regardless there is no bullet proof system. If someone really wants to
mess with your form they will find a way even if they have to do it
manually.

A great previous thread regarding the topic is here:

Protecting PHP Form from Attack/Spam/Hacker on May 21st.

Thanks in advance.
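
The checks discussed in this thread (hidden field left blank, timer, one-time form id kept server-side) combined in one handler, added here as an example and not code from any poster. The field names `website` and `form_token`, the thresholds, and the plain array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example. Field names and thresholds are assumptions, not from the thread.
const MIN_FILL_SECONDS = 3;    // a form completed faster than this is suspect
const MAX_TOKEN_AGE    = 3600; // a form id older than an hour is stale

// On page load: record a one-time form id with its render time in the session.
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_tokens'][$token] = $now;
    return $token; // render as <input type="hidden" name="form_token">
}
// On POST: returns [accepted, reason]. Pass $_POST and $_SESSION in production.
function check_submission(array $post, array &$session, int $now): array
{
    // 1. Honeypot: "website" is hidden from humans, so it must arrive empty.
    $trap = $post['website'] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        return [false, 'honeypot filled'];
    }
    // 2. The form id must have been issued to this session by a page load.
    //    This replaces a Referer check, since that header is client-supplied.
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !isset($session['form_tokens'][$token])) {
        return [false, 'unknown or reused form id'];
    }
    $issued = $session['form_tokens'][$token];
    unset($session['form_tokens'][$token]); // single use: drops double submits
    // 3. Timer: a post that arrives too fast or too late fails.
    $elapsed = $now - $issued;
    if ($elapsed < MIN_FILL_SECONDS || $elapsed > MAX_TOKEN_AGE) {
        return [false, 'submitted too fast or form id expired'];
    }
    return [true, 'ok'];
}

// Constructed walk-through with an array standing in for $_SESSION.
$session = [];
$human = issue_form_token($session, 1000);
$bot   = issue_form_token($session, 1000);
$cases = [
    'human after 20s'   => check_submission(['website' => '', 'form_token' => $human], $session, 1020),
    'same form again'   => check_submission(['website' => '', 'form_token' => $human], $session, 1021),
    'instant post'      => check_submission(['website' => '', 'form_token' => $bot], $session, 1000),
    'no page load'      => check_submission(['website' => ''], $session, 1020),
    'trap field filled' => check_submission(['website' => 'x', 'form_token' => 'n/a'], $session, 1020),
];
foreach ($cases as $name => [$ok, $why]) {
    printf("%-18s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $why);
}
```

As the thread notes, a script that loads the page first and waits before posting passes all three checks, so this filters only bots that post blindly.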