11 Sep. Filed in Code, Django, How-To's, JavaScript, PHP, Python

Recently I’ve been incorporating alternative techniques to Captcha to prevent automated form submission on websites, which is typically spam, or something else you don’t want happening. I added our routines to the new iBegin’s submission system today, and thought that I’d share with the world what we’re doing. I’m also curious as to what everyone else does to solve these problems, without burdening the user.

On Curse we implemented a middleware, which on any POST request, would confirm that a user had filled in a Captcha box within the last N hours, or had verified themselves as a human being in some other fashion (a text message was our method).

Now in iBegin, and on my websites, we use two different methods to prevent spam. One is the honeypot method, which inserts a text field with no value. This field is hidden with CSS, and if a value is passed on submission we assume that it’s a bot or something else trying to submit the form.

The second method requires the user to have JavaScript enabled, but is very similar. We insert another text field with JavaScript and set its value to ‘hello’. This field is also hidden with CSS, and on submission we verify the value is still ‘hello’.

If either of these fails, the form throws a validation error, and of course logs the attempt. So far, in all of my use-cases, it has worked very well, and the only “spam” I’ve seen are real users doing it themselves.

So for a more technical look, here’s a sample of the code from our submission page for business listings:

    <div style="display:none;">
        <p>These fields are present to prevent automated submission systems. If you see it, please do not fill in a value.</p>
        <!-- nospam1: written by JavaScript; the server expects the value 'hello' -->
        <script type="text/javascript">var varname='nospam1';document.write('<inp'+'ut name="'+varname+'" type="text" value="hello"/>');</script>
        <!-- nospam2: honeypot; must be submitted empty -->
        <input type="text" name="nospam2" value=""/>
    </div>

And our Django form validation:

    import logging

    if request.method == 'POST':
        form = BusinessForm(request.POST, initial=initial, hidden=hidden)

        # JavaScript-populated field: must carry the expected value, otherwise the
        # client either ran no JavaScript or tampered with the field.
        if request.POST.get('nospam1', None) != 'hello':
            logging.info('`nospam1` value not set properly on form submission from %s' % (request.META.get('REMOTE_ADDR', '<noip>'),))
            form.errors['__all__'] = 'There was an unknown error submitting your request.'
        # Honeypot field: hidden by CSS, so any value means an automated submitter.
        elif request.POST.get('nospam2'):
            logging.info('`nospam2` value set on form submission from %s' % (request.META.get('REMOTE_ADDR', '<noip>'),))
            form.errors['__all__'] = 'There was an unknown error submitting your request.'

        if form.is_valid():
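The same two checks as a standalone, reusable function (an added example written for this page, not the post's own code). Field names, the expected value and the generic error message are taken from the article; the logger name and the sample submissions are constructed, and the third sample shows the stated caveat that a client without JavaScript is rejected by the second check.

```python
import logging

# Field names and expected value as described in the article.
HONEYPOT_FIELD = "nospam2"   # must arrive empty: CSS hides it, bots fill it
JS_FIELD = "nospam1"         # written by JavaScript; must equal JS_VALUE
JS_VALUE = "hello"
GENERIC_ERROR = "There was an unknown error submitting your request."

log = logging.getLogger("antispam")   # assumed logger name


def antispam_failure(post, remote_addr="<noip>"):
    """Return None if the submission looks human, else a short reason string.

    `post` is any mapping of field name -> submitted value (e.g. request.POST).
    The reason is only logged; the caller shows a generic error so an automated
    submitter learns nothing about which check rejected it.
    """
    if post.get(JS_FIELD) != JS_VALUE:
        # Missing or altered: no JavaScript ran, or the field was tampered with.
        log.info("`%s` value not set properly on form submission from %s",
                 JS_FIELD, remote_addr)
        return "js-field"
    if post.get(HONEYPOT_FIELD):
        # The CSS-hidden field was filled in: almost certainly a bot.
        log.info("`%s` value set on form submission from %s",
                 HONEYPOT_FIELD, remote_addr)
        return "honeypot"
    return None


def validate_submission(post, remote_addr="<noip>"):
    """Mirror the view: (ok, errors) with the article's generic '__all__' error."""
    if antispam_failure(post, remote_addr) is not None:
        return False, {"__all__": GENERIC_ERROR}
    return True, {}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample submissions for illustration only.
    samples = {
        "human": {"name": "Acme", JS_FIELD: "hello", HONEYPOT_FIELD: ""},
        "bot":   {"name": "Acme", JS_FIELD: "hello", HONEYPOT_FIELD: "http://spam.example"},
        "no_js": {"name": "Acme", HONEYPOT_FIELD: ""},
    }
    for label, data in samples.items():
        print(label, validate_submission(data, "203.0.113.5"))
```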

6 Responses to "Dealing with Automated Form Submission (Spam)"

rasiel (Sep 11th):

I’ve been having a similar problem with a newsletter submission form (where the user signs up for a newsletter). I will either have to implement one of your methods above or have an authentication method where an email is sent to their email address and they click on a token to authenticate.

Automated bots seem to be a big problem now; what I don’t get is why they would submit to a newsletter form with only a name and email address?

zgoda (Sep 11th):

A similar measure is implemented in the new comments framework in Django. I wasn’t sure if this has any preventive value, but if you say so…

Fíam (Sep 11th):

Check the method I implemented some time ago http://fi.am/entry/preventing-spam/. It doesn’t require javascript and my comment spam went from hundreds a day to one in almost four months.

Ole Morten (Sep 11th):

On my blog I stop accepting comments 2 weeks after a post has been published: http://www.omh.cc/2008/may/24/how-do-you-fight-spam/

Andrew Wooster (Sep 12th):

I came up with a site-specific captcha that has pretty much eliminated spam comments on my blog: http://www.nextthing.org/archives/2005/07/16/a-few-upgrades

The only ones I still get seem to originate from manual-labor spammers in India (I can tell from the IP addresses), and the occasional referrer spam which usually gets caught by Akismet.

Andy H (Sep 22nd):

Genius! This is a perfect way to separate yourself from the easy, “low hanging fruit” that the Form-Bots seem to go for.

The problem is, if everyone was as proactive as you, there would be no more low-hanging fruit and the Form-Bots would have to get smarter!
