A better technique to stop spam?
Posted: 2 February 2008
A couple of weeks ago I wrote an entry on how to outsmart comment spam with JavaScript. Although this is a good technique, it has a drawback: code maintenance. If the markup of the form changes, it is more time-consuming to alter the JavaScript than the HTML.
To overcome this problem and still outsmart spam, I've been testing a new method which uses JavaScript to change the form action. In its simplest form the JavaScript can look like this:
<script type="text/javascript" charset="utf-8">
function redirectForm(form){
form.action = '';
form.submit();
}
</script>
<form action="/no-javascript" onsubmit="redirectForm(this);" method="post" accept-charset="utf-8">
<p><input type="text" name="test" /></p>
<p><input type="submit" value="Submit" /></p>
</form>
N.B. The default action for Symphony forms is to submit to the same page, which is why the action is set to an empty string.
If you use multiple forms that have different actions, you could expand the JavaScript to handle those as well:
<script type="text/javascript" charset="utf-8">
function redirectForm(form, action){
form.action = action;
form.submit();
}
</script>
<form action="/no-javascript/" onsubmit="redirectForm(this, '');" method="post" accept-charset="utf-8">
<p><input type="text" name="test" /></p>
<p><input type="submit" value="Submit" /></p>
</form>
This is just a start; there's more you can do to make this JS smarter (but I'll let you figure that out). So far this technique has worked great for me. Remember to set up a real page for the fake submission URL, so that authentic users of your site without JS enabled are alerted that their submission was unsuccessful.
To get an idea of how much spam you've stopped, check your server logs for the number of requests to your fake submission URL.
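One way to do that log check, as an added example that is not part of the original post: a Node.js script that counts POST requests to the decoy action per source address. It assumes the Apache/nginx "combined" access-log format and the decoy path `/no-javascript` used in the forms above; the log lines and the `/journal/spam-technique/` path are constructed samples.

```javascript
// Added example: count form submissions that landed on the decoy action.
// Assumptions: "combined" access-log format; decoy path as used on this page.
const DECOY_PATH = '/no-javascript';

// Constructed sample lines (documentation IP ranges), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [02/Feb/2008:10:01:12 +0000] "POST /no-javascript HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
  '203.0.113.7 - - [02/Feb/2008:10:01:15 +0000] "POST /no-javascript/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
  '198.51.100.23 - - [02/Feb/2008:10:04:40 +0000] "POST /no-javascript?ref=1 HTTP/1.0" 200 512 "-" "-"',
  '192.0.2.10 - - [02/Feb/2008:10:05:02 +0000] "GET /no-javascript HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [02/Feb/2008:10:06:30 +0000] "POST /journal/spam-technique/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
  'truncated or corrupt line',
];

// ip, ident, user, [time], "METHOD path proto", status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  // Drop the query string and trailing slashes so that "/no-javascript/"
  // and "/no-javascript?x=1" are counted as the same decoy URL.
  const path = m[4].split('?')[0].replace(/\/+$/, '') || '/';
  return { ip: m[1], time: m[2], method: m[3], path, status: Number(m[5]) };
}

function summarizeDecoyHits(lines, decoyPath = DECOY_PATH) {
  const byIp = new Map();
  let total = 0;
  let skipped = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { skipped++; continue; }
    // Only POSTs are submissions; a GET of the decoy page is just a page view.
    if (rec.method !== 'POST' || rec.path !== decoyPath) continue;
    total++;
    byIp.set(rec.ip, (byIp.get(rec.ip) || 0) + 1);
  }
  // Highest-volume sources first, e.g. to review before blocking anything.
  const topSources = [...byIp.entries()].sort((a, b) => b[1] - a[1]);
  return { total, skipped, topSources };
}

console.log(summarizeDecoyHits(SAMPLE_LOG));
```

The total is an upper bound on stopped spam, since visitors with JavaScript disabled also end up on the decoy URL.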
Please leave a comment with your thoughts on this technique vs the previous one, or if you know of another solution to stop spam.
Your comments
John R 19 Feb 08 at 11:58am
Good post. I have seen this technique elsewhere; the idea of having a valid page for the fake submission URL is a good one, so users without JavaScript will know their form submission didn't go through.
John 1 Oct 08 at 5:01am
How long before bots/robots start executing JS code and this technique is extinct?
Neil 1 Oct 08 at 6:21pm
@John There is no method that is 100%; even CAPTCHAs can be bypassed by some bots. My experience with this technique has been very positive. The solution has been working effectively for me since January this year, and only requires visitors to use a modern web browser to prove that they are human.
However, in the future spambots may become more intelligent and start processing JS. So when the spammers start building better bots, of course developers everywhere will need to improve their detection methods.
If you are concerned with bots bypassing this now, you can use this technique along with others (e.g. Akismet) to improve security.
tinviet 3 Nov 08 at 6:57pm
I'm looking for a similar script, but one that detects human action (no use of captcha), like moving of the mouse + typing speed + a certain amount of characters typed in, then after testing will be allowed to post, or redirect the user to another URL instead of posting URLs. Does anyone have an idea?