A better technique to stop spam?
Posted: 2 February 2008
A couple of weeks ago I wrote an entry on how to outsmart comment spam with JavaScript. Although this is a good technique, it has a drawback: code maintenance. If the form's markup changes, it is more time-consuming to alter the JavaScript than the HTML.
To overcome this problem and still outsmart spam, I've been testing a new method which uses JavaScript to change the form action. In its simplest form the JavaScript can look like this:
<script type="text/javascript" charset="utf-8">
// Point the form at the real handler just before it is submitted.
function redirectForm(form){
  form.action = ''; // empty string: submit to the current page
  form.submit();
}
</script>
<form action="/no-javascript" onsubmit="redirectForm(this);" method="post" accept-charset="utf-8">
  <p><input type="text" name="test" /></p>
  <p><input type="submit" value="Submit" /></p>
</form>
N.B. The default action for Symphony forms is to submit to the same page, which is why the action is set to an empty string.
If you use multiple forms that have different actions, you could expand the JavaScript to handle those as well:
<script type="text/javascript" charset="utf-8">
// The real action is passed in by each form's onsubmit attribute.
function redirectForm(form, action){
  form.action = action;
  form.submit();
}
</script>
<form action="/no-javascript/" onsubmit="redirectForm(this, '');" method="post" accept-charset="utf-8">
  <p><input type="text" name="test" /></p>
  <p><input type="submit" value="Submit" /></p>
</form>
This is just a start; there's more you can do to make this JS smarter (but I'll let you figure that out). So far this technique has worked great for me. Remember to set up a real page for the fake submission URL, so that authentic users of your site without JS enabled are alerted that their submission was unsuccessful.
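One way to make the script smarter, as an added example rather than code from this post: it arms every form that carries a decoy action, runs any existing onsubmit check first, and leaves the single submit to the browser. The data-real-action attribute and the armForm/armAll names are assumptions made for this illustration.

```javascript
// Added example, not the post's code. Assumed names: data-real-action,
// armForm, armAll. Each protected form keeps its decoy action in the markup:
//   <form action="/no-javascript" data-real-action="" method="post">

function armForm(form, validate) {
  const real = form.getAttribute('data-real-action');
  if (real === null) return false;        // form is not using the decoy scheme
  const previous = form.onsubmit;         // e.g. an inline "return formCheck(this);"
  form.onsubmit = function (event) {
    // Run existing checks first so a rejected submit never touches the action.
    if (typeof previous === 'function' && previous.call(form, event) === false) return false;
    if (typeof validate === 'function' && !validate(form)) return false;
    form.action = real;                   // '' means "submit to the same page"
    return true;                          // the browser performs the only submit
  };
  return true;
}

// Arm every form in the document; returns how many were armed.
function armAll(doc) {
  const forms = doc.getElementsByTagName('form');
  let armed = 0;
  for (let i = 0; i < forms.length; i++) {
    if (armForm(forms[i])) armed++;
  }
  return armed;
}

// In a browser, wire everything up once the markup has loaded.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () { armAll(document); });
}
```

The real action is still present in the markup, just as it is in the inline onsubmit version, so this filters only clients that post to the action attribute as written.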
To get an idea of how much spam you've stopped, check your server logs for the number of requests to your fake submission URL.
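A sketch of that log check, added here and not part of the original entry: it counts POSTs to the decoy URL per day and per client. It assumes Apache/nginx combined-format access logs, and the sample lines are constructed. Visitors without JavaScript also post to the decoy, so the count is an upper bound on spam.

```javascript
// Added example. Assumes Apache/nginx "combined" access-log lines; the decoy
// path is the post's /no-javascript. SAMPLE_LOG is constructed for illustration.
const LINE = /^(\S+) \S+ \S+ \[(\d{2}\/\w{3}\/\d{4}):[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) /;

// Treat /no-javascript and /no-javascript/ (both appear in the post) as one path.
function normalizePath(target) {
  return target.split('?')[0].replace(/\/+$/, '') || '/';
}

function summarizeDecoyHits(logText, decoyPath) {
  const decoy = normalizePath(decoyPath);
  const out = { decoyPosts: 0, otherPosts: 0, unparsed: 0, byDay: {}, byClient: {} };
  logText.split('\n').forEach(function (line) {
    if (!line.trim()) return;
    const m = LINE.exec(line);
    if (!m) { out.unparsed++; return; }
    const client = m[1], day = m[2], method = m[3], path = normalizePath(m[4]);
    // Only POSTs are submissions; a GET is someone viewing the decoy page.
    if (method !== 'POST') return;
    if (path !== decoy) { out.otherPosts++; return; }
    out.decoyPosts++;
    out.byDay[day] = (out.byDay[day] || 0) + 1;
    out.byClient[client] = (out.byClient[client] || 0) + 1;
  });
  return out;
}

const SAMPLE_LOG = [
  '192.0.2.10 - - [02/Feb/2008:10:00:01 +0000] "POST /no-javascript HTTP/1.1" 200 512 "-" "-"',
  '192.0.2.10 - - [02/Feb/2008:10:00:05 +0000] "POST /no-javascript/ HTTP/1.1" 200 512 "-" "-"',
  '198.51.100.7 - - [03/Feb/2008:11:30:00 +0000] "POST /no-javascript HTTP/1.0" 200 512 "-" "-"',
  '203.0.113.5 - - [03/Feb/2008:12:00:00 +0000] "GET /no-javascript HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [03/Feb/2008:12:01:00 +0000] "POST /blog/entry HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  'garbage line'
].join('\n');

console.log(summarizeDecoyHits(SAMPLE_LOG, '/no-javascript/'));
```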
Please leave a comment with your thoughts on this technique vs the previous one, or if you know of another solution to stop spam.
Your comments
John R 19 Feb 08 at 11:58am
Good post, I have seen this technique elsewhere. The idea of having a valid page for the fake submission URL is a good one, so users without JavaScript will know their form submission didn't go through.
John 1 Oct 08 at 5:01am
How long before bots/robots start executing JS code and this technique is extinct?
Neil 1 Oct 08 at 6:21pm
@John There is no method that is 100%; even captchas can be bypassed by some bots. My experience with this technique has been very positive. The solution has been working effectively for me since January this year, and only requires visitors to use a modern web browser to prove that they are human.
However, in the future spambots may become more intelligent and start processing JS. So when the spammers start building better bots, of course developers everywhere will need to improve their detection methods.
If you are concerned with bots bypassing this now, you can use this technique along with others (e.g. Akismet) to improve security.
tinviet 3 Nov 08 at 6:57pm
I'm looking for a similar script, but one that detects human action (no captcha), like mouse movement + typing speed + a certain number of characters typed in. Then after testing, the user will be allowed to post or be redirected to another URL instead of posting URLs. Anyone have an idea?
Wade 26 Feb 09 at 1:03pm
Hello Neil,
Seems to be excellent.
However, not being a script guru, I am somewhat confused about how to use it in an HTML form. Could you explain a bit further?
Neil 26 Feb 09 at 1:13pm
@Wade In your form you want to set a fake action attribute. At the moment spambots do not execute JavaScript commands and will submit the form to the fake action specified.
When a real user submits a form, it will execute the JavaScript method (through the onsubmit attribute) which changes where it submits to (i.e. make it submit to the real form processor).
To make things easier to read, look at it like this:
<form action="/fakeaddress" onsubmit="this.action='/realaction'" method="post">
Wade 1 Mar 09 at 0:54am
Hello Mr. Ang,
I really appreciate your prompt response to my earlier inquiry, but unfortunately it left me with even more unanswered questions — excuse my coding ignorance.
I created the "fake" page with no problems.
[CURRENTLY ON THE NON-WORKING TEST FORM]
<head>
</script>
<script type="text/javascript" charset="utf-8"> function redirectForm(form){ form.action = ''; form.submit(); } </script>
</head>
[CURRENT POST ACTION] <form method="post" action="/cgi-bin/ezcommunicator.pl" onsubmit="return formCheck(this);">
[WHERE (or HOW) do I ADD THE CODE (below?)]
<form action="/no-javascript" onsubmit="redirectForm(this);" method="post" accept-charset="utf-8">
[If it replaces the current form action this would seem to ignore the form processor script (above) — resulting in no form results whatsoever.]
[WHAT'S THIS? (below) — Where does it go? It produces only a blank window space.]
<p><input type="text" name="test" /></p> <p><input type="submit" value="Submit" /></p>
</form>
Perhaps I should pay more attention to your statement that you are a developer for developers. But your solution seemed to add more promise for defeating spambots than anything I have found through extensive research. It would certainly be appreciated if you would explain (in detail) EXACTLY how to use your technique for the benefit of all the less advanced. Thank you very much.
Neil 1 Mar 09 at 9:04pm
@wade I sent a sample solution to the email address you provided.
العاب 13 Mar 10 at 6:48pm
Hi Neil, I appreciate your sharing and have a basic question, as I'm a new guy with forms and I use WordPress. Can I know if it would be possible to use this on that? And which kind of information do you want to know?