Shloime Henig Points Out HUGE Error In My Current Anti-Spam Technique : Kinky Solutions : A Student's Perspective by Ben Nadel

Recent Entries Complete Entry List July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 AJAX (14) Ask Ben (99) Books (12) ColdFusion (886) Exercise List (17) Flash (3) Health / Fitness (31) HTML / CSS (28) Javascript / DHTML (90) Life (67) Movies (23) Project HUGE (28) Relationships (6) Search Engine Optimization (14) Skin Spider (30) SQL (83) Work (104) XStandard WYSIWYG (21) RSS 2.0 Custom RSS 2.0

Posted February 6, 2007 at 8:56 AM

Shloime Henig contacted me a few days ago to point out a HUGE issue he found with my anti-spam form submissions technique. I use a number of hidden form fields that a standard user will not see to help me separate the good users from the spam bots. The problem, as Shloime pointed out, is that if any one has form auto-fill turned on in their browser (via some Browser plugin or what-have-you), it will alter the hidden fields unbeknown to the user.

Altering these fields, of course, makes my code thing that the form was submitted by a spam bot and rejects them. I am sorry if this has happened to any of you (getting your comments rejected). I am going to be moving to a much more simple technique (version 4) very soon.

Thanks Shloime, you rock!

Comments (6)  |  Post Comment  |  Ask Ben  |  Permalink  |  Other Searches  |  Print Page

• Add To Del.icio.us
• Add To Digg
• Add to Spurl.net
• Add to Wists
• Add to Simpy
• Add to Newsvine
• Add to BlinkList
• Add to Furl
• Add to reddit
• Add to FARK
• Add to BlogMarks
• Add to Yahoo! My Web
• Add to smarking
• Add to Ma.gnolia
• Add to Segnalo

Reader Comments

Looking forward to it! Keep us up to date on where you are heading with that.

Posted by Javier Julio on Feb 6, 2007 at 9:44 AM

It is going to be, in part, based on the stuff Michael Dinowitz did, but not using an application-scoped key. Who knows, we will see.

Posted by Ben Nadel on Feb 6, 2007 at 10:14 AM

Yeah, I thought of that in my own implementation. You should still use the same words in the field names so hopefully the bot or [human] bot configurer will still try to enter data into them. So I was using URL2 and email2 in a test so as to not trigger the autofill of google toolbar or the like...

I've been reading your anti-spam techniques and appreciate them, so I wanted to pass on this related article that I thought had some really interesting techniques too: http://www.nedbatchelder.com/text/stopbots.html

Posted by Doug on Feb 7, 2007 at 11:36 AM

What if you used a textarea with style="display:none;", rather than an input with type="hidden"? Do common autofill apps try to autofill textareas as well as inputs?

Posted by Steve on Feb 11, 2007 at 12:48 PM

Steve,

Yeah, I think I am gonna end up doing something like that. That's how my previous anti-spam technique worked. I just need to tweak and simplify.

Posted by Ben Nadel on Feb 11, 2007 at 5:21 PM

@Dan, @Steve,

Yeah, that is what I have done. In conjunction with the encrypted timestamp, I have added a hidden textarea or two. Dan, it was cool to know those had a name, Honeypot. Good stuff.

Posted by Ben Nadel on Feb 12, 2007 at 3:28 PM

Post Comment  |  Ask Ben