Shloime Henig Points Out HUGE Error In My Current Anti-Spam Technique

Posted February 6, 2007 at 8:56 AM by Ben Nadel

Shloime Henig contacted me a few days ago to point out a HUGE issue he found with my anti-spam form submissions technique. I use a number of hidden form fields that a standard user will not see to help me separate the good users from the spam bots. The problem, as Shloime pointed out, is that if any one has form auto-fill turned on in their browser (via some Browser plugin or what-have-you), it will alter the hidden fields unbeknown to the user.

Altering these fields, of course, makes my code thing that the form was submitted by a spam bot and rejects them. I am sorry if this has happened to any of you (getting your comments rejected). I am going to be moving to a much more simple technique (version 4) very soon.

Thanks Shloime, you rock!




Reader Comments

Javier Julio
Feb 6, 2007 at 9:44 AM // reply »
92 Comments
1 Points

Looking forward to it! Keep us up to date on where you are heading with that.


Ben Nadel
Feb 6, 2007 at 10:14 AM // reply »
11,238 Comments
75,337 Points

It is going to be, in part, based on the stuff Michael Dinowitz did, but not using an application-scoped key. Who knows, we will see.


Doug
Feb 7, 2007 at 11:36 AM // reply »
2 Comments
1 Points

Yeah, I thought of that in my own implementation. You should still use the same words in the field names so hopefully the bot or [human] bot configurer will still try to enter data into them. So I was using URL2 and email2 in a test so as to not trigger the autofill of google toolbar or the like...

I've been reading your anti-spam techniques and appreciate them, so I wanted to pass on this related article that I thought had some really interesting techniques too: http://www.nedbatchelder.com/text/stopbots.html


Steven Levithan
Feb 11, 2007 at 12:48 PM // reply »
172 Comments
105 Points

What if you used a textarea with style="display:none;", rather than an input with type="hidden"? Do common autofill apps try to autofill textareas as well as inputs?


Ben Nadel
Feb 11, 2007 at 5:21 PM // reply »
11,238 Comments
75,337 Points

Steve,

Yeah, I think I am gonna end up doing something like that. That's how my previous anti-spam technique worked. I just need to tweak and simplify.


Ben Nadel
Feb 12, 2007 at 3:28 PM // reply »
11,238 Comments
75,337 Points

@Dan, @Steve,

Yeah, that is what I have done. In conjunction with the encrypted timestamp, I have added a hidden textarea or two. Dan, it was cool to know those had a name, Honeypot. Good stuff.


Post A Comment

Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.

Please review the following issues:

Author Name:
Author Email:
Author Website:
Comment:
Supported HTML tags for formatting: <strong>bold</strong>   <em>italic</em>   <code>code</code>







  • Help Wanted - Find Your Next ColdFusion Job
Ben Nadel's Company - Epicenter Consulting Recent Blog Comments
Chris Hubert
May 17, 2013 at 7:42 PM
HashKeyCopier - An AngularJS Utility Class For Merging Cached And Live Data
Ben - thanks so much for posting these Angular articles and findings, they've been a huge help towards learning one of the more 'complex' JavaScript frameworks out there (IMO). I have been using Angu ... read »
sgeorge
May 16, 2013 at 5:01 PM
UPDATE: Parsing CSV Data Files In ColdFusion With csvToArray()
Your code was the closest thing I've found to obtaining some direction for converting ISO fields to values that CF can translate properly. Thank you for posting! ... read »
shah
May 15, 2013 at 10:37 PM
Very Simple Pusher And ColdFusion Powered Chat
hi id making plz easy ... read »
Chris B.
May 15, 2013 at 6:07 PM
Making SOAP Web Service Requests With ColdFusion And CFHTTP
Ben, you once again saved my bacon at work. Thank you, thank you, thank you! ... read »
Jonah
May 15, 2013 at 4:15 PM
What If All User Interface (UI) Data Came In Reports?
@Josh, Thanks! @Ben, I definitely recommend the David West book "Object Thinking" I've been quoting from. It goes deeply into the philosophy and history of OO programming. His breadth ... read »
Alex
May 15, 2013 at 11:36 AM
Ask Ben: Print Part Of A Web Page With jQuery
I found this helpfull when you need to keep (refresh) the original parent page after closing the iframe child print dialog (Hoping you're not using a form at this time so it won't submit again): On ... read »
Ben Nadel
May 14, 2013 at 7:13 PM
What If All User Interface (UI) Data Came In Reports?
@Jonah, If there's any books you'd recommend on the subject of domain modelling, I'd love to hear it. I just downloaded the free PDF of "Domain Driven Design Quickly". Figured I'd give it ... read »
Ben Nadel
May 14, 2013 at 6:57 PM
The UX Of Prototyping: Low-Fidelity Is The New High-Fidelity
@Phillip, I'm not sure I follow what you mean? Are you saying that you looked at the list of widgets provided by the jQuery UI and let that be your style guide? ... read »
InVision App - Prototyping Made Beautiful With Prototyping Tools