Shloime Henig Points Out HUGE Error In My Current Anti-Spam Technique

Posted February 6, 2007 at 8:56 AM by Ben Nadel

Shloime Henig contacted me a few days ago to point out a HUGE issue he found with my anti-spam form submissions technique. I use a number of hidden form fields that a standard user will not see to help me separate the good users from the spam bots. The problem, as Shloime pointed out, is that if anyone has form auto-fill turned on in their browser (via some browser plugin or what-have-you), it will alter the hidden fields unbeknown to the user.

Altering these fields, of course, makes my code think that the form was submitted by a spam bot and reject it. I am sorry if this has happened to any of you (getting your comments rejected). I am going to be moving to a much simpler technique (version 4) very soon.

Thanks Shloime, you rock!




Reader Comments

Feb 6, 2007 at 9:44 AM
92 Comments

Looking forward to it! Keep us up to date on where you are heading with that.


Feb 6, 2007 at 10:14 AM
11,247 Comments

It is going to be, in part, based on the stuff Michael Dinowitz did, but not using an application-scoped key. Who knows, we will see.


Feb 7, 2007 at 11:36 AM
2 Comments

Yeah, I thought of that in my own implementation. You should still use the same words in the field names so hopefully the bot or [human] bot configurer will still try to enter data into them. So I was using URL2 and email2 in a test so as to not trigger the autofill of Google Toolbar or the like...

I've been reading your anti-spam techniques and appreciate them, so I wanted to pass on this related article that I thought had some really interesting techniques too: http://www.nedbatchelder.com/text/stopbots.html


Feb 11, 2007 at 12:48 PM
172 Comments

What if you used a textarea with style="display:none;", rather than an input with type="hidden"? Do common autofill apps try to autofill textareas as well as inputs?


Feb 11, 2007 at 5:21 PM
11,247 Comments

Steve,

Yeah, I think I am gonna end up doing something like that. That's how my previous anti-spam technique worked. I just need to tweak and simplify.


Feb 12, 2007 at 3:28 PM
11,247 Comments

@Dan, @Steve,

Yeah, that is what I have done. In conjunction with the encrypted timestamp, I have added a hidden textarea or two. Dan, it was cool to know those had a name, Honeypot. Good stuff.
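
Added example (not code from the post or from any commenter): a server-side check combining the honeypot fields and the timestamp discussed in the thread. The field names follow the URL2/email2 suggestion above; the key, the thresholds and the `token` field are assumptions, and the timestamp is HMAC-signed here rather than encrypted, which gives the same tamper resistance using only the standard library.

```python
import hashlib
import hmac
import time

# All names and values below are hypothetical, chosen for this sketch.
SECRET_KEY = b"constructed-demo-key"      # per-site secret, never sent to the client
HONEYPOT_FIELDS = ("url2", "email2")      # bait names that autofill tools should not match
MIN_FILL_SECONDS = 3                      # a human needs longer than this to write a comment
MAX_FORM_AGE_SECONDS = 3600               # tokens older than this are rejected


def _sign(ts: str) -> str:
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Return 'timestamp.signature' to embed in the form when it is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form: dict, now=None):
    """Return (accepted, reason) for a submitted form given as a dict of strings."""
    now = time.time() if now is None else now

    # 1. Honeypots are hidden with CSS, so a human leaves them empty.
    #    An autofill false positive shows up here as a non-empty value.
    for name in HONEYPOT_FIELDS:
        if form.get(name, "").strip():
            return False, f"honeypot:{name}"

    # 2. The timestamp must carry a valid signature (constant-time compare),
    #    so a bot cannot invent or alter it.
    ts, _, sig = form.get("token", "").partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad-token"

    # 3. Timing: reject instant posts and stale forms.
    age = now - int(ts)   # safe: only integer timestamps are ever signed
    if age < MIN_FILL_SECONDS:
        return False, "too-fast"
    if age > MAX_FORM_AGE_SECONDS:
        return False, "expired"
    return True, "ok"
```

Logging the returned reason per rejection makes autofill false positives visible: a run of `honeypot:` rejections from otherwise normal-looking visitors suggests that a bait field name collides with an autofill rule.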

