Shloime Henig Points Out HUGE Error In My Current Anti-Spam Technique

Posted February 6, 2007 at 8:56 AM by Ben Nadel

Shloime Henig contacted me a few days ago to point out a HUGE issue he found with my anti-spam form submissions technique. I use a number of hidden form fields that a standard user will not see to help me separate the good users from the spam bots. The problem, as Shloime pointed out, is that if any one has form auto-fill turned on in their browser (via some Browser plugin or what-have-you), it will alter the hidden fields unbeknown to the user.

Altering these fields, of course, makes my code thing that the form was submitted by a spam bot and rejects them. I am sorry if this has happened to any of you (getting your comments rejected). I am going to be moving to a much more simple technique (version 4) very soon.

Thanks Shloime, you rock!




Reader Comments

Javier Julio
Feb 6, 2007 at 9:44 AM // reply »
92 Comments
1 Points

Looking forward to it! Keep us up to date on where you are heading with that.


Ben Nadel
Feb 6, 2007 at 10:14 AM // reply »
10,640 Comments
69,065 Points

It is going to be, in part, based on the stuff Michael Dinowitz did, but not using an application-scoped key. Who knows, we will see.


Doug
Feb 7, 2007 at 11:36 AM // reply »
2 Comments
1 Points

Yeah, I thought of that in my own implementation. You should still use the same words in the field names so hopefully the bot or [human] bot configurer will still try to enter data into them. So I was using URL2 and email2 in a test so as to not trigger the autofill of google toolbar or the like...

I've been reading your anti-spam techniques and appreciate them, so I wanted to pass on this related article that I thought had some really interesting techniques too: http://www.nedbatchelder.com/text/stopbots.html


Steve
Feb 11, 2007 at 12:48 PM // reply »
168 Comments
63 Points

What if you used a textarea with style="display:none;", rather than an input with type="hidden"? Do common autofill apps try to autofill textareas as well as inputs?


Ben Nadel
Feb 11, 2007 at 5:21 PM // reply »
10,640 Comments
69,065 Points

Steve,

Yeah, I think I am gonna end up doing something like that. That's how my previous anti-spam technique worked. I just need to tweak and simplify.


Ben Nadel
Feb 12, 2007 at 3:28 PM // reply »
10,640 Comments
69,065 Points

@Dan, @Steve,

Yeah, that is what I have done. In conjunction with the encrypted timestamp, I have added a hidden textarea or two. Dan, it was cool to know those had a name, Honeypot. Good stuff.


Post A Comment

Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.

Please review the following issues:

Author Name:
Author Email:
Author Website:
Comment:
Supported HTML tags for formatting: <strong>bold</strong>   <em>italic</em>   <code>code</code>







  • Help Wanted - Find Your Next ColdFusion Job
InVision App - Prototyping Made Beautiful With Prototyping Tools Ben Nadel's Company - Epicenter Consulting Recent Blog Comments
Bartezz
Feb 10, 2012 at 7:21 PM
jQuery AJAX Strips Script Tags And Inserts Them After Parent-Most Elements
Update! Instead of $(eval(options.insertAfter)).after(data['insertData']); I now use: var ajaxNode = document.createElement('span'); var parent = $(eval(options.insertAfter))[0].parentNode; ... read »
Bartezz
Feb 10, 2012 at 6:18 PM
jQuery AJAX Strips Script Tags And Inserts Them After Parent-Most Elements
encountered this same, what I consider, jQuery bug last week. I'm building a site in which I load some content via AJAX. This content contains Linkedin share button placeholders which Linkedin API ne ... read »
Drew Wells
Feb 10, 2012 at 11:30 AM
Cross-Origin Resource Sharing (CORS) AJAX Requests Between jQuery And Node.js
After you understand the concepts here, this is an awesome cheatsheet for enabling CORS in just about anything http://enable-cors.org/ ... read »
JM
Feb 10, 2012 at 9:10 AM
My Safari Browser SQLite Database Hello World Example
@Amy, Here is a very good tutorial on how to use JOIN: http://www.sqltutorial.org/sqljoin-innerjoin.aspx ... read »
Stefan Richter
Feb 10, 2012 at 4:42 AM
Building A Twitter-Inspired RESTful API Architecture In ColdFusion
This is great, very useful Ben. I spotted a small typo in the api.cgm listing: <cfthrow type="Unauthroized" /> Cheers Stefan ... read »
Hugh
Feb 9, 2012 at 10:35 PM
CFDirectory Filtering Uses Pipe Character For Multiple Filters (Thanks Steve Withington)
I was wondering if there would be a filter you could apply so that you got everything but what you included in the filter. As in show me all docs that are not a .pdf. ... read »
Stephen
Feb 9, 2012 at 10:29 PM
Learning ColdFusion 9: Application-Specific Data Sources
@Ben, No offence, but if people were really wanting advanced features they would be using a platform like ASP.NET MVC. CFML is so structurally compromised as a tag-based scripting language that ... read »
Nathan
Feb 9, 2012 at 10:03 PM
Subversion - Cleanup Failed To Process The Following Paths
@Leviaguirre, do you still have problems with this? ... read »