Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.
Meanwhile on Twitter
Loading latest tweet...
Ben Nadel at CFUNITED 2010 (Landsdown, VA) with: Mike Collins

Shloime Henig Points Out HUGE Error In My Current Anti-Spam Technique

By Ben Nadel on

Shloime Henig contacted me a few days ago to point out a HUGE issue he found with my anti-spam form submissions technique. I use a number of hidden form fields that a standard user will not see to help me separate the good users from the spam bots. The problem, as Shloime pointed out, is that if any one has form auto-fill turned on in their browser (via some Browser plugin or what-have-you), it will alter the hidden fields unbeknown to the user.

Altering these fields, of course, makes my code thing that the form was submitted by a spam bot and rejects them. I am sorry if this has happened to any of you (getting your comments rejected). I am going to be moving to a much more simple technique (version 4) very soon.

Thanks Shloime, you rock!



Looking For A New Job?

100% of job board revenue is donated to Kiva. Loans that change livesFind out more »

Reader Comments

It is going to be, in part, based on the stuff Michael Dinowitz did, but not using an application-scoped key. Who knows, we will see.

Reply to this Comment

Yeah, I thought of that in my own implementation. You should still use the same words in the field names so hopefully the bot or [human] bot configurer will still try to enter data into them. So I was using URL2 and email2 in a test so as to not trigger the autofill of google toolbar or the like...

I've been reading your anti-spam techniques and appreciate them, so I wanted to pass on this related article that I thought had some really interesting techniques too: http://www.nedbatchelder.com/text/stopbots.html

Reply to this Comment

What if you used a textarea with style="display:none;", rather than an input with type="hidden"? Do common autofill apps try to autofill textareas as well as inputs?

Reply to this Comment

Steve,

Yeah, I think I am gonna end up doing something like that. That's how my previous anti-spam technique worked. I just need to tweak and simplify.

Reply to this Comment

@Dan, @Steve,

Yeah, that is what I have done. In conjunction with the encrypted timestamp, I have added a hidden textarea or two. Dan, it was cool to know those had a name, Honeypot. Good stuff.

Reply to this Comment

Post A Comment

You — Get Out Of My Dreams, Get Into My Comments
Live in the Now
Oops!
Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.