Prove you are a robot
I am trying out a new design in my email forms that will prove that the user filling in the form is a robot rather than having the user type in funny looking letters from an image to prove that they are indeed a human. This allows you to get rid of those annoying looking "type in the letters on this image" images and clean up your forms. Plus the "proving you are a robot" function goes on behind the scenes.
In your CSS file set up a class called ".email_address" that looks like this:
.email_address {
visibility: hidden;
}
The CSS visibility property sets if an element should be visible or invisible. You can assign this to almost all HTML objects, and it is typically used for rollover JavaScripts. However, here you want to assign this class to one of your email form entries:
<input type=text value="Your Email Address" onblur="if(this.value=='') this.value='Your Email Address';" onfocus="if(this.value=='Your Email Address') this.value='';" name="eml" maxlength=80 size=35><br>
<input type=text name="subject" maxlength=80 size=20><br>
Your Message: <textarea name=message rows=8 cols=40></textarea><br>
<input type=submit value="Submit" name="submit"><br>
<input type=text name="email_address" maxlength=80 size=20 class=email_address>
I include the last input entry (the 'hidden' entry) after the submit button because even though it is hidden, the space where it would exist remains, so you would have a gap between your other form entries and the submit button.
Now, when a human fills out this form they should fill everything out except the hidden form entry. Then when it is sent to your php page you would check to see if there is any value in that hidden entry. If there is then you know the user is a spambot or other robot that is just parsing through your code and submitting your form with all the entries filled out, not realizing that one of the entries is actually hidden on the actual web page. Now you have just proven the user is a robot without the user taking time out to prove they are human.
This is only in the theoretical stage so far. I have my php page that handles the variables that are submitted via the form to email me if the hidden form field ever catches something trying to fill it out, but have yet to receive anything. On the other hand, I haven't received any spam yet either.
I imagine spambots and other robots will get smarter in the future and will download a web site's CSS file before parsing the code of a particular site, and thus can check the class properties before determining what to mess with, but there will probably be future ways of encrypting your CSS file and protecting your code as well. Especially if spammers are getting this sophisticated.
Bud
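The server-side half of the hidden-field check described in the post above, as an added example that is not part of the original post or anyone's production code. The field names (eml, subject, message, email_address) come from the form above; the function name classify_submission() and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example: decide what to do with a submission from the form above.
// classify_submission() is a hypothetical helper, not code from the post.

function classify_submission(array $post): string
{
    // A browser still submits a CSS-hidden text input (as an empty string),
    // so a missing key means the request did not come from the real form.
    if (!array_key_exists('email_address', $post)) {
        return 'reject:honeypot-missing';
    }
    // "email_address[]=x" arrives as an array; treat any non-string as filled
    // instead of passing it to trim(), which would throw on PHP 8.
    if (!is_string($post['email_address']) || trim($post['email_address']) !== '') {
        return 'reject:honeypot-filled';
    }
    // The visible box still holding its placeholder text is an incomplete
    // form, not a bot signal, so ask for a retry rather than rejecting.
    $eml = (isset($post['eml']) && is_string($post['eml'])) ? trim($post['eml']) : '';
    if ($eml === '' || $eml === 'Your Email Address') {
        return 'retry:no-address';
    }
    return 'accept';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'       => ['eml' => 'ann@example.org', 'subject' => 'Hi',
                      'message' => 'Hello', 'email_address' => ''],
    'placeholder' => ['eml' => 'Your Email Address', 'subject' => 'Hi',
                      'message' => 'Hello', 'email_address' => ''],
    'form filler' => ['eml' => 'a@example.net', 'subject' => 'x',
                      'message' => 'x', 'email_address' => 'a@example.net'],
    'direct post' => ['eml' => 'a@example.net', 'message' => 'x'],
    'array value' => ['eml' => 'a@example.net', 'message' => 'x',
                      'email_address' => ['x']],
];

foreach ($samples as $label => $post) {
    printf("%-12s %s\n", $label, classify_submission($post));
}
```

Rejected submissions are best answered with the same page a successful one gets, so the sender learns nothing about which field gave it away.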
This seems like a sweet idea! I can't think of any fault to the theory unless a spambot, like you say, checks for the visibility property.
A question, Akismet seems to do a great job, and lets you submit spam/ham to its central DB, is that not an option for you?
Ahh whatever bud who needs thatI don't need that crVIAGRA C1ALLIS PR0N PARIS HILTON CHEAP PHARMCYCHEAP
Ah, good point. I've only really used Akismet to check blog comments, but I suppose they can check your submitted emails from your email form pages as well. I was speaking more from your own web development standpoint. However, I believe all Akismet is doing is checking to see if the submitted email is indeed spam, but a robot could use your form for several other reasons, especially if you have an "Email This Page to friend" page where a user inputs both a "to" & "from" email address and the admin never actually sees the email being sent. All the hidden entry is doing is proving that the user is a human. However, used in conjunction with Akismet, I think you would have an even more robust email form.
LOL Colin. Well, I never said this was a spam filter. Its only purpose is to prove you are not a robot. I mean why even have the "Prove you are a human" silly image letters at all then? Humans can still send spam manually even if they get past the image letters. That's where Akismet would then come in handy I suppose, or write your own script to filter spam words or block all URLs in your comments/emails from your form.
If you already have a login account, why bother proving you are a human or a robot when your comment says "On April 12th, 2007 colin says:". Guess, we already know who you are. If you are logged into a site with a login account and use the email form, the web developer could set it to automatically fill in the 'visible' email address box since the site already knows who you are and what your email address is. But if the user is not logged in then you'd want to know if the user filling in the form is a bot or human.
with one drupal site that i am managing, there was a bot that automatically signed up and started populating all the forms with pr0n. it was SO annoying. hence, the captcha, which I have as a little simple math problem, e.g. what is 1+2? easier than the strange goofy text...
bwahahahaahahahaha!!!
this is some of the funniest, smartest shit talk i've heard lately!
you guys f%^king RULE.
=
w
I checked into Akismet more and it looks like it is only designed to be used as a plugin for your blogging software, which is fine. I use it in wordpress. I guess I was confused because I thought you meant it could be used on our own HTML form pages that we write ourselves. Maybe that is the case, but from what I can tell at akismet.com that is not the case.
No I was confused and thought the form submission was getting posted to your site.
Hey bud I just implemented this in a tool I have here - will let you know how many robot submissions I catch.
So I've caught some submissions! So far so good Bud, thanks.
Excellent. Well, I'm glad someone has received some working results that can prove the theory about how spambots gather information and submit their crap. Now I'm interested in if anyone ever discovers any "smart" spambots that can discover the hidden entry field. I guess that would be hard to ever determine when you suppose that only the humans know not to or physically can't fill in the hidden field. Cool, glad I could offer something that's useful that works.
One other thing I do if you really want to safeguard your email form from spambots is only allow the email form page to be accessed from within your site. At the top of your email.php you could add some code to determine if the page is being accessed only from a link from within your site or externally, or merely typed into a URL bar. If it is from a specific location in your site that you want the page to be accessed from then you would process the info accordingly, but if being accessed externally or if you just type the URL address into the URL bar it will block the info and spit the user back out to the home page or a special "no access" page:
For a Specific page:
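<?php
// The Referer header is optional and set by the client; treat a missing one as external.
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($refer != 'http://colins-site.com/access_page.php' && $refer != 'http://www.colins-site.com/access_page.php') {
    header("Location: http://colins-site.com");
    exit;
}
?>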
For an Entire site:
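<?php
// The Referer header is optional and set by the client; treat a missing one as external.
$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// Compare the parsed host instead of searching the whole string, so a URL
// that merely contains the site name somewhere does not pass.
$host = parse_url($refer, PHP_URL_HOST);
if ($host !== 'colins-site.com' && $host !== 'www.colins-site.com') {
    header("Location: http://colins-site.com");
    exit;
}
?>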
There really is no reason to access your email form page from anywhere except from the page (or your entire site if you have a type of "Email This" link on every page) you want it to come from, so you block out any other type of method it shouldn't be accessed from. Since I haven't received any of my hidden field spam submissions and I work on a couple sites with heavy traffic, I wonder if the above method is blocking the spambots from getting to the form page in the first place, before they can ever submit a form with the hidden field. Colin, you should allow a few more hidden form submissions to come through and get an idea of what kind of spam is coming in, and then add the above code and see if that kills it.
So, what about the spam postings making it onto akgeeks the last few days? Mortgages and calculators oh my!
Those are actually only the tip of the iceberg. The antispam engine (akismet) catches dozens every day. Last night I messed up and made a bunch of you users "spam moderators" but I've undone that so you shouldn't be receiving those mails from www-data anymore.
why not just disable anonymous posting, or put a captcha on it? Drupal has http://drupal.org/project/captcha a standard image captcha plus a simpler math feature. I know that this thread is about not using captchas, but they seem to be somewhat effective, and the framework is already there. People who view blogs, web 2.0 stuff, etc, expect to have to use them.
Akismet does a superb job, I don't see any need for Captcha or anything else as of yet.