Form spam happens when a robot or other remote software
automatically fills in the fields of your form and submits
it.
Has it happened to you yet? Once it starts, it never quits.
This article presents a method of preventing form spam that
is relatively simple to implement (compared to some CAPTCHA
and other systems I've seen).
JavaScript is used to detect whether or not the form user
is human.
If a click in a designated form field is detected, human is
assumed. Otherwise, the form user is assumed to be software.
Some robots load your form every time, then submit it.
Others skip the form altogether and post their stuff directly
to the URL your form submits to (the form's action URL).
Spiders cruise the 'net looking for forms. When they find
one, they report home, where the particulars are put into a
database.
And then it starts. You get a spam from your own form. The
next day, another. Soon, several a day. Then more often.
Once it starts, it doesn't quit.
Knowing that, you realize it would be good to prevent
it from starting in the first place, if you can.
Even if your form is already in spammers' databases, spam
might still be blockable.
The method presented here is not as sophisticated as that
which Master Form V4 uses. It will, however, work for many
forms.
How long it will work depends on several things:
A robot that executes JavaScript and fires click events in
form fields will pass the human test, so when spammers'
spiders start doing that, this method may no longer work.
The script uses routines intended to defeat such parsing
for as long as possible.
If a spammer manually inspects your page source, the method
is defeated: the real action URL has to be in the JavaScript,
and anyone who reads the source can submit to it directly.
While unlikely, it could happen. This method tries to give
the spammer no reason to come looking at the source code in
the first place.
Are you ready?
A step-by-step for forms not yet compromised is presented
first, to protect forms from ever being used to spam. Use
this prevention method if your forms are not yet in
spammers' databases. (If you're not getting spam from your
forms, it is likely that spammers' spiders have yet to find
your forms.)
Then, a step-by-step for forms already being used to spam
you, to block the spam. It won't work for all forms, but for
many it will. This blocking method might also be implemented
if the prevention method is bypassed.
The Prevention Steps
When you're done with these prevention steps, this is how it
will work.
If the form is used by a human:
Your form is loaded by a person into their browser.
The form's action URL is to a decoy.
In the process of filling in the form, the person
ends up clicking on a form field that, behind
the scenes, changes the form's action URL to the
correct one.
The form is submitted to the correct form processing
software.
If the form is used by a robot:
Your form is loaded into its memory by the robot.
The form's action URL is to a decoy.
The form is submitted to the decoy.
Prevention Step 1, the Decoy
The first thing to do is make a decoy.
The decoy will trick the automatic submission robots into
thinking everything is okay. We want no flags raised at
spammer headquarters that might precipitate an inspection
of your prevention code.
The decoy can be a PHP page or CGI script. Whatever you use,
it must be a real page or working script that answers with a
success status (HTTP 200) and a page that looks like a normal
"message sent" reply. A 404, a 500, or any other failure
status is exactly the flag we want the robots never to see.
The decoy should simply discard whatever is posted to it; it
must not email or store the submission.
A PHP page can be a regular web page with a .php extension.
Your server will need to be configured to process PHP pages.
If you prefer a CGI script, a script of only a few lines
that prints a content-type header followed by a short
success page is enough.
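Here is a decoy written in Node.js. It is an added example, not the article's own code (the article suggests a PHP page or a CGI script; this does the same job as a small standalone server). It answers every request, whatever the method or path, with HTTP 200 and a page that reads like a normal "message sent" reply, drains and discards the posted body, and keeps a hit counter so you can watch how often robots arrive. The port and the path name are placeholders. The same script, served at the compromised action URL, is what Blocking Step 1 calls for.

```javascript
// Added example: a decoy form handler in Node.js. Not the article's code;
// an equivalent of the PHP page or CGI script it suggests.
// Every request gets HTTP 200 and a success-looking page. The submitted
// data is read and thrown away. Nothing is emailed or stored.

let decoyHits = 0;      // in-memory only; resets when the process restarts
let lastHit = null;     // { n, method, path } of the most recent request

// Page returned to everyone who submits to the decoy. It must look like
// success, so the robot reports "delivered" and nobody at spammer
// headquarters is prompted to look at your page source.
const SUCCESS_PAGE =
  '<!DOCTYPE html><html><head><title>Thank you</title></head>' +
  '<body><p>Thank you. Your message has been sent.</p></body></html>';

// Builds the reply for one request. The status is 200 regardless of
// method or path: never 404, 405 or 500, which would raise a flag.
function decoyResponse(method, path) {
  decoyHits += 1;
  lastHit = { n: decoyHits, method, path };
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: SUCCESS_PAGE,
  };
}

function getDecoyHits() { return decoyHits; }
function getLastHit() { return lastHit; }

// Drains a request body without parsing or keeping it. Robots post
// arbitrary data; the decoy never looks at it, so nothing to inject into.
function discardBody(req) {
  return new Promise((resolve) => {
    req.on('data', () => {});
    req.on('end', resolve);
  });
}

// Starts the decoy on the given port. The http module is loaded with a
// dynamic import so the file works whether run as CommonJS or ESM.
async function startDecoy(port) {
  const http = await import('node:http');
  const server = http.createServer(async (req, res) => {
    await discardBody(req);
    const reply = decoyResponse(req.method, req.url);
    const hit = getLastHit();
    console.log(`decoy hit #${hit.n}: ${hit.method} ${hit.path}`);
    res.writeHead(reply.status, reply.headers);
    res.end(reply.body);
  });
  server.listen(port, () => console.log(`decoy listening on port ${port}`));
  return server;
}

// Only serve when asked to, e.g.  DECOY_PORT=8081 node decoy.js
// (port 8081 is a placeholder; put the decoy wherever your form's
// action URL will point).
if (process.env.DECOY_PORT) startDecoy(Number(process.env.DECOY_PORT));
```

Run it with a DECOY_PORT set, proxy the decoy URL to it (or adapt the three pieces, 200 status, success page, discarded body, to whatever your server already runs), and post to it by hand before going further: the reply must look like success from the robot's side. Watching the hit counter in the log is also the cheapest way to learn whether your form is already in a spammer's database.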
When your decoy is in place and tested to work correctly,
make a note of its URL. You will need the URL in the
"prevention" and "blocking" sections, below.
Prevention Step 2, the NOSCRIPT tag
This step is optional. It is a courtesy to implement it: a
person whose browser has JavaScript disabled never triggers
the action swap, so their submission goes to the decoy and
is lost, and they deserve to be told.
Near your form's submit button, where it will be prominent
for users of JavaScript-disabled browsers, put a NOSCRIPT
block with a short notice that the form needs JavaScript.
Prevention Step 3, the Human Detector JavaScript
The JavaScript below is used to detect when a human is using
the form. It is designed to detect a click in a form field
you specify at a later step of this implementation procedure.
If the click is detected, human is assumed. Otherwise, the
form user is assumed to be an automatic submission robot.
The JavaScript needs to be customized.
Copy the JavaScript and paste it somewhere in your web page.
It can be in the head area or the body area, above or below
the form, away from or near the form. Just don't put it
within the form itself.
Then, edit the JavaScript. There are two edits; the first
is the URL of your real form handling software, which the
script substitutes for the decoy URL when the click is
detected.
Editing instructions:
Prevention Step 4, Marking a Field
There is a function in the human detector JavaScript that
needs to be run when a certain form field is clicked. It
doesn't matter which field this is, so long as every human
who uses the form will click in this field before the form
is submitted.
For example, if the email field is a required field, then
that would be a good candidate. If your form is a feedback
form, the textarea field where they leave a message might
also be a good choice.
Whichever field you decide upon, put this attribute into the
tag:
onclick="CL()"
For example, if it is the email field, the attribute goes
into that field's input tag, alongside its type and name
attributes.
Prevention Step 5, Implement the Decoy
Change your form's action URL to the URL of the decoy.
Prevention Step 6, Testing
Test that everything works as it should.
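The following puts Steps 2 through 6 together. It is an added example, my own script rather than the article's (the page does not reproduce its script), but it keeps the article's convention: a function CL(), called from onclick="CL()" on one marked field, swaps the form's action from the decoy to the real form handling software. The two URLs and the form name are placeholders, and the NOSCRIPT wording is mine. Besides the browser wiring it models the two visitors from the overview above, the spider that scrapes the action attribute from the HTML and the person who clicks, so the test in Step 6 can be run without a browser.

```javascript
// Added example of the human detector the article describes. Not the
// article's script; it follows the article's CL() / onclick="CL()"
// convention. URLs and the form name are placeholders.

const DECOY_ACTION = '/decoy.php';               // placeholder: Step 1 decoy
const REAL_ACTION = '/cgi-bin/formhandler.cgi';  // placeholder: real handler
const FORM_NAME = 'contact';                     // placeholder: your form's name

// The form as served (constructed sample). Its action is the decoy
// (Step 5), the email field is the marked field (Step 4), and the
// NOSCRIPT notice is the courtesy of Step 2.
const FORM_HTML = `
<form name="${FORM_NAME}" method="post" action="${DECOY_ACTION}">
  Email: <input type="text" name="email" onclick="CL()">
  Message: <textarea name="message"></textarea>
  <noscript><p>JavaScript must be enabled to send this form.</p></noscript>
  <input type="submit" value="Send">
</form>`;

// Marks a form as human-driven by pointing it at the real handler. Works
// on a DOM form or on any object with an "action" property, so it can be
// exercised outside a browser. Returns the action the form now has.
function markHuman(form) {
  form.action = REAL_ACTION;
  return form.action;
}

// The function the onclick="CL()" attribute calls (browser only).
function CL() {
  const form = document.forms[FORM_NAME];
  if (form) markHuman(form);
}

// What a non-JavaScript spider learns from the page: it scrapes the
// action attribute out of the HTML and files that URL. Since the HTML
// carries the decoy, the decoy is all it ever records.
function spiderHarvestAction(html) {
  const m = html.match(/<form\b[^>]*\saction="([^"]*)"/i);
  return m ? m[1] : null;
}

// Model of one visit. A human enters the marked field before submitting;
// a robot fills the fields and posts to whatever action it harvested,
// never clicking anything. Returns the URL the submission goes to.
function simulateSubmission(visitor) {
  const form = { action: spiderHarvestAction(FORM_HTML), fields: {} };
  form.fields.email = visitor.email;
  form.fields.message = visitor.message;
  if (visitor.entersMarkedField) markHuman(form);
  return form.action;
}

// Browser wiring. Keyboard-only users tab into fields and never fire
// "click", so in addition to the onclick attribute this also marks the
// form on "focus" of the marked field (my refinement, not part of the
// article's method). Does nothing outside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const form = document.forms[FORM_NAME];
    if (form && form.elements.email) {
      form.elements.email.addEventListener('focus', CL);
    }
  });
}
```

For the live test, load the page, submit once without touching the marked field and confirm the decoy's thank-you page comes back, then submit again after clicking in the field and confirm the real software received it. Keep in mind what the page source gives away: REAL_ACTION is right there, so a spammer who reads the source, or a robot that runs the script and dispatches a click, gets through, exactly the limits the article lists above.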
The Spam Blocking Steps
If your form has already been compromised, it may still be
possible to block the spam from continuing. It depends on
whether everything still works after you rename your form
handling software, giving it a different file name and URL.
To test it, install a copy of your form handling software
with a different name. Make a copy of the web page with the
form and change the copy's action URL to the software with
the different file name.
If everything works okay with the different form handling
software file name, and no other forms use the software
with the previous file name, then proceed with the "blocking"
implementation.
Blocking Step 1, the Decoy
Follow the instructions for Prevention Step 1, except make
the file name and URL of the decoy the same as the one in
the compromised form's action URL.
Please understand that when you do this, no form can use
that URL as its action except as a decoy. It means that if
you change one form that uses the software, you'll need to
change them all.
Blocking Step 2, the NOSCRIPT tag
Follow the instructions for Prevention Step 2.
Blocking Step 3, the Human Detector JavaScript
Follow the instructions for Prevention Step 3 except, in the
first of the two editing steps, use the URL of the renamed
form handling software (the one you tested above), not the
compromised URL.
Blocking Step 4, Marking a Field
Follow the instructions for Prevention Step 4.
Blocking Step 5, Implement the Decoy
Verify that the URL of the decoy is the same as the form's
action URL.
Blocking Step 6, Testing
Test that everything works as it should.