When Written: Oct 2013
I had an interesting problem a couple of weeks ago: a web site that we had written some years ago had become the target of spammers. A simple web page on the site enabled users to request further information, and this had worked fine for years, but recently the customer started getting a large number of spam-type requests through it. They rang me and asked what could be done about it because, whilst it was not a huge problem, they felt that there could be a danger of a genuine enquiry email being missed in amongst the hundreds of spammed requests. It was obvious that these requests were being generated by ’bots automatically filling in and submitting the web form.
My first suggestion was to add a CAPTCHA element to the form. You know the sort of thing: it displays a series of characters and numbers as a distorted image that you have to type in. The theory is that only a human can read and make sense of these images, but such is the distortion applied that often users can’t make sense of them, particularly if they have any eyesight problem. Because of this, and because of a mutual deep hatred for such things, my client asked if there was a different solution. I had seen sites where they showed a simple sum and asked for the answer, or showed an image and asked what it was, both of which seemed like possible solutions, but whilst talking to the client I had an idea, and I asked if I could try something out and get back to him.
It occurred to me that these ’bots simply fill in all the fields and then submit the page; perhaps there would be a simple way to confuse them? If we put an extra field on the form that was not used, then hid this field from humans using CSS ‘visibility: hidden’, a user would not see the field and so would not enter anything, whereas a ’bot would be fooled and fill in the field. All we then had to do was test whether this field contained anything; if it did, we could simply ignore the submission, as it must have come from a ’bot. I wasn’t sure if this technique would work, as it depended on the ’bots not using the web page’s style sheet to render. As it turned out, I needn’t have worried, as it worked like a dream: five minutes of coding and the spam submissions stopped and have stayed stopped. A useful technique that you are free to use on your sites; my usual 5% commission applies!
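The server-side half of the hidden-field check described above, as an added example that is not the code from the site in the article. The field name `website`, the form markup and the sample request bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Hypothetical decoy field name; the article does not say what its field was called.
HONEYPOT_FIELD = "website"

# Constructed form fragment. The decoy is hidden with 'visibility: hidden' as in
# the article; tabindex and autocomplete are added assumptions that keep keyboard
# users and browser autofill from putting a value into it by accident.
FORM_FRAGMENT = """
<style>.hp { visibility: hidden; position: absolute; }</style>
<form method="post" action="/enquiry">
  <input name="name"> <input name="email"> <textarea name="message"></textarea>
  <input class="hp" name="website" tabindex="-1" autocomplete="off">
  <button type="submit">Send</button>
</form>
"""

def classify_submission(body: str) -> str:
    """Return 'accept' or 'drop' for a form-urlencoded POST body."""
    # keep_blank_values=True matters: without it an empty decoy field is
    # discarded by the parser and looks the same as a field that was never sent.
    fields = parse_qs(body, keep_blank_values=True)
    decoy = fields.get(HONEYPOT_FIELD)
    if decoy is None:
        # A browser submits a hidden text input even when it is empty, so a
        # body without the decoy did not come from the rendered form.
        return "drop"
    if any(value != "" for value in decoy):
        # Something typed into a field no person can see: the 'bot case.
        return "drop"
    return "accept"

def genuine_enquiries(bodies):
    """Keep only the submissions that should reach the enquiry mailbox."""
    return [b for b in bodies if classify_submission(b) == "accept"]

# Constructed sample request bodies.
HUMAN = "name=Ann&email=ann%40example.org&message=Please+send+a+brochure&website="
BOT = "name=x&email=x%40example.net&message=buy+now&website=http%3A%2F%2Fspam.example"
NO_DECOY = "name=x&email=x%40example.net&message=buy+now"

if __name__ == "__main__":
    for label, body in (("human", HUMAN), ("bot", BOT), ("no decoy", NO_DECOY)):
        print(label, "->", classify_submission(body))
```

Dropped submissions can be given the same "thank you" response as accepted ones, so the sender gets no signal about which field gave it away.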
Article by: Mark Newton
Published in: Mark Newton