[PJUG Javamail] Captcha and Simple web form submission

Vijay Balakrishnan bvijaykr at gmail.com
Mon Feb 2 04:18:08 UTC 2009


Hi,

Thanks, Bill for replying back.

This is what I found after googling. I will be trying the CSS hidden field
approach.

http://urbanoalvarez.es/blog/2008/08/23/best-unobtrusive-anti-spam-technique-not-captcha/

Add CSS-hidden fields that a user won't see, but a spam-bot will fill. Then
using php check if they were filled, and if they were: block the spammer!

The CSS would be something as simple as:


.noshow { display:none; }


The HTML form should include something like this:


<label for="leaveblank">Leave this blank</label>
<input type="text" class="noshow" id="leaveblank" name="leaveblank" />
<label for="dontchange">Do not change this</label>
<input type="text" value="http://" class="noshow" id="dontchange" name="dontchange" />


And finally the php would be simply:


if ($_POST['leaveblank'] == '' && $_POST['dontchange'] == 'http://') {
 // accept form submission
}


The only possible drawback would be that some users with CSS disabled would
see the "hidden" form fields, and thus would be quite puzzled.
The good thing is that the percentage of users with CSS disabled is so
low that I wouldn't even care about that issue.


Another way I was thinking about was to position it under the real form
elements using negative top margin. For example under the field Name, we
could place another field that shouldn't be filled…

Hiding your form field with display:none; may not be ideal, lots of bots
will not fill anything with display:none; since they figure if you don't
want visitors to see it, then they don't need to either… Kinda the way input
type=hidden works.

Maybe use a negative margin on the input you want to hide instead?

Maybe an even better way to counter this would be to actually show the field
and ask the user not to enter anything here!!! This way, the "human" genuine
user does not enter anything in that field while the bot does!

My latest approach takes a couple of hashes and a random number. I hash
their IP and the random number together, then I hash their user agent. Since
most bots don't actually have to use your form for submission, it's a good
idea to try and make your handler force submission through your form. I hash
their user agent because that changes when they start implementing the bots
too. It has to be exactly the same for it to match for a hash. I also flush
the email if I get an empty user agent. In addition I pass the hashes via
GET and the random number via POST.

Vijay

On Fri, Jan 30, 2009 at 5:12 PM, Vijay Balakrishnan <bvijaykr at gmail.com> wrote:

> Hi,
>
> I have a simple web form with 5 input boxes and when it is submitted, an
> email is sent to the receiver.
> Now, we get a ton of spam from these forms.
>
> Captcha (Yahoo) was recommended as a solution but it is very intrusive and
> forces the user to enter an input textfield that has nothing to do with
> their business purpose.
> Has anyone done any other solutions?
>
> TIA,
> Vijay
>
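
The honeypot check and the hash-based form token from the message above, as an added PHP example that is not code from the post or the linked blog. It folds the two hashes into one HMAC keyed with a server-side secret (an assumption; the post mentions no secret), and FORM_SECRET, the nonce/token field names and both function names are hypothetical.

```php
<?php
// Added example (not from the post). FORM_SECRET, the 'nonce'/'token' field
// names and both function names are assumptions made for illustration.
const FORM_SECRET = 'replace-with-a-long-random-server-side-value';

// Form rendering: 'nonce' goes in a hidden POST field, 'token' in the
// query string of the form's action URL.
function issue_form_token(string $ip, string $userAgent): array
{
    $nonce = bin2hex(random_bytes(16));
    $token = hash_hmac('sha256', "$nonce|$ip|$userAgent", FORM_SECRET);
    return ['nonce' => $nonce, 'token' => $token];
}

// Form handler: true only when the honeypot fields are untouched and the
// token matches this client's IP and user agent.
function is_acceptable_submission(array $post, array $get, string $ip, string $userAgent): bool
{
    if ($userAgent === '') {
        return false; // empty user agent: drop the mail, as the post does
    }
    // ?? turns a missing field into a rejection instead of a PHP notice;
    // !== avoids loose comparison and rejects array-valued fields.
    if (($post['leaveblank'] ?? null) !== '' || ($post['dontchange'] ?? null) !== 'http://') {
        return false;
    }
    $nonce = $post['nonce'] ?? '';
    $token = $get['token'] ?? '';
    if (!is_string($nonce) || !is_string($token) || $nonce === '') {
        return false;
    }
    $expected = hash_hmac('sha256', "$nonce|$ip|$userAgent", FORM_SECRET);
    return hash_equals($expected, $token); // constant-time comparison
}

// Constructed sample data (documentation IP range, made-up user agents).
$ip = '203.0.113.7';
$ua = 'Mozilla/5.0 (constructed sample)';
$t = issue_form_token($ip, $ua);
$ok = ['leaveblank' => '', 'dontchange' => 'http://', 'nonce' => $t['nonce']];
$filled = ['leaveblank' => 'x', 'dontchange' => 'http://', 'nonce' => $t['nonce']];
$get = ['token' => $t['token']];

var_dump(is_acceptable_submission($ok, $get, $ip, $ua));           // genuine submission
var_dump(is_acceptable_submission($filled, $get, $ip, $ua));       // honeypot filled in
var_dump(is_acceptable_submission($ok, $get, $ip, 'OtherAgent'));  // user agent changed
var_dump(is_acceptable_submission($ok, [], $ip, $ua));             // posted without the form
```

The token carries no expiry, so a captured nonce/token pair stays valid for the same IP and user agent until FORM_SECRET changes.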