112 Comments
- riverrunner, on 10/11/2007, -1/+30 This has worked for me also - but I am reluctant to digg it cause the spammers will figure out a way around it if they realize too many people are using it!
- phantom42, on 10/11/2007, -0/+14 i've been using this method for a few months now, and we've yet to get any spam. one suggestion though. instead of applying the class to the input box, create a div/span with the hidden class and give instructions to leave the box blank. this way, users with browsers that don't render css aren't left completely confused.
- phantom42, on 10/11/2007, -0/+9 that works for some types of sites, but requiring flash doesn't work for sites which need to be 508 compliant.
- noahhoward, on 10/11/2007, -0/+8 Bet the deaf people use your site all the time. That is too complicated, the whole point of this method is that you don't inconvenience the user at all but you stop spam. The user shouldn't have to prove they are a user; the spammers should have to prove they aren't spammers.
- jriggall, on 10/11/2007, -0/+8 I've had success with a different method which may not be possible for some of you to implement without server side scripting ability.
First, I assume that since the form is being filled out by a robot that it is going to be submitted rather quickly. When the form is first loaded I set the current time in a hidden form field. When the page is submitted I compare the new current time with the one from the hidden form field and if it took less than 3 seconds from page load to submit then I just disregard the message and don't follow through with the send email script.
This method has cut out nearly 95% of my form spam.
- rodrigomuniz, on 10/11/2007, -0/+7 what about accessibility?
- lollercopters, on 10/11/2007, -4/+11 I don't want to fight spam with CSS. I want to fight counter-terrorists.
- LoudNoise, on 10/11/2007, -0/+6 If I ever saw a flash form, I'd leave the site immediately.
Actually, I would probably be confused as hell, seeing as how I use Flashblock. WHERE DOES THE DATA GO?!
- phantom42, on 10/11/2007, -0/+6 according to w3schools statistics, 6% of users browse with either no javascript support, or javascript disabled. by way of comparison, their statistics put mac users at 3.8% while mozilla (not FF) + opera + safari users total up to 4.4%. that's a large number of people who won't be able to use your form at all.
- coolspray, on 10/11/2007, -0/+6 The spammers could pretty easily find if it has certain attributes (such as visibility hidden). Probably just move on to easier targets though.
- greydiode, on 10/11/2007, -1/+6 Would it help to set the tabindex to -1? Or would the browser skip the input field anyway since it's hidden?
- HarryBauzonia, on 10/11/2007, -0/+5 Thanks for posting this.
I've been looking for something like that.
- FiP0, on 10/11/2007, -0/+5 Even "type in this word" (always the same) is enough:
CAPTCHA effectiveness:
http://www.codinghorror.com/blog/archives/000712.html
"The comment form of my blog is protected by what I refer to as "naive CAPTCHA", where the CAPTCHA term is the same every single time. This has to be the most ineffective CAPTCHA of all time, and yet it stops 99.9% of comment spam. I can count on two hands the number of manually entered comment spams I've gotten since I implemented "
- modernblue, on 10/11/2007, -1/+6 It wouldn't actually make a difference. The tabindex doesn't include hidden elements. Good thought though.
- boxxa, on 10/11/2007, -0/+4 Very good idea for simple spam!
- Cl1mh4224rd, on 10/11/2007, -1/+5 You pretty handily screw over people, like me, who have JavaScript disabled by default...
- willemmulder, on 10/11/2007, -1/+5 so how did you put that comment here without javascript?
- tpv2066, on 10/11/2007, -0/+4 and now every spammer has updated their crawlers to match
- DuctTape31, on 10/11/2007, -1/+5 This looks interesting, i will have to see if i can use it to filter the spam on my photoblog. Anyone know if this will work with the posting in a pixelpost photoblog?
- SmileyChris, on 10/11/2007, -0/+3 So what if people with CSS off/broken type "no"?
(reminds me of Homer causing Lisa to lose due to writing "ok" in the space marked "Do not write under this line")
- inactive, on 10/11/2007, -0/+3 A little bit of text in the division made invisible to most of us by CSS, could explain to those using browsers without CSS to leave the box empty. Actually with a short message making the box invisible wouldn't be strictly necessary.
- emehrkay, on 10/11/2007, -0/+3 change visibility to display: none; so that the hidden input doesn't take up any space. maybe this trick would work for a while
- ElectricSpeed, on 10/11/2007, -0/+3 You can prevent form spam and "read books" with Carnegie Mellon University's reCAPTCHA (http://recaptcha.net/), and you can see a demo here: http://jamesthornton.com/james/contact.html
- aboyd, on 10/11/2007, -0/+3 Not 100% useless, because of variation. Someone wraps the element in a DIV, and sets THAT to hidden. So now the spam script needs to go through the entire hierarchy of the page, to see if any parent's visibility is hidden. Then, you can also use display: none. So now the spam script needs to check for that. Then, you can do it in JavaScript, so now the spam script needs to parse JavaScript too. Then, you can do other "prove you're human" things, such as a field that is 2 + 2 = _____ (fill in the blank). And you can vary that. And so on. There are a million little variations that you can do, and the spammers will have hell trying to catch what every individual on Earth is doing. The idea is simple: customize the trick a little bit to your site, and the spammers have a higher bar to get over not just for you but for everyone else that customized it differently.
- mcm297, on 10/11/2007, -3/+6 This fails for those who don't "browse happy." The best way to deal with spam comments is to do as digg does with the "are you human?" input. When in Rome, do as the Romans do...
- kevsedg, on 10/11/2007, -1/+3 http://www.duggmirror.com/ sorry
- noahhoward, on 10/11/2007, -0/+2 What exactly do you mean? I can't think how this would fail.
- cybe, on 10/11/2007, -0/+2 More great resources:
http://nedbatchelder.com/text/stopbots.html
http://projecthoneypot.org/home.php
- silly110671, on 10/11/2007, -0/+2 "For deaf people I have the option to send a text message over their mobile phone"
I don't know many deaf people with mobile phones... but that's just me.
- eanbowman, on 10/11/2007, -2/+4 You know what? This is damn brilliant.
For all of the lines of PHP I've coded just for this purpose - this is the quickest and likely most effective solution.
This combined with combing comments for malformed HTML and excessive links could be a really great solution.
Thanks for the, "Duh, you should have known!"
- dotlizard, on 10/11/2007, -0/+2 yeah, and when i'm browsing on my PDA, being a human, i recognize the extraneous spambot-catcher fields, and i don't fill them in.
if you really need to dumb it down for PDA surfers, give it a really silly name, and hide some text with that same hiding CSS that 'splains what you're doing. But, most of them can figure it out on their own.
- smackhero, on 10/11/2007, -0/+2 i don't see how that would matter at all to the bot. it'll still see the forum elements and method in the page. it doesn't have to parse any javascript or even html, just use basic regexp pattern matching. you don't honestly think that spambots actually try to parse and render the page do you?
- mcm297, on 10/11/2007, -0/+2 Technically this won't "fail", however for some users who browse using non-CSS compatible browsers, they'll be confused by seeing the extra "special" input element.
- dotlizard, on 10/11/2007, -0/+2 well then, make the label less confusing. say, 'fill in this box if you are a spamming bot, but if you are a human please leave it blank', the label will show whether the css is broken or missing, and hopefully the user can work out that that means not to type in the box.
however i would recommend finding clever synonyms for 'spam', 'bot', etc, because bots trying to bypass this would look for those terms in proximity to the field.
- mraustin1337, on 10/11/2007, -0/+2 Spammers are too lazy to figure out how css works and make their bots understand it. Not only that but you can do this in a lot of ways so if a bot figures out one, do another (perhaps javascript based) and confuse it more. Very very intelligent solution.
- abandonedhero, on 10/11/2007, -0/+2 Did you read his comment? He was addressing the comment regarding using a flash form for commenting and the article. Good try.
- mcm297, on 10/11/2007, -0/+2 <label for="spam_trap">Are you a spammer?</label>
- Otto, on 10/11/2007, -0/+2 That is a good method, but I would also suggest that you filter obviously bad inputs: like anything older than a day, or anything in the future, etc. Comment spammers don't have to pull your form at the same time they submit it.
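The timestamp check jriggall describes, with the bounds Otto suggests and the CSS-hidden trap field discussed in this thread, sketched in Python as an added example (not code from the thread or the linked article). The hidden timestamp is HMAC-signed so a client cannot substitute its own value; `SECRET`, the `token` field name and the function names are assumptions, and `spam_trap` is the field name from the label posted above.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client
MIN_AGE = 3                       # seconds between page load and submit (jriggall's threshold)
MAX_AGE = 24 * 3600               # "anything older than a day" (Otto's bound)
HONEYPOT = "spam_trap"            # the hidden field a human leaves empty


def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for the hidden form field: '<unix time>.<HMAC of that time>'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def check_submission(form, now=None):
    """Return 'accept', or the reason the post should be silently dropped."""
    now = time.time() if now is None else now
    if form.get(HONEYPOT, "").strip():
        return "honeypot filled"
    ts, _, mac = form.get("token", "").partition(".")
    # Constant-time comparison on bytes; rejects missing, edited or forged tokens.
    valid = hmac.compare_digest(mac.encode(), _mac(ts).encode())
    if not (ts.isascii() and ts.isdigit() and valid):
        return "bad token"
    age = now - int(ts)
    if age < 0:
        return "timestamp in future"
    if age < MIN_AGE:
        return "submitted too fast"
    if age > MAX_AGE:
        return "token too old"
    return "accept"
```

A signed token can still be reused until it expires; making it single-use requires keeping server-side state about tokens already seen.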
- btgarner, on 10/11/2007, -0/+2 The method that I have found effective is to simply look for "http://" in the comment, and if it finds it, flag it as inappropriate and tell the person to try again. Since I did this, I have not received a single spam comment on any of the 5 web comment forms that I have up on various sites.
- j3one, on 10/11/2007, -0/+2 http://www.duggmirror.com really sorry
- jasg, on 10/11/2007, -0/+1 u r scum
- j3one, on 10/11/2007, -0/+1 nub FTL
- phantom42, on 10/11/2007, -0/+1 unfortunately, every statistic anyone could pull up is going to be skewed in some way. i would have preferred to get stats from thecounter.com, but for some reason it's not coming up for me from my office.
honestly, the fact that 6% of web developers don't have javascript enabled should be discouraging enough - these are generally the tech savvy people we WANT commenting.
- j3one, on 10/11/2007, -1/+2 But they look so cute in their little blue outfits.. ah screw it, kill the hosties...
- CraigJ, on 10/11/2007, -0/+1 did you read the article? HTML, PHP, CSS...
- Cl1mh4224rd, on 10/11/2007, -0/+1 This is an extremely old technique. Do you really think spammers take their cues based on what makes it to Digg's front page?
- jkramlich, on 10/11/2007, -1/+2 For those who dislike CAPTCHA try HumanAuth ( http://www.gigoit.org/humanauth/ ). Basically you just click on pictures matching a theme to prove you are not a spam bot. It's open source and easily customizable.
- gauthierm, on 10/11/2007, -0/+1 Unless you are using a strong Turing test (ie a CAPTCHA) anyone who wants to automate form submission on your blog will find a way to do it. Obfuscating your form elements is bad for accessibility and is not difficult to detect, or to work-around.
- kiddailey, on 10/11/2007, -0/+1 Why couldn't you, instead of telling the spammer to go away, just pretend like the form actually worked even with the extra field populated? How would the spammer know if it really was sent or not?
- phantom42, on 10/11/2007, -0/+1 not every browser HAS javascript.