digg

Facebook Connect Join Digg About

Preventing SPAM without using a CAPTCHA

freecodesnippet.com — I hate CAPTCHAs because it discourages lots of users(specially in impulsive mood) if they make a single mistake on first try. Here is how I tackle SPAM attacks on the comment form of my blog without using a CAPTCHA. You can use this technique for any kind of form on your website.

Who dugg this? Made popular Oct 16, 2007

Add a friend

submitted by

freecodesnippet Oct 16, 2007

1241 diggs
digg

180 Comments

Dynamoo, on 10/29/2007, -2/+120One way to prevent spam.. have your site fall over at the first sign of any traffic.
neokoenig, on 10/31/2007, -1/+49This is quite an old idea now, but if used in conjunction with a few other techniques can be good;

I set the time NOW() in a form field and check that the form when submitted is older than 3 seconds, but younger than say 8 hours; that way Spammers can't Cache the form; I also check for the server name being submitted in the Post request; if it's not what I expect, throws an error; again, stops spammers caching the form and submitting the post request from another machine; Add the above technique, and it does help.
swordedge, on 10/20/2007, -2/+49This probably works slightly better than captcha but neither method really works well. What spammers are doing with Captcha is very clever. They own porn sites. When they have their members log in, they display a yahoo captcha to the member. They use the response to create a spam email account.
The method used does involve text and anything involving text, can be seen by the spam bot. It is only a matter of time before they get wise to this trick.... assuming they haven't done so already.
yokes, on 10/17/2007, -5/+45A crashed server is an ingenious method to defeat spam comments.
shockingbird, on 10/30/2007, -3/+34If it goes down again:

This article is based on a simple fact that spam-robots are so dumb they usually put their grand father (their developers) to a shame.
FTA:

Concept:
For people who don’t know this trick already, here is how you do it:
1. Add an input field to your form, with some interesting name, for example ‘URL’.
2. Hide the input box using css so that users(genuine) cannot see it directly.
.style1 {
display: none;
}
3. While processing the form check if the “url” contains any value. If it does, reject the post or put it for moderation.
if (strlen(trim($_POST['url'])) > 0){
//It is a spam, reject this post here
}
4. Didn’t get it? Why this works? Well, it works simply because geniune users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots can.
exomni, on 10/23/2007, -3/+33I just wish that CAPTCHA was slightly more lenient. I mean, if I mess up just one of the letters in a five letter CAPTCHA, I've still proved well enough that I'm not a robot.
funkytaco, on 10/23/2007, -1/+30Ah, I see. The old suspended.page trick.
writh3n, on 10/17/2007, -4/+27speaking of which, I did use it and has been working as close to perfect as one could want for almost a year. Thanks a lot for putting this on digg dick.
dcbebop, on 10/17/2007, -4/+23Smart but only a matter of time before spam bots start to parse html/css docs more intelligently. Any decent coder could have a patch workaround for this in a week or less.
roosterjm2k2, on 10/22/2007, -1/+14Correct, if you're one of the big sites, then there is nothing you can really do to stop it.

However, if you're part of the other 99.9999999999 percent of the internet, then it can be quite useful. There are tons of sites which get great deals of traffic and are still very much "undiscovered" ...

Will this solution stop ALL spam, probably not, but neither does captcha systems, however, this way is much more user friendly, so it takes the win in most circumstances.
spamzor, on 10/22/2007, -5/+18If you wrote a script for that site it would do absolutely nothing to stop a spam bot, so on a blog like that where no one goes it's useful, for a site like youtube useless because people will make the effort to hard code specific scripts to get around little things like this.
jchrome, on 10/17/2007, -6/+18Only a complete doofus would surf the web with a cli browser. Never speak of this again.
inactive, on 10/23/2007, -4/+16Captchas are annoying.

Especially the ones that really morph the letters and numbers to the point where you can't tell what the ***** it is.

Then the idiots who implement it have the gall to say, "4 more tries!"
DarkPrincess74, on 10/23/2007, -2/+13So of the 5 people that saw it, what was it?
DelvarWorld, on 10/23/2007, -1/+12WARNING ABOUT THIS METHOD:
This particular way of filtering spam will also prevent visually impaired people with screen readers from posting ( the screen reader won't know the field should be hidden) as well as anyone browsing with CSS disabled. It also won't prevent human spammers (which are becomming more common) from posting.
karipatila, on 10/16/2007, -2/+13This is nothing new, and it works only if the spammer isn't industrious enough to actually take a look at the form himself.
exomni, on 10/23/2007, -1/+11It is a good idea, until you spread it around.

If I came up with this I'd keep it absolutely secret, or copyright it and sell it to some big website behind closed doors.

The fact is, once many people are using this and it's all around, spammers will catch on and work their way around it.
inactive, on 10/23/2007, -0/+9Most hosts charge for bandwidth. It's usually the most expensive part of any hosting service.
DominicNeagle, on 10/18/2007, -0/+8http://www.omgpotato.com/2007/07/12/transparent-ef ...

That method isn't bad. If the browser doesn't support CSS, and the form is displayed, the user will simply see the words "Leave this field blank". If that confuses you, you probably shouldn't be on the internet.

;)
RichGC, on 10/17/2007, -2/+9I keep hearing this, but im wondering if its just a hoax or pure speculation...

Have you seen this in reality ? If so please provide a link to the site where this is happening.
bovilexia, on 10/16/2007, -3/+10 1. Add an input field to your form, with some interesting name
2. Hide the input box using css so that users(genuine) cannot see it directly.
3. While processing the form check if the “url” contains any value. If it does, reject the post or put it for moderation.
4. Didn’t get it? Why this works? Well, it works simply because geniune users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots can.
ixxy, on 10/23/2007, -5/+12And captchas are?
credence, on 10/16/2007, -1/+7Sure, but even that could be hard coded if a spammer takes the time to answer the random questions that are offered. He just saves those values, checks to see what the current question is and returns that exact answer.
B0SS, on 10/17/2007, -2/+8what if someone wants to launch a direct spam attack to your website?
bluesnowmonkey, on 10/16/2007, -0/+6It could get pretty complicated. You would have to implement practically the entire CSS spec just to know if the field is visible. It might have a "display:none" or "left:-1000px" or anoher element obscuring it or any number of trick to hide it. Don't forget to parse all tags, linked stylesheets, and inline styles. Now implement Javascript because the form could be modified on the fly or even generated from scratch with document.write(). There are so many tricks to stop bots that a normal user would not even notice. I don't know why anyone bothers with captchas.
roosterjm2k2, on 10/16/2007, -2/+8Not to say that I was copied, as im sure others have had the same idea, even before me, but this is old hat to me, thought of it a while ago...

http://www.omgpotato.com/2007/07/12/transparent-ef ...
GreenAlien, on 10/16/2007, -0/+6"Just saying what everybody is thinking"
No, just you and a select few. Anyone with half a brain isn't thinking this because it's utter *****.
koweja, on 10/16/2007, -0/+6That is, genuine users who are using a browser that uses CSS. Those without CSS or who have it disabled for whatever reason will still see it, so you have to make it clear that they should leave it alone. That way it'll just make the page look odd (with a box you shouldn't touch), but not cause accessibility problems.
BassJunkie, on 10/16/2007, -0/+6So it that the spam defense??
sl9sl9, on 10/16/2007, -0/+5Since most spammers are using huge botnets of hijacked machines, bandwidth isn't really a problem for them.
amphoterous, on 10/17/2007, -0/+5Or... have you proved that you're not enough human?
neoform, on 10/17/2007, -0/+5There's no real point in explaining this to digg users. Almost none of them are web programmers, those that are should (if they're any good) already know all this.
h4ppydotcom, on 10/16/2007, -0/+5I don't think so... a robot with image recognition should be able to get an 80% hit rate without too much effort. It's getting to 100% that's difficult.
CMiYC, on 10/16/2007, -3/+7This will only work until the robots get smart enough to check the CSS... until then though, it is a nice solution.
neokoenig, on 10/16/2007, -1/+5But the ultimate problem with Captcha is still that it's inaccessible to assisted technologies; I don't think a braille reader uses javascript, so by using that technique, you're still ultimately saying "blind people can't use this form"...
isntreal, on 10/17/2007, -2/+6more like 15 minutes
inactive, on 10/16/2007, -11/+15What a great way to prevent spam. I would have never thought of this myself. Thanks for hours saved sifting through garbage.
Ignotus, on 10/16/2007, -1/+5"This Account Has Been Suspended. Please contact the billing/support department as soon as possible."
Yep, that works too.
foobr, on 10/16/2007, -1/+5ok so Javascript a CLIENT side language fills in the captcha for the user. So in order for it to do that you must supply it with the answer. As it is CLIENT side you must then send the answer CLIENT side in order for it to be available to Javascript. This defeats the entire purpose of the captcha. Rather than beating the captcha the spammer can just write a script to grab the solution from the same place as your Javascript does.

Your solution has much fail am afraid....
MellerTime, on 10/16/2007, -0/+4That's kinda the point. No, it's not hard to get around this, but the vast majority of spam bots running are just trying to hammer as much stuff into as many sites as possible. Given that goal, it wouldn't be worth the bot owner's time to specialize his bot to any individual site in most cases.

As with anything else, you're playing the odds. Odds are this is going to cut out 99+% of your spam, but it's not a 100% cure, as with anything.
phibit, on 10/16/2007, -0/+4Yeah, Diggnial Of Service is a great way to protect against spam!
neoform, on 10/17/2007, -3/+7Any spammer that has any knowledge at all will be able to overcome this "spam blocking" technique *very* easily.

Captchas are far more difficult to beat.
inactive, on 10/16/2007, -0/+4Nice idea, but now that this idea has been submitted to the entire world, spammers only need to update their bots to look for CSS which hides any box and ignore it.
antdude, on 10/16/2007, -2/+6http://duggmirror.com/programming/Preventing_SPAM_ ... for referrer blockers.
indicas, on 10/16/2007, -0/+3Bandwidth is extremely cheap. One dedicated box could handle 1500+gb a month of transfer, which is plenty.

If this catches on more, it will be broken without a doubt.
Dustin00, on 10/16/2007, -0/+3So move it out of the CSS.

Create an onload event that sets a value that then trips the visibility of that field later in the page.
liaml, on 10/17/2007, -1/+4How about a disabled user with a screen reader?

Unless the form input was labelled appropriately, people using screen readers might fall foul of this method.
Otto, on 10/16/2007, -2/+5Time-honored method? Jesus, people, CAPTCHAS DON'T WORK. They're incredibly easy to circumvent. Sure, if you're trying to block a registration form, then yes, they work fine. But if you're allowing anonymous comments, then CAPTCHAs will prevent spam, but they also prevent REAL people from commenting. Your comment level drops *way* down when you implement a CAPTCHA, or even the simple math problems.

You don't want to stop comments. You want to stop SPAM. Use a proven method, like Akismet or some other spam filtering solution. These work virtually 100% and don't require users to learn your tricky nonsensical system, so you don't lose comments.
neokoenig, on 10/16/2007, -2/+5Yep, you may well be right; but a braille reader can't read a graphic
stomachache, on 10/16/2007, -1/+4Instead of using CSS, wouldn't JavaScript be a safer approach? I mean, JavaScript is not declarative and writing a bot to interpret code would be, I would say, a bit more complex than parsing CSS declarations.
Show 51 - 100 of 180 discussions
Add a Comment

Login or register to comment!
Or, sign-in super fast with your Facebook account ...

Site Links: Home; Take a Tour; Search Digg; Digg Mobile; RSS Feeds; Popular Archive

Help: Frequent Questions; How Digg Works; Report a Website Bug

All About Digg: About Us; Contact Us; Community Guidelines; The Digg Blog; Digg Townhalls & Meetups; Jobs at Digg; Advertise on Digg; Diggnation Podcast

Digg Store: Get hats, shirts, hoodies, stickers, and more at the Digg Store.

Digg Tools & API: All Digg Tools; DiggBar Tools; Firefox Toolbar; Twitter Feeds; Add Digg to Google; Netvibes Widget; Integrate Digg Buttons; Digg Badges; Make a Digg Widget; API for Developers

Digg Dialogg!: Digg Dialogg lets you choose the questions.

Digg Labs: Get a real-time view beneath the surface of Digg.; Digg Labs Home; Arc, Swarm, Stack, Bigspy, Pics

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.