An anti comment spam bot technique without using captchas or extra user input

Yesterday I was using a support forum to post some messages, and one of the antispam measures they had was the usual reCaptcha AND another text field to enter the two words next to that field. This means I have to enter 4 words for every post. I don't understand the need for the second field. The forum is not popular at all, with just a few posts belonging to the company's customers. While the forum is public, it's meant for the customers only. Are they getting hit so much by spam bots that the bots cracked reCaptcha and they had to use another field? Highly unlikely. This is adding extra friction for the user. It's bad enough that I have to keep refreshing the reCaptcha to get two legible words.

Here's an idea for an anti-spam-bot measure that uses no captchas and adds no extra work for the user:

First I want to say I don't take any credit for this idea. I read it somewhere a long time ago and have always wondered how many sites use it, given that reCaptcha and other captchas are so ubiquitous these days (unless the sites use both methods, and more; good for them). Technically a spam bot, ignoring the sophisticated ones, which hopefully are rare, is pretty dumb. A spam bot is an automated script or program that visits web sites and follows every link looking for pages that contain forms. Once it finds one, it fills in all the form fields. It pays special attention to textarea fields: the gold nugget. That's usually the post or comment body, where the bot wants to unload its message with the spammy URLs, the URLs the spammers hope users click on, or that exist just to boost their page rank (an SEO practice).

Now you can take advantage of the fact that they blindly fill ALL the form fields. The countermeasure is to add an extra field that has no use to the user and hide it: visually hide it through CSS or JavaScript, for example by giving it "display: none". A dumb bot doesn't know it's hidden and fills it with data as usual. In the code that handles the submission, test that field. If it's not empty, you know the form was filled by a spam bot. If it's empty, you know a human posted the form, because they can't see that field.

Even if the form was submitted by a bot, play innocent: let the form submit successfully and send back a Thank You message without any errors. In the backend, send the form's contents to a black hole! :)
