Comments on: Prevent Form Spam Without CAPTCHA

By: Danny Mustafic

Danny Mustafic — Mon, 23 Aug 2010 13:56:18 +0000

I like this a lot. Ever since you did this and i have implemented on clients sites, i’m not hearing back from them.

By: nic

nic — Mon, 23 Aug 2010 13:39:09 +0000

@Sunriser that’s what I meant by more elaborate, love it. Anything that gets us away from CAPTCHA is a step in the right direction.

Thanks for the heads up on Six Revisions, that’s great.

By: Sunriser

Sunriser — Mon, 23 Aug 2010 13:25:41 +0000

What I ment was that the “visibility: hidden” can easily be captured by a bot. Assigning some css to it is harder to capture I believe, especially if there is no attribute “visibility: hidden” or “display:none” in that class. For example, if your form has a black background, you could have this class assigned to the input field:
.specialclass{
width: 1px;
border: 0px;
background-color: #000000;
}

The activity on this post is thanks to sixrevisions, who posted this article on twitter

By: nic

nic — Mon, 23 Aug 2010 13:06:41 +0000

Thanks all for the comments, I hadn’t seen activity on this post in a while.
I agree that this is a very simplistic approach, but it was intended as a starting point for other ideas. And it seems that it worked as many of the proposed improvements sound very interesting.

@Sunriser that is exactly what this is doing, the field is not of hidden type, it’s in essence “blending” with the design. I’d really like to see some variants where the blending is more elaborated.

By: Sunriser

Sunriser — Mon, 23 Aug 2010 12:20:55 +0000

I agree with baha. Just a matter of days before bots are adapted to ignore the hidden fields. I also agree that we should search for alternatives!
Just a thought: perhaps assigning a class to the input field so the input field is not “hidden” in script, but hidden for a human user: extremely small or styled to blend in with the design?

By: Max Luzuriaga

Max Luzuriaga — Sun, 22 Aug 2010 23:26:26 +0000

Nice! Really smart idea, would love to see how this affects real-life spambots…
Max Luzuriaga recently posted..The Web From a Child’s Perspective

By: Ast Derek

Ast Derek — Sun, 22 Aug 2010 23:21:55 +0000

If you wanted to avoid target-specific scripts, you could encrypt the field names, use javascript/css to target the hidden fields (or the visible ones), and send a timestamp/identifier to validate the input fields.

Encrypt the fields using a secret key, a timestamp, and the name of the field. Propagate the timestamp to be able to check the name of the field, and if invalid names are retrieved, or the incorrect fields are filled, consider it as a bot.

By: Ray

Ray — Sat, 05 Dec 2009 17:58:07 +0000

Smart, simple and I will use it
thanks

By: Chris

Chris — Wed, 28 Oct 2009 13:55:21 +0000

Excellent simple idea, just implemented it on my site, will see how it goes. Cant Stand CAPTCHA’s so glad to try any alternative!!

By: nasj2009

nasj2009 — Mon, 07 Sep 2009 09:48:23 +0000

This is not effective if the spammer used something like iMacros