Relatively Simple Form Spam Prevention
Form spam happens when a robot automatically fills in your form and submits it.
Has it happened to you, yet? Once it starts, it never quits.
This article presents a method of preventing form spam that is relatively simple to implement (compared to some CAPTCHA and other systems I've seen).
JavaScript is used to detect whether or not the form user is human.
If a click in a form field is detected, human is assumed. Otherwise, the form user is assumed to be software.
Some robots load your form every time, then submit it. Others send their stuff directly to the software your form would otherwise submit to, bypassing your form altogether.
Spiders cruise the 'net looking for forms. When they find one, they report home, where the particulars are put into a database.
And then it starts. You get a spam from your own form. The next day, another. Soon, several a day. Then more often.
Once it starts, it doesn't quit.
Knowing that, you realize it would be good to prevent it from starting in the first place, if you can.
Even if your form is already in spammers' databases, spam might still be blockable.
The method presented here is not as sophisticated as that which Master Form V4 uses. It will, however, work for many forms.
How long it will work depends on several things:
- When spammer spiders are able to parse JavaScript, this method may no longer work. The method does make use of sophisticated routines to prevent that from happening for as long as possible.
- If a spammer should manually inspect your code, it will be vulnerable. While unlikely, it could happen. This method tries to give the spammer no reason to come looking at the source code in the first place.
Are you ready?
A step-by-step for forms not yet compromised is presented first, to protect forms from ever being used to spam. Use this prevention method if your forms are not yet in spammers' databases. (If you're not getting spam from your forms, it is likely that spammers' spiders have yet to find your forms.)
Then, a step-by-step for forms already being used to spam you, to block the spam. It won't work for all forms, but for many it will. This blocking method might also be implemented if the prevention method is bypassed.
The Prevention Steps
When you're done with these prevention steps, this is how it will work.
If the form is used by a human:
- Your form is loaded by a person into their browser. The form's action URL is to a decoy.
- In the process of filling in the form, the person ends up clicking on a form field that, behind the scenes, changes the form's action URL to the correct one.
- The form is submitted to the correct form processing software.
If the form is used by a robot:
- Your form is loaded into its memory by the robot. The form's action URL is to a decoy.
- The form is submitted to the decoy.
Prevention Step 1, the Decoy
The first thing to do is make a decoy.
The decoy will trick the automatic submission robots into thinking everything is okay. We want no flags raised at spammer headquarters that might precipitate an inspection of your prevention code.
The decoy can be a PHP page or CGI script. Whatever is used, it is important that the decoy be a real page or working script, so the robots never encounter a 404, a 500, or any status code other than success.
A PHP page can be a regular web page with a .php extension. Your server will need to be configured to process PHP pages.
If you prefer using a CGI script, something like this 3-liner could work.
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print '<html><body>Thank you!</body></html>';
When your decoy is in place and tested to work correctly, make a note of its URL. You will need the URL in the "prevention" and "blocking" sections, below.
Prevention Step 2, the NOSCRIPT tag
This step is optional. It is a courtesy to implement it.
Near your form's submit button, where it will be prominent for users of JavaScript-disabled browsers, put these three lines:
<noscript>
<h3>NOTE: JavaScript is required to use this form.</h3>
</noscript>
Prevention Step 3, the Human Detector JavaScript
The JavaScript below is used to detect when a human is using the form. It is designed to detect a click in a form field you specify at a later step of this implementation procedure.
If the click is detected, human is assumed. Otherwise, the form user is assumed to be an automatic submission robot.
The JavaScript needs to be customized.
Copy the JavaScript and paste it somewhere in your web page. It can be in the head area or the body area, above or below the form, away from or near the form. Just don't put it within the form itself.
Then, edit the JavaScript.
Alternatively, you can use the generator embedded in the editing instructions, in the 2 steps below, to automatically insert one or both edits before you copy the JavaScript.
Editing instructions:
Prevention Step 4, Marking a Field
There is a function in the human detector JavaScript that needs to be run when a certain form field is clicked. It doesn't matter which field this is, so long as every human who uses the form will click in this field before the form is submitted.
For example, if the email field is a required field, then that would be a good candidate. If your form is a feedback form, the textarea field where they leave a message might also be a good choice.
Whichever field you decide upon, put these attributes into the tag:
onfocus="CL()" onclick="CL()"
For example, if it was an email field, the field might now look something like this:
<input type="text" name="email" onfocus="CL()" onclick="CL()" size="27">
Prevention Step 5, Implement the Decoy
Change your form's action URL to the URL of the decoy.
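As an added example (not the article's own generator output, which is not reproduced on this page), the following JavaScript implements the decoy-to-real switch that Prevention Steps 3 through 5 describe, and that the blocking steps reuse with a renamed handler. The names DECOY_ACTION, REAL_ACTION, setRealAction, attachHumanDetector, simulateSubmission and the form id "contact" are assumptions, and the two URLs are constructed placeholders.

```javascript
// Added example, not the article's generator output. It implements the
// decoy/real-action switch the prevention steps describe. Assumed names:
// DECOY_ACTION, REAL_ACTION, CL, setRealAction, attachHumanDetector,
// simulateSubmission, and the form id "contact". The two URLs are
// constructed placeholders; replace them with your decoy and real handler.

var DECOY_ACTION = "/cgi-bin/decoy.pl";          // placeholder: Step 1 decoy
var REAL_ACTION = "/cgi-bin/handler-renamed.pl"; // placeholder: real handler

// DOM-independent core: point any object that has an "action" property at
// the real handler. Idempotent, so repeated focus/click events are harmless.
function setRealAction(form) {
  if (form.action !== REAL_ACTION) {
    form.action = REAL_ACTION;
  }
  return form.action;
}

// The function the marked field calls via onfocus="CL()" onclick="CL()".
// Returns the form's action after the switch, or null when there is no DOM
// (for example when this file is loaded in Node rather than a browser).
function CL() {
  if (typeof document === "undefined") {
    return null;
  }
  var form = document.getElementById("contact"); // assumed form id
  return form ? setRealAction(form) : null;
}

// Optional: wire the handlers programmatically as well, so the switch still
// happens if the inline attributes are dropped by an editor or a template.
function attachHumanDetector(formId, fieldName) {
  if (typeof document === "undefined") {
    return false;
  }
  var form = document.getElementById(formId);
  if (!form || !form.elements[fieldName]) {
    return false;
  }
  var field = form.elements[fieldName];
  field.addEventListener("focus", function () { setRealAction(form); });
  field.addEventListener("click", function () { setRealAction(form); });
  return true;
}

// Walk through the two paths the article describes, using a plain object in
// place of an HTMLFormElement: a robot loads the form and submits without
// touching any field; a person focuses or clicks the marked field first.
function simulateSubmission(humanTouchedField) {
  var form = { action: DECOY_ACTION };   // what the page ships with (Step 5)
  if (humanTouchedField) {
    setRealAction(form);                 // what CL() does for a person (Step 4)
  }
  return form.action;                    // where the submission will go
}

// Usage in the page (form id and field name are assumptions):
//   <form id="contact" action="/cgi-bin/decoy.pl" method="post">
//     <input type="text" name="email" onfocus="CL()" onclick="CL()">
//     ...
//   </form>
//   <script>attachHumanDetector("contact", "email");</script>
```

The switch is idempotent, so repeated focus and click events are harmless, and because the core logic accepts any object with an action property, both the robot path and the human path can be exercised outside a browser before the page goes live. Using onfocus as well as onclick also covers people who reach the marked field with the Tab key rather than the mouse.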
Prevention Step 6, Testing
Test that everything works as it should.
The Spam Blocking Steps
If your form has already been compromised, it may still be possible to block the spam from continuing. It depends on whether or not everything still works if the file name of your form handling software is changed.
To test it, install a copy of your form handling software with a different name. Make a copy of the web page with the form and change the copy's action URL to the software with the different file name.
If everything works okay with the different form handling software file name, and no other forms use the software with the previous file name, then proceed with the "blocking" implementation.
Blocking Step 1, the Decoy
Follow the instructions for Prevention Step 1, except make the file name and URL of the decoy the same as the one in the compromised form's action URL.
Please understand that when you do this, no form can use that URL as its action except as a decoy. It means that if you change one form that uses the software, you'll need to change them all.
Blocking Step 2, the NOSCRIPT tag
Follow the instructions for Prevention Step 2.
Blocking Step 3, the Human Detector JavaScript
Follow the instructions for Prevention Step 3 except, in the first of the two editing steps, use the action URL of the form you tested with the software under the different file name, not the URL of the form that is compromised.
Blocking Step 4, Marking a Field
Follow the instructions for Prevention Step 4.
Blocking Step 5, Implement the Decoy
Verify that the URL of the decoy is the same as the form's action URL.
Blocking Step 6, Testing
Test that everything works as it should.
Now, tell your friends and business associates about this article. Send them the URL.
Your friends will thank you.
Will Bontrager