jurian sluiman


Prevent spam messages without extra steps for the user

CAPTCHAs are a well-known way to distinguish users from automated scripts, so-called bots, that fill in forms on the internet automatically. Over time, however, the bots get smarter and can read the CAPTCHAs too, while the CAPTCHAs have become unreadable for humans.

This article (available only in English) is about a better way to prevent spam. Users notice nothing, but bots can easily be detected. Read on to find out how to achieve this!

The working principle

You'll probably ask how to get this working. That's pretty simple: just hide it. CSS is the perfect tool to style your websites, and with CSS you can hide anything you want. When you have a form with two almost identical fields ("name" and "spam", for example), the former is visible and the latter is hidden by a CSS rule "display: none;". This is the principle my solution is based upon.

Of course it will be simple for a bot once it knows that your "spam" input field should be left blank. Therefore you can use PHP to get to a more advanced level. A bot will determine the fields by id or name, so you should obfuscate those. Instead of naming them "name" and "spam", generate two random strings: one for the "name" field and one for the "spam" field. Save them in the session as well, so after a form submit you know which one is the real field and which one should have been left blank. And of course regenerate those two strings each time your form is displayed.

This is the basic version, and it works fine for me. I am updating my blog with this principle now (testing the new code is the only thing left to do) and I won't get spam messages anymore. I used it with other systems before as well, and those didn't get any spam messages at all.

A very big advantage is that the user doesn't have to give more input than needed. If you need a name and a message, the user fills in just those. No need to decipher a CAPTCHA or anything like it! The argument against it might be that it doesn't work for text-based browsers and perhaps not properly for disabled users with a special web browser. But as far as I know, special web browsers are nowadays pretty advanced and can render websites with CSS, so their users are still able to submit a form to ask a question or the like.

Even some more advanced usage

My website doesn't get many visitors, but if yours does, bots might be able to get past your barricade. I'm hiding my spam field with a simple class "hidden", and I always keep a consistent order of my fields. Bots can count them and leave the second input blank.

Those two things can be obfuscated as well (it's always obfuscation; there is no other method, unfortunately). For the first one, you can randomize the class name. Put some CSS at the top of your web page and let PHP fill in those class names: create one class with display: inline or display: block and another one with display: none. Because of the dynamic class names, it's much more difficult for bots to determine what to do.

And the solution for the second problem isn't difficult either. You can dynamically switch the two fields: pick a random number; if it's even, your "name" field is on top, otherwise the "spam" field is above the "name" field. With randomized field names and randomized class names it becomes very hard for bots to figure out your site, while "normal" users have no problem at all and don't even know you have a very advanced spam blocking mechanism.
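The whole procedure described above (random field names stored in the session, random class names with generated CSS, random field order, and the check on submit) fits in a few dozen lines. The following is an added example, not code from the original post; the article uses PHP, and this is a Python rendering of the same idea with a plain dictionary standing in for PHP's $_SESSION. The hidden rule is written as display: none, which is the CSS value that actually removes an element from rendering. Two practitioner caveats are folded in: the decoy input carries autocomplete="off" and tabindex="-1" so a browser's autofill or a keyboard user does not fill it by accident, and the check fails closed when the session holds no field names (an expired or missing session is treated as not human rather than as a pass).

```python
import secrets

# A form has two text inputs: the real "name" field and the decoy "spam" field.
# Field names, class names and field order are regenerated on every render,
# and the real/decoy names are remembered in the session for the submit check.

SESSION_REAL = "honeypot_real_field"    # session keys are assumptions for this example
SESSION_DECOY = "honeypot_decoy_field"


def random_identifier() -> str:
    """Random, CSS- and HTML-safe identifier (starts with a letter)."""
    return "f" + secrets.token_hex(8)


def build_form(session: dict) -> str:
    """Render the form HTML and store the real and decoy field names in the session."""
    real_field = random_identifier()
    decoy_field = random_identifier()
    shown_class = random_identifier()
    hidden_class = random_identifier()
    session[SESSION_REAL] = real_field
    session[SESSION_DECOY] = decoy_field

    real_input = (
        f'<label>Name <input type="text" name="{real_field}" '
        f'class="{shown_class}"></label>'
    )
    # Decoy: hidden by class only; autocomplete/tabindex keep humans from filling it.
    decoy_input = (
        f'<input type="text" name="{decoy_field}" class="{hidden_class}" '
        f'autocomplete="off" tabindex="-1">'
    )
    # Random order: even -> real field on top, odd -> decoy on top.
    if secrets.randbelow(2) == 0:
        inputs = real_input + decoy_input
    else:
        inputs = decoy_input + real_input

    # The class names are random, so the CSS is generated per page view.
    style = (
        f"<style>.{shown_class}{{display:block}} "
        f".{hidden_class}{{display:none}}</style>"
    )
    return (
        style
        + '<form method="post">'
        + inputs
        + '<textarea name="message"></textarea>'
        + "<button>Send</button></form>"
    )


def classify_submission(session: dict, post: dict) -> tuple:
    """Decide whether a POST looks human.

    Returns (is_human, name). Fails closed when the session has no field names,
    when the decoy was filled, or when the real field is empty. Field names are
    single-use: they are removed from the session after a successful check.
    """
    real_field = session.get(SESSION_REAL)
    decoy_field = session.get(SESSION_DECOY)
    if not real_field or not decoy_field:
        return False, ""                      # no rendered form behind this POST
    if post.get(decoy_field, "").strip():
        return False, ""                      # the hidden field was filled in
    name = post.get(real_field, "").strip()
    if not name:
        return False, ""                      # real field left blank
    session.pop(SESSION_REAL, None)
    session.pop(SESSION_DECOY, None)
    return True, name


if __name__ == "__main__":
    # Constructed walk-through: render, then submit as a human would.
    session = {}
    html = build_form(session)
    human_post = {session[SESSION_REAL]: "Alice", "message": "Hello"}
    print(classify_submission(session, human_post))   # (True, 'Alice')
```

Everything the check relies on lives server-side in the session, so a submitter that skips rendering the form, reuses an old set of field names, or fills every input it finds is rejected without any extra input from real users.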

Comments

LKRaider

Nice idea, but couldn't the bots just fetch the CSS and ignore the hidden fields that way too?

Jurian Sluiman

To beat the hardest method of CSS spam blocking, the bot requires a full CSS implementation. A display:hidden is easily found with a simple CSS engine, but if you hide the input field with extreme margins it's already a much harder job.

If you a) randomize the order, b) randomize the class names and c) randomize the CSS, it's really a hard job to pass the test automatically.
