[thelist] Hidden fields don't stop spam

Lee Kowalkowski lee.kowalkowski at googlemail.com
Thu Oct 29 04:46:55 CDT 2009


2009/10/29 Chris Price <chris.price at choctaw.co.uk>:
> Was it here that I got the idea that if you put a hidden field in your form
> then spammers will irresistably fill it? So if you get anything in that
> field, junk the form?

Yeah, I think that's been discussed on here before.  You really can't
rely on a single technique though, you probably need more than just a
honeypot.

> I tried that today and have been spammed big time.

There are other measures you might want to try in parallel, you need
to analyse your logs ideally, for instance, if they are not requesting
your form before submitting it, put a random validated session
variable (or cookie value) into a hidden field to force them to fetch
your form first.  A more extreme technique is to give your form fields
random names - although your fields will probably appear in a constant
order.

If they are requesting your form before submitting it, you might like
to throttle them, e.g. if you think 10 seconds is too fast to read
your post, author a comment and submit it, reject any submissions that
you consider too soon.  You can make this user freindly by showing a
countdown timer by the submit button.

It's also an idea to make your rejection response look exactly like
the success response if you can.

-- 
Lee
www.webdeavour.co.uk



More information about the thelist mailing list