A simple trick to help prevent form spam
If you have a blog or a webpage with a guestbook facility, you will certainly have experienced automated posts known as comment/form spam.
There is a simple thing you can try to prevent spammers from posting to your blog: make it more difficult for them to find how to post to your site using automated means. The HTML code for submitting a form looks as follows:
<form method="post" action="http://www.example.com/bin/comment">...</form>
The action attribute above specifies the web address (URL) of the executable used to process the form results. Simply remove it and add an onsubmit attribute as shown below.
<form method="post"
onsubmit="this.action='http://www.example.com/'+'bin/post-a-comment'">
...</form>
I have made two changes. I now use a trivial JavaScript snippet to build the URL of the executable, and I have renamed it. The reason for using JavaScript is that comment-spamming programs are most unlikely to be sophisticated enough to understand it. Because spammers who have found a comment-posting URL keep it and reuse it every now and then, I have also renamed the executable to start with a fresh URL.
Update: The code above is shown for demonstration purposes only. If you are thinking of implementing this setting, you should use a more serious procedure. It doesn't involve much more work.
Update: You can now get free comment spam protection with FormSmarts.
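The following is an added example, not code from the original post: server-side handling in Node.js for the renamed endpoint, which answers the retired URL with 410 Gone and counts the sources that keep posting to it. The relative paths, the function names (classify, repeatOffenders, handler) and the choice of a 410 response are assumptions made for illustration.

```javascript
// Constructed paths following the post: the old endpoint is retired, the new
// one is only ever assembled in the browser by the onsubmit handler.
const RETIRED_PATH = '/bin/comment';
const LIVE_PATH = '/bin/post-a-comment';

// Form as served: no action attribute, so the live path never appears as a
// single string in the markup.
const FORM_HTML =
  '<form method="post" onsubmit="this.action=\'/bin/\'+\'post-a-comment\'">' +
  '<textarea name="comment"></textarea><input type="submit"></form>';

const retiredHits = new Map(); // source address -> POSTs to the retired path

// Decide how to answer a request. Returns { status, verdict }.
function classify(method, path, sourceAddr) {
  if (method === 'GET' && path === '/') return { status: 200, verdict: 'form' };
  if (path !== LIVE_PATH && path !== RETIRED_PATH) {
    return { status: 404, verdict: 'not-found' };
  }
  if (method !== 'POST') return { status: 405, verdict: 'method-not-allowed' };
  if (path === LIVE_PATH) return { status: 200, verdict: 'accept' };
  // Only a client replaying a stored URL posts here; count it per source.
  retiredHits.set(sourceAddr, (retiredHits.get(sourceAddr) || 0) + 1);
  return { status: 410, verdict: 'retired-endpoint' };
}

// Sources that replayed the retired URL at least `threshold` times.
function repeatOffenders(threshold) {
  return [...retiredHits]
    .filter(([, count]) => count >= threshold)
    .map(([addr]) => addr)
    .sort();
}

// Node http handler; wire up with http.createServer(handler).listen(port).
function handler(req, res) {
  const path = req.url.split('?')[0];
  const { status, verdict } = classify(req.method, path, req.socket.remoteAddress);
  res.writeHead(status, { 'Content-Type': 'text/html; charset=utf-8' });
  res.end(verdict === 'form' ? FORM_HTML : verdict);
}
```

Posts that reach the live path still need whatever content checks the site already applies; the counter only identifies clients that replay the old URL.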
Comments
Good suggestions. I will try it and see how it works.
I have a reply to what Mehdi said. You mention "browser not supporting JavaScript". Do you know of anyone that actually uses these browsers anymore? I run several different sites with traffic ranging from a few dozen hits per week to several hundred thousand per day and I have not seen any browsers in my visitor stats that do not support JavaScript in years.
Do you have any actual analytics to show that people still use these antique browsers?
Just curious because as I said, I have not seen anything to support this.
Thanks.
Posted by: Michael | April 2, 2007 09:07 PM
JavaScript has a "noscript" tag that will be visible to any client not supporting JavaScript. Using this feature of HTML, we can inform those users or present them with another challenge (e.g. reading characters on a picture).
That means at least that only a minority of users will have to take an explicit challenge, the others won't notice anything.
Posted by: JM | November 18, 2006 04:05 PM
I stumbled upon your blog through Google, while looking for ways to make it harder for blog spammers to do their thing... the one thing about your system I worry about, though, is this: what happens when people who have a JavaScript-challenged browser (like Lynx or older versions of Netscape) try to submit a comment? Basically, you're crippling your system for legitimate users to block the illegitimate ones.
Posted by: Mehdi | November 18, 2006 03:28 PM
It seems to work fine for me (no spam for over a week). Thanks.
Posted by: Lee | January 10, 2006 09:26 PM