Tags: javascript, coldfusion, spam-prevention, coldfusion-7

Spam-prevention for my contact form


I've been doing a lot of research about spam-prevention methods, I do not want to resort to using CAPTCHA.

The form typically sends an email to the user and the webmaster with the contents of the form.

The first thing I've done is to remove the contents of the form in the email sent to the user and simply have a confirmation message.

I have added a row for the person's 'title' and hidden the row using CSS. If the field is filled in, the submission completes without sending any emails.

I'd like to add a couple of other techniques:
  • Check the time to complete submission - do not send emails if under 5 seconds.
  • Pass through a unique ID - do not send emails if no match.

The problem is that website pages are cached, so directly setting a session variable is useless. I'm considering using Ajax to hit a CFC and set the variable, but that would require JavaScript.

Should I restrict submissions to only those with JavaScript enabled? Or are there any alternative suggestions?

Thanks


Solution

  • Daniel,

    I have a similar spam-detection approach that has been in place since last year. I can share what I have seen.

    Session-based tests: Checking the time it takes someone to fill out the form and checking that the user comes from the right page have been very reliable checks, though somewhat fraught with difficulty. In your case, forcing users to have modern, JavaScript-enabled browsers might be your best option. And it seems like it's becoming a more accepted practice, I guess, right? I don't really know.

    Content based tests: Another two fairly helpful practices are to check that form fields contain different values and that no more than a specified number of URLs have been entered. Spammers almost always seem to stick the same trash URL into every field. However, these checks aren't nearly as good as session-based checks.

    Our spam-detection heuristic has a few other checks, in addition to the ones above:

    Some numbers from our heuristic over the last year or so: total failed tests = 83,356.

    I don't want to post too many details about exactly what our criteria are, but if you are interested I'd be happy to share code.

    -Ben