

Joined on 02-07-2005
TechSoup Member
I want to stop the spam that bots generate in my webforms. My site is run on ColdFusion, so I have been unable to implement CAPTCHA or Form Armor solutions. I'm looking at commercial webform protection products such as Web Form SPAM Protection. Has anyone used a commercial product they can recommend? Is there a review site somewhere?
Thanks,
I develop in ColdFusion, so I hear your pain.
My solution was to implement a simple math question. What is three plus two? If the answer provided on the form is correct, allow the submission to continue.
The question that you use is going to have to be tailored to your audience, of course. Consider things like "What sound does a duck make?" with possible answers of "Quack, Moo, Oink".
As trivial and simplistic as this sounds, it flat out works. And if the user of the form cannot answer the question, then you probably do not want them posting to your forum or site anyway!
If you insist on a Captcha approach, there are actually several available. Here is one for example:
http://www.emerle.net/programming/display.cfm/t/cfx%5Fcaptcha/
I see the simple math problems on forms quite often and think that works well. On one of my sites I have "Please enter the opposite of hot:"
cold
Most English-impaired form spammers are not going to pass this test, where most children and seniors can. :-)
But for most of our site we now use forms built in Flash using a program from CoffeeCup Software. They have a free full-function trial and the cost is only $39 if you want to remove their small ad from the forms.
It has completely stopped the automated spam on about 5 sites that were getting hammered. Another option that can help is to block most of the countries that are the source of this junk. If you only deal with US visitors then this is an option. Linux server users can contact me for the block list we use.


Joined on 02-07-2005
TechSoup Member
Many thanks for this suggestion. Why didn't I think of this? Because it is absurdly simple?
The simplistic nature of the solution kept me from considering it for a long time. It was not until I "thought like a bot" that the epiphany settled in.
If you really want to increase the odds that bots won't circumvent it, put the question in a graphic, that way the text that comprises the "question" cannot be parsed.
Just a reminder that if you use a graphic, you block more than just the spybots. You block handicapped users who can't see the graphic.
CAPTCHA has issues with blocking people who use screen readers, have dyslexia, etc., and is a big accessibility issue. With a graphic you need an alternative like sound, or a way to contact you to let you know they can't use the form, which logically circles back to "How are they going to contact you that doesn't let in Bots"...
Some people are using sound bites, some are putting the graphic in the alternate text (which many Bots read so it's not effective).
So you need to ask yourself, who is my audience, and who do I not mind blocking out from my web forms. And when you're a non-profit that's a real touchy subject.
No answers here - though I've several links to proposed solutions, etc. to help you decide what your tack should be.
Just food for thought.
Accessible Content
Wikipedia
Standards View


Joined on 02-18-2008
TechSoup Member
There is also a very nice method to prevent spam without using Captcha or any questions whatsoever.
If you study how it works, you'll ask yourself, how could something so simple work :-)
In reality it works 99% on my 3 websites.
Here's the method explained:
http://duggmirror.com/programming/Preventing_SPAM_without_using_a_CAPTCHA/
Let me know, if you need any help.


Joined on 02-07-2005
TechSoup Member
I've tried this, but it hasn't stopped the spam. I have my validation set to "integer" with range limited to the sum of the question. My webhost has CF 5, and I wonder if the validation works on that version.
Wouldn't the use of the ALT tag for the image allow the image to be understood by the visually impaired?
I do not know the answer. Anyone?
Yes, the alt tag would make the image accessible sometimes. There can still be issues with mixed case letters in the CAPTCHA.
More to the point is that the Bots also read the alt text... So it's not a solution.
I know the bot can read the alt text, but I don't know that they would understand what to DO with that information.
We are trying to figure out a way to deceive a bot that cannot actively read the screen. The problem, as we are discussing right now, is that blind people and others with disabilities have that very same problem of not being able to 'read' the screen.
Fortunately (or unfortunately) I am in a position where the vast majority of my work is for an intranet where I *KNOW* that none of my 'customers' is visually impaired. For this reason I have not had to deal with this challenge.
I also *KNOW* that all of my customers are using IE 6.x, and they have javascript enabled and Flash installed. So I don't have to deal with cross browser support. This has spoiled me to a great extent. If I had to get a job creating sites for the general public I would have a great deal of learning to do, but I would be a better webmaster because of it!
The alt text might work, but at what point would it be read and what would it say?
The problem is not so much that bots can read it as it is that the spammer can program the bot to read it. If they really look at any form they may be able to program around many methods. The CAPTCHA is one of the best since it's too hard to program for.
We are currently testing the hidden empty field method on sites that don't use the Coffee Cup Flash Forms. We have created two fields in two places and are going to see if either one gets filled in, but we notice that some spam does not fill in all fields.
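
Added example (not part of the thread, and not any poster's code): a server-side check that combines the two text-only methods discussed above, the hidden empty field and the simple math question. It is written in Python for illustration; the field names `website`, `answer` and `challenge_token`, the one-hour lifetime and the helper names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key; generated here for the demo
HONEYPOT = "website"              # assumed name of the hidden, normally empty field
MAX_AGE = 3600                    # seconds a challenge stays valid (assumed value)

def _sign(issued, answer):
    msg = f"{issued}:{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def new_challenge(now=None):
    """Return (question, token); the token binds the answer without revealing it."""
    issued = int(now if now is not None else time.time())
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    return f"What is {a} plus {b}?", f"{issued}:{_sign(issued, a + b)}"

def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of posted field values."""
    now = int(now if now is not None else time.time())
    # Hidden empty field: visitors never see it, bots that fill every field do.
    if form.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    issued, _, mac = form.get("challenge_token", "").partition(":")
    if not issued.isascii() or not issued.isdigit() or now - int(issued) > MAX_AGE:
        return False, "challenge missing or expired"
    # The answer is verified here on the server; a bot that posts straight to
    # the form URL never runs any validation script the page contains.
    answer = form.get("answer", "").strip()
    if not hmac.compare_digest(mac.encode(), _sign(issued, answer).encode()):
        return False, "wrong answer"
    return True, "ok"

if __name__ == "__main__":
    question, token = new_challenge()
    # Constructed bot-style submission: every field filled, including the hidden one.
    bot_post = {"name": "x", "website": "http://spam.example", "answer": "5",
                "challenge_token": token}
    print(question, check_submission(bot_post))
```

A token stays valid until it expires, so a correctly answered form can be resubmitted within that window; recording used tokens on the server closes that gap. A submission that leaves the hidden field empty still has to pass the question, which covers spam that does not fill in every field.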