Software, your way.
How To Get Good Custom Software
(Download)
(PDF)
burger menu icon
WillMaster

WillMaster > LibraryManaging Website Forms

FREE! Coding tips, tricks, and treasures.

Possibilities weekly ezine

Get the weekly email website developers read:

 

Your email address

name@example.com
YES! Send Possibilities every week!

Relatively Simple Form Spam Prevention

Form spam happens when a robot automatically fills in your form and submits it.

Has it happened to you, yet? Once it starts, it never quits.

This article presents a method of preventing form spam that is relatively simple to implement (compared to some CAPTCHA and other systems I've seen).

JavaScript is used to detect whether or not the form user is human.

If a click in a form field is detected, human is assumed. Otherwise, the form user is assumed to be software.

Some robots load your form every time, then submit it. Others send their stuff directly to the software your form would otherwise submit to, bypassing your form altogether.

Spiders cruise the 'net looking for forms. When they find one, they report home, where the particulars are put into a database.

And then it starts. You get a spam from your own form. The next day, another. Soon, several a day. Then more often.

Once it starts, it doesn't quit.

Knowing that, you realize it would be good to prevent it from starting in the first place, if you can.

Even if your form is already in spammers' databases, spam might still be blockable.

The method presented here is not as sophisticated as that which Master Form V4 uses. It will, however, work for many forms.

How long it will work depends on several things:

  1. When spammer spiders are able to parse JavaScript, this method may no longer work. The method does make use of sophisticated routines to prevent that from happening for as long as possible.

  2. If a spammer should manually inspect your code, it will be vulnerable. While unlikely, it could happen. This method tries to give the spammer no reason to come looking at the source code in the first place.

Are you ready?

A step-by-step for forms not yet compromised is presented first, to protect forms from ever being used to spam. Use this prevention method if your forms are not yet in spammers' databases. (If you're not getting spam from your forms, it is likely that spammers' spiders have yet to find your forms.)

Then, a step-by-step for forms already being used to spam you, to block the spam. It won't work for all forms, but for many it will. This blocking method might also be implemented if the prevention method is bypassed.

The Prevention Steps

When you're done with these prevention steps, this is how it will work.

If the form is used by a human:

  1. Your form is loaded by a person into their browser. The form's action URL is to a decoy.

  2. In the process of filling in the form, the person ends up clicking on a form field that, behind the scenes, changes the form's action URL to the correct one.

  3. The form is submitted to the correct form processing software.

If the form is used by a robot:

  1. Your form is loaded into its memory by the robot. The form's action URL is to a decoy.

  2. The form is submitted to the decoy.

Prevention Step 1, the Decoy —

The first thing to do is make a decoy.

The decoy will trick the automatic submission robots into thinking everything is okay. We want no flags raised at spammer headquarters that might precipitate an inspection of your prevention code.

The decoy can be a PHP page or CGI script. Whatever is used, it is important the decoy is a real page or working script so no status code 404 or 500 or anything other than success is encountered by the robots.

A PHP page can be a regular web page with a .php extension. Your server will need to be configured to process PHP pages.

If you prefer using a CGI script, something like this 3-liner could work.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
print '<html><body>Thank you!</body></html>';

When your decoy is in place and tested to work correctly, make a note of its URL. You will need the URL in the "prevention" and "blocking" sections, below.

Prevention Step 2, the NOSCRIPT tag —

This step is optional. It is a courtesy to implement it.

Near your form's submit button, where it will be predominant for users of JavaScript-disabled browsers, put these three lines:

<noscript>
<h3>NOTE: JavaScript is required to use this form.</h3>
</noscript>

Prevention Step 3, the Human Detector JavaScript —

The JavaScript below is used to detect when a human is using the form. It is designed to detect a click in a form field you specify at a later step of this implementation procedure.

If the click is detected, human is assumed. Otherwise, the form user is assumed to be an automatic submission robot.

The JavaScript needs to be customized.

Copy the JavaScript and paste it somewhere in your web page. It can be in the head area or the body area, above or below the form, away from or near the form. Just don't put it within the form itself.

Then, edit the JavaScript.

Alternatively, you can use the generator embedded in the editing instructions, in the 2 steps below, to automatically insert one or both edits before you copy the JavaScript.

Editing instructions:

  1. Find the URL in your form's current action attribute. Copy one part of it for the value of Chunk1 and the rest of it for the value of Chunk2. (The reason to break it up is to hinder spammer's spiders from automatically determining the URL.)

    To automatically update the JavaScript with the URL, copy and paste it into this form field:

    NOTE: If you use the above form field, the Chunk... variable names will change and they will be shifted around in the script itself. This is to confound spammers' spiders with unexpected variations should they try to read the JavaScript to determine your form's correct action URL.

  2. Specify your form's id for the value of FormID. (If your form doesn't have an id attribute, it will need one. The id="MyForm" attribute in the form tag should work just fine.

    To automatically update the JavaScript with the form's id, copy and paste it into this form field:

Here is the human detector JavaScript:

Prevention Step 4, Marking a Field —

There is a function in the human detector JavaScript that needs to be run when a certain form field is clicked. It doesn't matter which field this is, so long as every human who uses the form will click in this field before the form is submitted.

For example, if the email field is a required field, then that would be a good candidate. If your form is a feedback form, the textarea field where they leave a message might also be a good choice.

Whichever field you decide upon, put these attributes into the tag:

onfocus="CL()"
onclick="CL()"

For example, if it was an email field, the field might now look something like this:

<input 
   type="text" 
   name="email" 
   onfocus="CL()" 
   onclick="CL()" 
   size="27">
   

Prevention Step 5, Implement the Decoy —

Change your form's action URL to the URL of the decoy.

Prevention Step 6, Testing —

Test that everything works as it should.

The Spam Blocking Steps

If your form has already been compromised, it may still be possible to block the spam from continuing. It depends on whether or not everything still works if the file name of your form handling software is changed.

To test it, install a copy of your form handling software with a different name. Make a copy of the web page with the form and change the copy's action URL to the software with the different file name.

If everything works okay with the different form handling software file name, and no other forms use the software with the previous file name, then proceed with the "blocking" implementation.

Blocking Step 1, the Decoy —

Follow the instructions for Prevention Step 1, except make the file name and URL of the decoy the same as the one in the compromised form's action URL.

Please understand that when you do this, no forms can use that URL as its action except as a decoy. It means that if you change one form that uses the software, you'll need to change them all.

Blocking Step 2, the NOSCRIPT tag —

Follow the instructions for Prevention Step 2.

Blocking Step 3, the Human Detector JavaScript —

Follow the instructions for Prevention Step 3 except, in the first of the two editing steps, use the action URL of the form you tested for the software with the different file name — not the URL of the form that is compromised.

Blocking Step 4, Marking a Field —

Follow the instructions for Prevention Step 4.

Blocking Step 5, Implement the Decoy —

Verify that the URL of the decoy is the same as the form's action URL.

Blocking Step 6, Testing —

Test that everything works as it should.

Now, tell your friends and business associates about this article. Send them the URL.

For your convenience, you can click this link to open your email program with the article's URL pre-filled in.

Your friends will thank you.

Will Bontrager

Was this article helpful to you?
(anonymous form)

Support This Website

Some of our support is from people like you who see the value of all that's offered for FREE at this website.

"Yes, let me contribute."

Amount (USD):

Tap to Choose
Contribution
Method

All information in WillMaster Library articles is presented AS-IS.

We only suggest and recommend what we believe is of value. As remuneration for the time and research involved to provide quality links, we generally use affiliate links when we can. Whenever we link to something not our own, you should assume they are affiliate links or that we benefit in some way.

How Can We Help You? balloons
How Can We Help You?
bullet Custom Programming
bullet Ready-Made Software
bullet Technical Support
bullet Possibilities Newsletter
bullet Website "How-To" Info
bullet Useful Information List

© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC