Recently I heard of a nice, simple way to thwart spammers. Basically you push out a bogus input type=text field on a contact (or other) form, css it to display:none and check for its value on submit. If there is a value entered, then that means a non-human has been blanketing form fields, and the form post can be ignored as spam (and not handled).

I would like to turn this into a module, but I wouldn't know where to begin. It should be able to hook in to any module and federate form posts like the captcha module does, and it should not give the same text field label each time. A random string would be fine, I think. Also, since spam bot authors love to target specific anti-spam workarounds like this one, maybe the field shouldn't generate display:none but rather jquery it in on load.

Thoughts?

Comments

NancyDru’s picture

Use hook_form_alter on the contact form and use the #prefix and #suffix tags to specify the CSS class that will be hidden.

This may also work on the comment form to stop those spam entries as well.

Interesting idea.

Nancy W.
Drupal Cookbook (for New Drupallers)
Adding Hidden Design or How To notes in your database

NancyDru’s picture

I guess you don't need to turn it into a module -- I already did. If you'd like to test it, use my contact form.

Nancy W.

Xano’s picture

Neat idea, there's only one little problem: accessibility. People using a non-graphical browser might enter a value, because their browser doesn't support CSS and therefore displays the form input.

NancyDru’s picture

So I set the color to white... And besides, the module is OPTIONAL; no one is forced to use it.

Nancy W.

texas-bronius’s picture

Another option is to make some user instructions in the label just like on a captcha: "If you enter a value in this anti-spam field, the system will think your message is spam and will not send it."

Anxiously awaiting Nancy's module offered above, but already having some self-doubts. The spam I am plagued with appears to be very much Drupal-specific. I am using the captcha module that presents a simple math problem, and I suspect that all the spam bot is doing is hammering integers at that field: it's a popular enough module that someone cared to make a bot specifically target that captcha method. Is there any reason to believe that such a bot would care to fill out ALL fields in a form when it knows that a Drupal comment or contact form consists of specifically x, y, z fields?

--
..happiness is point and click..

--
http://drupaltees.com
80s themed Drupal T-Shirts
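
The hidden field from the original post, with the random field name it asks for and the instruction label suggested in the comment above, sketched in plain PHP as an added example (not code from the Gotcha module or from anyone in this thread). The `hp_*` function names, the `hp_token` field and `HP_SECRET` are assumptions; in Drupal the render step would go in a `hook_form_alter` implementation and the check in the form's validate handler.

```php
<?php
// Added example; hp_* names, hp_token and HP_SECRET are hypothetical.
const HP_SECRET = 'replace-with-a-per-site-secret'; // placeholder value

// Create a trap field with a fresh random name, plus a signed token so the
// submit handler can find that field again without keeping session state.
function hp_new_field(): array {
    $name = 'f_' . bin2hex(random_bytes(6));
    return ['name' => $name,
            'token' => $name . '.' . hash_hmac('sha256', $name, HP_SECRET)];
}

// Render the trap hidden by CSS. The label covers browsers that ignore CSS.
function hp_render(array $field): string {
    $n = htmlspecialchars($field['name'], ENT_QUOTES);
    $t = htmlspecialchars($field['token'], ENT_QUOTES);
    return "<div style=\"display:none\"><label for=\"$n\">Anti-spam field: "
         . "leave this empty or your message will not be sent</label>"
         . "<input type=\"text\" id=\"$n\" name=\"$n\" autocomplete=\"off\"></div>"
         . "<input type=\"hidden\" name=\"hp_token\" value=\"$t\">";
}

// Returns 'ok', 'spam' (trap filled in) or 'invalid' (token missing or
// forged, or the trap field absent from the post).
function hp_check(array $post): string {
    $token = $post['hp_token'] ?? '';
    $parts = is_string($token) ? explode('.', $token, 2) : [];
    if (count($parts) !== 2) {
        return 'invalid';
    }
    [$name, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $name, HP_SECRET), $mac)) {
        return 'invalid';
    }
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return 'invalid';
    }
    return trim($post[$name]) === '' ? 'ok' : 'spam';
}

// Constructed sample submissions: a person, a bot that fills every field,
// and a post that never loaded the form.
$f = hp_new_field();
$human = ['message' => 'Hello', 'hp_token' => $f['token'], $f['name'] => ''];
$bot = ['message' => 'Buy now', 'hp_token' => $f['token'], $f['name'] => 'Buy now'];
foreach ([$human, $bot, ['message' => 'x']] as $post) {
    echo hp_check($post), "\n";
}
```

The check only catches bots that fill every field they find; a bot that posts just the known fields of a stock form passes the honeypot, so it complements a content filter rather than replacing one.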

NancyDru’s picture

They could very well have written code to handle the math problem.

Nancy W.

hgmichna’s picture

The module's description has this sentence: "Unfortunately, most of the spam was still getting through." This seems to mean, install the module at your peril, it doesn't work most of the time.

I've pondered this idea to prevent bots from creating accounts. Have a profile field "gender" with the following three choices, obligatory filling, and a remark that this is a required field:

Select your sex:
male
female

The bots, not knowing about this field, will leave it at its default, "Select your sex:". So just delete any account with this wrong sex entry automatically after a short time.

This doesn't work for comments, but one could disallow write access to users without an account.

Bot authors could conceive counter-measures, but this same method could be used on any field, not just gender, and the admin could be given the right to determine the choices and which ones are not acceptable. This would be an extension of the profiles function.

As each admin could conceive of a different field to use, counter-measures would be somewhat difficult to devise.

Hans-Georg

jason342’s picture

Hey Nancy,

I've used your Contact form and sent you an email on a subject that I needed help with. Nothing to do with this topic.

NancyDru’s picture

I feel somehow vindicated. I've finally caught three "bot" emails.

Nancy W.

hgmichna’s picture

What did you use to catch them? Did you mean Drupal postings when you wrote emails?

The Captcha module seems to work very well for me, by the way. I use it only on the registration form, and unregistered users cannot post.

Hans-Georg

NancyDru’s picture

The Gotcha module caught them (Contact form emails). It's been catching lots of spam emails, but it finally caught the bots too.

Nancy W.

hgmichna’s picture

I'm still scratching my head over how effective the Gotcha module all by itself is. The main article at the top is still saying that much of the spam got through and was caught only by the Spam module.

I'm happy with Captcha, by the way. Have that on the registration form, and unregistered users cannot write, so no problems any more.

Hans-Georg

NancyDru’s picture

The original module (i.e. without Spam) wasn't all that useful; I'll be the first to admit that (actually I was). However, once I added the use of the Spam module filters, it has been completely effective. So far it has not blocked a non-spam message and has blocked all spam messages. As always YMMV.

I personally try to avoid all sites that use validation codes like Captcha.

Nancy W.

rogledi’s picture

A good solution to avoid using captcha is http://keypic.com