Feedback form attracting spammers
joflo
11-08-2008, 12:54 PM
Hi,
I have two sites with feedback forms - simply a textarea input and a submit button. I wanted it as easy and quick as possible for users to submit a comment. However I'm getting an increasing number of spam submissions. It's only an irritation but still. Apart from having a Turing number question or similar, what ways are there of preventing spammers from submitting their links and other rubbish? I'm guessing they use automated scripts so I could use a bit of JavaScript to weed out submissions that weren't from a browser?
Thanks
NogDog
11-08-2008, 04:23 PM
You'll want to do the filtering on the server side, as the spammers will either be using scripts that never see your JavaScript, or if being done manually will just disable JS in their browsers.
I'm currently looking at using Akismet (http://www.charles-reace.com/blog/2008/09/06/using-akismet-to-detect-spam-email/) (Akismet API (http://akismet.com/development/api/)) for such filtering, but haven't gotten around to tying it all together yet.
joflo
11-08-2008, 08:28 PM
So it all boils down to if these spammers do it manually with JavaScript enabled. If they do then there's no way round it.
Otherwise, assuming they don't bother to hack the JavaScript code, I could trigger a JavaScript function to insert a value for a hidden form field which the server side checks for, when the form is submitted. Sounds simple enough.
The thing is this introduces problems for non-JavaScript capable/enabled browsers - but then again I don't care since 99% of my users will have JavaScript enabled.
Here's what I'm thinking...
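<script>
// Named setNospam rather than nospam: inside the inline onsubmit handler the
// bare name "nospam" resolves to the form's hidden field, not to a function.
function setNospam(){
document.forms[0].nospam.value = "nospam";
}
</script>
<form onsubmit="setNospam(); return true;">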
<textarea name="feedback"></textarea>
<input type="submit" value="Submit"/>
<input type="hidden" name="nospam" value="SPAM!"/>
</form>
And then on the server side, (PHP) check that $_REQUEST['nospam']=='nospam'.
However my gut instinct tells me that at least some of these script kiddies will get round this quite quickly - but then again, they're submitting a form which only goes to me so they can't be that bright!!! Maybe I should just try it and see.
The Akismet thing looks like overkill for this, but I can see how it's invaluable for larger sites and/or where the submission is published online. Especially for apps like WordPress where the same spam-filtering code is used on hundreds if not thousands of sites - so the above code would be no obstacle for a spammer. Both of my sites are very low-profile in comparison so I'm assuming the submissions are of a different nature. I'm still worried that my above code won't work either because submissions are done manually with JavaScript enabled, or that spammers are using automated scripts which run the JavaScript, such as a submission script programmed in JavaScript to run in frames or whatever. These kids should get a life... or a real job...
All thoughts & suggestions welcome
joflo
11-08-2008, 08:58 PM
Well, I've implemented the above code so I'll report back with the results!!
cURL isn't supported with my host so it rules out that Akismet class but where there's a will there's a way.
joflo
11-12-2008, 05:48 PM
Good news!! The spammers seem oblivious to the JavaScript trick and never execute it. My server side doesn't give any indication by the response it returns, it simply marks the item in the database as probable spam and doesn't send me the email!
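
The server-side half of the check discussed in this thread, as an added example that is not part of any post: it flags a submission as probable spam when the hidden field is missing, still carries its default value, or is duplicated, and returns the same response either way. It is written in JavaScript for Node.js rather than the PHP mentioned above; the function names, the `store` array and the `sendMail` callback are assumptions, and the request bodies are constructed samples.

```javascript
// Added example, not code from the thread. Assumes the form posts
// application/x-www-form-urlencoded with the fields "feedback" and "nospam".
const EXPECTED = "nospam"; // value the onsubmit handler writes into the hidden field

// Constructed sample request bodies.
const SAMPLES = {
  browser: "feedback=Great+site%21&nospam=nospam",               // script ran
  botDefault: "feedback=cheap+links&nospam=SPAM%21",             // field left at default
  botNoField: "feedback=buy+links",                              // field not posted at all
  botDouble: "feedback=more+links&nospam=nospam&nospam=SPAM%21", // field posted twice
};

// Parse the body and decide whether the hidden-field check passed.
function classify(rawBody) {
  const params = new URLSearchParams(rawBody);
  const tokens = params.getAll("nospam");
  // Require exactly one value equal to EXPECTED; reading only the first or
  // last of several values would let a duplicated field slip through.
  const probableSpam = !(tokens.length === 1 && tokens[0] === EXPECTED);
  return { feedback: params.get("feedback") || "", probableSpam };
}

// Store every submission, mail only the ones that passed, and answer
// identically in both cases so the sender learns nothing from the response.
function handleSubmission(rawBody, store, sendMail) {
  const { feedback, probableSpam } = classify(rawBody);
  store.push({ feedback, probableSpam, receivedAt: Date.now() });
  if (!probableSpam) {
    sendMail(feedback);
  }
  return { status: 200, body: "Thanks for your feedback." };
}
```

Flagged items stay in the store, so a genuine comment from a browser with scripting disabled can still be recovered by reviewing the probable-spam entries.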