I've been doing my forms such that they have at least one mandatory field (typically it's the person's email address) that must parse, and one hidden field that must be blank. If they don't get both of those right - I call it spam and toss it in the trash. It's been working all right for a bit now.
I was thinking about setting a cookie on visitors' browsers when they first visit my site. Then if the cookie is not set it won't let them process the e-mail form.
What I'm wanting to do is to try and make sure that it's a real live browser.
I'm just wondering if spam bots can recognize when a cookie is trying to be set and somehow trick the server into setting a cookie onto the spam bot. Does anybody know if a spam bot can accept a cookie?
here is a thread I started about a month ago on this very subject.
I found the system of CSS hidden fields works better than any other method, BASED on my requirements. I wanted something simple and not threating for the site reader. I personally hate the captcha scripts I find them very threating to site viewers.
I've actually used validation scripts to parse for known SPAM submissions.
I also do the same in my server-side validation (I use ASP), where it redirects the form to my homepage rather than logging the form submission.
I wrote my validation scripts by looking for commonalities on every SPAM submission. For example, the first and last name fields tend to get the same text, so if FirstName = LastName on my form, the form never gets submitted (as mentioned above). Writing these scripts is time consuming and not fool-proof, but it seems to thwart the majority of attacks.