Foreword
I would like to present to Habr readers my way of protecting forms from spam bots. The method relies on the fact that most bots cannot read style sheets or execute JavaScript, while about 90% of all browsers support these technologies. The remaining 10% are old browsers and browsers with JavaScript disabled. If you think about it, it is unlikely that users in that 10% intend to use feedback forms, register on forums, sign guestbooks, and so on. First, I will briefly review how such spam is fought today.
Existing methods and their disadvantages
Methods:
- Using CAPTCHA
- Combining the above methods
Drawbacks:
The disadvantages are the annoyance of users, who are forced to solve puzzles and guess numbers and letters. Furthermore, most of today's graphical captchas are so-called "weak captchas" and are cracked with simple server-side OCR scripts. It is also worth mentioning the "lemming method", in which many real people take part in recognizing the captcha: spammers re-post the question or picture from the site under attack on special high-traffic sites, where a person solves the captcha in order to gain access to some information, and the result is sent to the spammers. Another, more interesting method is directly hiring people to solve captchas.
The essence of my method
On the page we create a dummy form and hide its fields from the user's eyes with the CSS rule display: none. Then a JavaScript function, run somewhere on the page outside the dummy form, prints the real form with the actual field names in its place. When a robot submits the dummy form, the server-side script receives an array with the wrong field names and, for example, displays an error message. For a real user, the form is processed normally.
Benefits:
- 95% of spam bots are guaranteed to be cut off
- no need for a person to solve a captcha
- ease of implementation for the developer
- extra load on the spammer's server, which has to execute JavaScript and CSS
Drawbacks:
Implementation
Most of the work is done on the client side using CSS and JavaScript. With CSS, which is best linked to the page from a separate file, we hide the trap form from the user's eyes:
#ourGreatForm {display:none;}
Then we write a simple JavaScript function (which, by the way, can also be put in a separate file) with the following content:
function GenerateSomethingGreatForRealPeople() {
  // Markup of the real form fields, with the real field names
  var ourfields = '<input type="text" name="sndr_name"><br>' +
    '<input type="text" name="sndr_email"><br>' +
    '<textarea name="sndr_content"></textarea><br>' +
    '<input type="submit" name="sndr_pressed_button" value="send email">';
  // Replace the dummy fields on those machines where JavaScript is running
  document.getElementById("ourGreatForm").innerHTML = ourfields;
  // Turn on the display of the real fields
  document.getElementById("ourGreatForm").style.display = "block";
}
All elements of the trap form are placed between the <div id="ourGreatForm"> and </div> tags. The value of the identifier must match the value used inside the JavaScript function described above:
<!-- This is a trap form -->
<form method="post">
  <div id="ourGreatForm">
    <input type="text" name="name" value="dummy field"><br>
    <input type="text" name="email" value="dummy field"><br>
    <textarea name="content">dummy field</textarea>
  </div>
</form>
After the form, somewhere near the end of the document, we call our JavaScript function, which runs only in a real browser:
<script>
  GenerateSomethingGreatForRealPeople();
</script>
As a result of this call, the dummy form content is replaced with the real one and the form is displayed to the user.
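The server-side half of the method (a submission that carries the dummy field names is treated as a bot) is not shown in the article. The following is an added example, not the author's code, written for Node.js; the function name classifySubmission and the verdict strings are assumptions, while the field names are the ones used above.

```javascript
// Added example (not from the original article). Field names are the ones
// used on this page; classifySubmission and the verdicts are hypothetical.
const TRAP_FIELDS = ["name", "email", "content"];                // dummy form
const REAL_FIELDS = ["sndr_name", "sndr_email", "sndr_content"]; // printed by JavaScript

// rawBody: the application/x-www-form-urlencoded POST body as a string.
function classifySubmission(rawBody) {
  const params = new URLSearchParams(rawBody);

  // Any dummy name means the sender posted the HTML as served, without
  // running the script. Checked first, so a body that mixes trap and real
  // names is still rejected.
  const trapHits = TRAP_FIELDS.filter((f) => params.has(f));
  if (trapHits.length > 0) {
    return { verdict: "bot", detail: trapHits };
  }

  // A real browser sends every sndr_* field; an empty or absent one is an
  // ordinary validation error, not a trap hit.
  const missing = REAL_FIELDS.filter((f) => (params.get(f) || "").trim() === "");
  if (missing.length > 0) {
    return { verdict: "incomplete", detail: missing };
  }

  // Pass on only the expected fields; ignore anything else that was posted.
  const fields = {};
  for (const f of REAL_FIELDS) fields[f] = params.get(f).trim();
  return { verdict: "accept", detail: fields };
}

// Constructed sample request bodies.
const SAMPLES = {
  bot: "name=dummy+field&email=dummy+field&content=cheap+pills",
  mixed: "name=x&sndr_name=x&sndr_email=x%40example.org&sndr_content=spam",
  incomplete: "sndr_name=Anna&sndr_email=&sndr_content=Hello",
  human: "sndr_name=Anna&sndr_email=anna%40example.org" +
    "&sndr_content=Hello+there&sndr_pressed_button=send+email",
};

for (const [label, body] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(classifySubmission(body)));
}
```

Logging the "bot" verdicts instead of only showing an error gives a running count of how many submissions the trap form actually stops.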
Example
Page in action
Findings
The method has proven itself as an excellent weapon against spam, reducing it to almost nothing on the sites where it was implemented. The target audience for the method is sites with low traffic. Such protection is effective against bots, hosted mainly on public hosting servers, that do not know how to work with JavaScript and CSS. I am sure that after a while spammers will write a program to circumvent this method, but only if its use becomes widespread. To strengthen protection against spam bots, consider combining my method with a captcha in the form of a question for a human.
Any comments and additions are welcome.