I’m looking around trying to figure out how to prevent spambots from filling out form fields and submitting, but doing it without using a CAPTCHA.
Right now, I’m looking at using a combination of two factors: A simple math problem (i.e., “Using only numbers, what is three plus two?” answer 5 - anything else fails), and an empty form field hidden with CSS that if left blank will submit, but if there is anything entered into it, it will fail.
Has anyone used anything else with a high success rate? I’m totally open to suggestions.
Someone suggested Google’s “no CAPTCHA reCAPTCHA”. Can’t use it. You have to register a domain; it’s not downloadable, so apparently only their CDN can be used (not on my isolated DEV environment; and our production environment won’t allow it.)
“Honeypot” - have an invisible-to-the-viewer field that, if checked/filled in, results in a bot-fail, because a user wouldn’t be able to see it.
“Timestamp” - a human filling out a form takes a few seconds unless it’s a really small form - so you can also throw in a timestamp method; from page or form load, x time must pass before it can be submitted (so, timestamp captured on load, timestamp captured on submit, if difference is not greater than x, bot-fail).
I’ve got mixed feelings about both, but they’re options. For what it’s worth, I like the noCAPTCHA - but understand it can’t be used everywhere.
[quote=“jeffreylees, post:2, topic:120094”]
“Honeypot” - have an invisible-to-the-viewer field that, if checked/filled in, results in a bot-fail, because a user wouldn’t be able to see it.
[/quote]
This is the hidden, empty form field that I mentioned as the second option I was considering. I’m not sure how fool-proof they are, but apparently people have had a lot of success with them. Not 100%, but enough. (Did not realise they are referred to as “honeypot”.)
[quote=“jeffreylees, post:2, topic:120094”]
“Timestamp” - a human filling out a form takes a few seconds unless it’s a really small form - so you can also throw in a timestamp method; from page or form load, x time must pass before it can be submitted (so, timestamp captured on load, timestamp captured on submit, if difference is not greater than x, bot-fail).
[/quote]
Now this sounds like it should work, quite well. The question is how much time to give. Don’t want to make it too long (user will become impatient; and any session variables in CF will timeout after 20 minutes), don’t want to make it too short (someone might program their bot to wait x seconds.)
Combined, I’m hopeful that they will weed out at least 99% or more of the spambots. Thanks, @jeffreylees!
Anyone else have any suggestions, before I start to implement these?
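An added example, not part of the thread or any poster's code: a server-side check combining the honeypot and timestamp ideas discussed above, written in Python rather than CF. The field names `website` and `form_ts`, the 3-second minimum and the HMAC signature on the load timestamp (so a client cannot back-date it) are assumptions; the 20-minute maximum follows the session timeout mentioned above.

```python
import hashlib
import hmac
import time

# Hypothetical field names and thresholds, chosen for this example.
HONEYPOT_FIELD = "website"   # hidden with CSS; a human leaves it empty
TOKEN_FIELD = "form_ts"      # hidden field carrying the signed load time
MIN_SECONDS = 3              # assumed "x": faster than this is a bot-fail
MAX_SECONDS = 20 * 60        # the 20-minute session timeout from the thread


def _sign(secret, ts):
    return hmac.new(secret, str(ts).encode(), hashlib.sha256).hexdigest()


def issue_token(secret, now=None):
    """Value for the hidden timestamp field, generated when the form is rendered."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_sign(secret, ts)}"


def check_submission(form, secret, now=None):
    """Return "ok", or the reason the submission is rejected."""
    now = time.time() if now is None else now
    # Honeypot: anything typed into the hidden field is a bot-fail.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot"
    ts_text, _, sig = form.get(TOKEN_FIELD, "").partition(".")
    try:
        ts = int(ts_text)
    except ValueError:
        return "bad_token"
    # The load time must carry the server's signature, so it cannot be back-dated.
    if not hmac.compare_digest(sig.encode(), _sign(secret, ts).encode()):
        return "bad_token"
    elapsed = now - ts
    if elapsed <= MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; load a real key from config
    form = {"name": "Ann", HONEYPOT_FIELD: "", TOKEN_FIELD: issue_token(secret)}
    print(check_submission(form, secret))                   # submitted instantly
    print(check_submission(form, secret, time.time() + 8))  # submitted after 8 s
```

Because the token is signed but not single-use, a bot that waits out the minimum can still replay it until it expires; the check only raises the cost per submission.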
Not really an answer to your original question, but if you do find there are still bots getting through despite your other precautions, you could look at adding a “black hole”. They might get through once, but they’ll not get through again (from the same IP address). I’ve used it on a couple of sites and found it very effective.