Trying to determine if these users are real

I run a small site that gets quite a bit of traffic from developing nations - particularly Nigeria. Users can register for free content, and many do - only lately, I’m becoming concerned that some of these registrations follow a very regular pattern. The pattern is:

  • An unfamiliar name (which one might expect in Africa) such as “Candace Drew.”
  • A long, garbled-looking email, often through Yahoo and usually ending with four digits. Anonymized example: “”.

On the one hand, our registration system uses double-opt-in: The user has to sign up AND click an emailed registration link in order to get an active account. On the other hand, I find it scarily bizarre that multiple registrations at about the same time should match the same pattern so closely, and I am wondering if perhaps some bots are now sophisticated enough to defeat double-opt-in? Does anyone know if that might be the case, or have any suggestions as to how I might go about verifying if it’s happening? (Yes, I could slap a CAPTCHA on it. I don’t like it, but I could.)

Hard to say until the accounts become active. But IMHO if they raised suspicion the chances are your instincts are trying to tell you something.

These are what I would call “keep an eye on” accounts.

You can define some question/aswers base on your country you target so the target person will easy answer this and pass the validate. The questions is as much as posible and appear random

An effective form of captcha will help keep robots out. I’m not keen on those wonky letters you get on the usual captcha tests, I find it quite a tedious process. But you can use a little more imagination to come up with a more ‘human friendly’ (easy and low-effort) method that is difficult for bots to understand.
I use this on a contact form. It is unusual in that you have to pass the test before you even get to the form. The small 2 field test form is not very appealing to bots it seems. I have only had one 3 time failure reported so far and no spam or attempted spam contacts since employing this, so no bots have even seen my form. Before this there were several attempts at spamming reported by the form on a regular basis.

I just created my own kind of CAPTCHA, using ColdFusion. It’s a two-pronged defence.

First, I use a ‘honeypot’ - a blank form field that is hidden from users. If it’s filled out, it’s a bot (they fill out every field.)

Second, I created an array of all-text very simple math questions with corresponding correct number-only answers. Present the question and ask the user to enter the numeral-only answer. If they don’t match, the form doesn’t get processed, but will display a “Thank you” message, making it look like it was.



I have that as well as the image question.
The only problem with my image question is possibly accessibility.

Thanks all for the replies. I have been busy with other things, and I’m just circling back to this topic. To clarify, I do have a sort of CAPTCHA on the form - the same principle described by @WolfShade with the honeypot field. If I add anything else, it will probably be the second half of that same solution – the simple math question – which I have resorted to on other forms that are getting spammed too much.

The problem, of course, is still that I am not sure whether I am in fact getting spammed. These accounts do “become active,” in that the emailed activation link is clicked; there is no other way for the account to reach that status. Does anyone here know of any cases where spammers have been shown to actually click activation links sent to the email addresses they supply? It’s hard for me to believe that they do, because I cannot think of any reason why they would.

Another thing to try would be to make a note of when someone access a page with a form, then once the person submits the form, if the time inbetween them accessing the form and submitting it is less then a certain amount of time, deem them to be possible bots and show them a geneic error message


I love this, but I’m the kind of developer who would show a success message just in case the bot or another script is logging the response screen. :smile:


I have heard of this method too, but have not tried it. Basically, if you fill in a whole form in under a second (or whatever time) you are not human.

1 Like

Any tips for the easiest way to implement this practically? :slight_smile:

What language are you using for processing?
I have not used the timing method, but I guess you would record the time a user enters the form page in a hidden form field. Then after submit, get the time again in the processing script and compare, subtract start time from submit time, if the result is less than a given value, you got a robot.
The code for that will of course depend what script language you use for processing, but its fairly basic stuff.

I had a go at doing a timed form script with php, something along these lines.
First of all at the start of the form document, get a timestamp:

<?php $start = date(U); ?>

Then make your form page and form:

<form action="process.php" method="post" name="My Form">
    <input type="hidden" name="start" value="<?php echo $start ; ?>" /> <!--Start time in the hidden field-->
    <p><label for="name">Your Name:</label> <input id="name" type="text" name="name" maxlength="60" required /></p>
    <p><label for="mail">Email:</label> <input id="mail" type="email" name="Email" maxlength="60" required /></p>
    <p><input type="submit" value="Submit" name="Submit" /></p>

Note the timestamp put into the hidden field.
Then in the processing script, again start by getting a timestamp for the submission time, subtract the start time from that and you know how many seconds it took.

    $subtime = date(U); // Get submission time
    $robot = false;
    if (isset($_POST['Submit'])) {
        $start = $_POST['start']; // Get the form start time
        $time = $subtime - $start; // Find the difference
        if($time < 1) { // Set number of seconds
            $robot = true;
            $name = 'Tin Man'; // We don't even look at the "user" submitted data, it may be harmful
            // Do anything else you want to do here...
        else {  // you passed the test you slow human
            $name = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['name']);
            // Continue to process the data and do whatever you need to do with it...
    else { // No POST !!
        header("location: form.php");   // Get outa here

Then display your friendly “thank you” message:

<h1>Form Result</h1>
<p>Hi <?php echo $name;?>, your data has been processed.</p>
<?php if($robot==true){ echo '<p style="font-size: 2em; color: red;">Not!!</p>';} // A quite unnecessary line ?>
<p>Thank you</p>

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.