Good Form Security - no CAPTCHA

Backend · unresolved · 9 answers · 1727
情歌与酒 2020-12-08 06:44

Is there a good method of form security that does not involve CAPTCHA? CAPTCHA is so annoying, but I need security because I am getting form spam. My form is

9 answers
  • 2020-12-08 07:22

    If all you are doing is avoiding spam bots (automated programs that seek <form> tags, fill in all <input> fields, then submit the form), then a simple solution is to do as Paolo said: use JavaScript to add a hidden field. The disadvantage is for people who disable JavaScript.

    Feel free to use this:

    <form method="post" action="contact.php" id="commentForm">
      <label for="name">Name</label>
      <input type="text" name="name" id="name" maxlength="64" /><br />
    
      <label for="email">Email</label>
      <input type="text" name="email" id="email" maxlength="320" /><br />
    
      <label for="message">Message</label>
      <textarea name="message" rows="10" cols="40" id="message"></textarea><br />
    
      <label for="human">40 + 2 =</label>
      <input type="text" name="human" id="human" size="10" maxlength="3" /><br />
    
      <p align="center">
      <input type="submit" name="submit" value="Send" class="submit-button" />
      </p>
    </form>
    

    Then place the following as "contact.php" in the same directory:

    <?php
    require_once 'lib/swift_required.php';   // Swift Mailer 5.x
    
    // Reason for not contacting (kept so you can add a per-field error page).
    //
    $reason = 'default';
    
    error_reporting( 0 );
    ini_set( 'display_errors', 0 );
    
    function not_contacted() {
      global $reason;
    
      header( 'Location: error.html' );
      exit;   // stop here; without exit the rest of the script keeps running after the redirect
    }
    
    function wms_error_handler( $errno, $errstr, $errfile, $errline ) {
      not_contacted();
      return true;
    }
    
    function wms_shutdown() {
      if( is_null( $e = error_get_last() ) === false ) {
        not_contacted();
      }
    }
    
    set_error_handler( 'wms_error_handler' );
    register_shutdown_function( 'wms_shutdown' );
    
    // Read a posted field only if it exists; indexing a missing key would raise a notice
    // and, with the handler above, bounce every incomplete submission to error.html.
    function post_field( $key ) {
      return isset( $_POST[$key] ) ? trim( $_POST[$key] ) : '';
    }
    
    $name      = post_field( 'name' );
    $email     = post_field( 'email' );
    $body      = post_field( 'message' );
    $human     = post_field( 'human' );
    $subject   = 'FormSpam';
    $contacted = false;
    
    // Header injection defence: a name or address must never contain a line break.
    $name = preg_replace( '/[\r\n]+/', ' ', $name );
    
    if( $name === '' ) {
      $reason = 'name';
      $human = false;
    }
    else if( $email === '' || filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
      $reason = 'email';
      $human = false;
    }
    else if( $body === '' ) {
      $reason = 'message';
      $human = false;
    }
    else if( $human !== '42' ) {   // the answer to the "40 + 2 =" question on the form
      $reason = 'computer';
      $human = false;
    }
    
    if( $human === '42' ) {
      $subject = 'YourCustomSubject - '.$name;
    
      $transport = Swift_SmtpTransport::newInstance( 'localhost', 25 );
      $mailer = Swift_Mailer::newInstance( $transport );
    
      // Only undo the escaping if magic quotes actually added it (PHP < 5.4).
      if( function_exists( 'get_magic_quotes_gpc' ) && get_magic_quotes_gpc() ) {
        $body = stripslashes( $body );
      }
    
      // Send from an address on your own domain so SPF/DMARC pass, and put the
      // visitor's address in Reply-To instead of forging it into From.
      $message = Swift_Message::newInstance()
        ->setSubject( $subject )
        ->setFrom( array( 'forms@yourdomain.example' => 'Contact Form' ) )
        ->setReplyTo( array( $email => $name ) )
        ->setTo( array( 'YourEmailAddress' => 'Your Name' ) )
        ->setPriority( 1 )
        ->setBody( $body )
      ;
    
      if( $mailer->send( $message ) ) {
        $contacted = true;
        header( 'Location: contacted.html' );
        exit;
      }
    }
    
    if( $contacted === false ) {
      not_contacted();
    }
    ?>
    

    Should prevent 99% of spam.

    I have not added constants, but I'm sure you can figure out where to change the script. I've removed the part where it redirects to different pages depending on what was (or was not) entered by the user (e.g., missing full name, e-mail address, message, and such). If you want a full version of the script, let me know and I'll fix the code to be more new-developer-friendly.

    Note the Swift Mailer dependency.

  • 2020-12-08 07:28

    Here's what I've found to be very effective (and dead simple):

    1. Put a hidden field on your form. Give it a name like "phone" or something similar/common and put in a default junk value.

    2. Put another regular text input field on your form, but hide it with CSS. Make that one empty. Again, give it a "real" sounding name (first_name, phone_number, whatever).

    3. When the form is posted, verify that the hidden field still has the default value and the field you hid with CSS is still empty.

    You're basically taking advantage of the fact that most spam bots will simply fill in every field in the form in order to avoid failing any required field validation checks. Some might be smart enough to ignore hidden fields, but I've never seen one that was smart enough to ignore fields hidden with CSS.

    ETA: To address some comments - is this a truly "secure" system? No, it certainly isn't. It would be trivially broken by anybody who wanted to specifically target your site. That said, it is still remarkably effective against the automated form spamming bots that most "low value" sites will see.

    If you want to stop a determined attacker, you'll need something a bit more invasive. Another poster mentioned Akismet, which is a good option. reCAPTCHA would be another. Stopping determined, targeted spammers is hard though. Even Yahoo and Google have a hard time with it.

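The three steps above as server-side code, written here as an added example in Python; it is not the answer's own code. The trap field names (`phone`, `fax`), the junk default value, the CSS class, the `contact.php` action and the sample submissions are all constructed for this example. Both honeypot checks run before any "required field" validation, and the handler returns the same outcome shape either way so that the page shown to a bot is indistinguishable from the page shown to a person.

```python
"""Honeypot fields for a contact form (added example, not the answer's code).

Trap 1: an <input type="hidden"> pre-filled with a junk default that must come
        back unchanged.
Trap 2: an ordinary text input hidden with CSS that must come back empty.
A browser submits both untouched; a bot that fills every field trips one or both.
"""

HIDDEN_FIELD = "phone"            # constructed name: looks like a real, commonly required field
HIDDEN_DEFAULT = "555-0100"       # constructed junk default
CSS_HIDDEN_FIELD = "fax"          # constructed name for the CSS-hidden input
REAL_FIELDS = ("name", "email", "message")

# The form as it would be rendered. tabindex="-1", autocomplete="off" and
# aria-hidden keep keyboard users, browser autofill and screen readers from
# touching the trap, which would otherwise produce false positives.
FORM_HTML = f"""
<style>.hp {{ display: none; }}</style>
<form method="post" action="contact.php">
  <label for="name">Name</label><input type="text" name="name" id="name">
  <label for="email">Email</label><input type="text" name="email" id="email">
  <label for="message">Message</label><textarea name="message" id="message"></textarea>
  <input type="hidden" name="{HIDDEN_FIELD}" value="{HIDDEN_DEFAULT}">
  <div class="hp" aria-hidden="true">
    <label for="{CSS_HIDDEN_FIELD}">Fax</label>
    <input type="text" name="{CSS_HIDDEN_FIELD}" id="{CSS_HIDDEN_FIELD}"
           tabindex="-1" autocomplete="off">
  </div>
  <input type="submit" value="Send">
</form>
"""


def honeypot_verdict(post):
    """Return None if the submission passes both traps, else a short reason."""
    if post.get(HIDDEN_FIELD, "") != HIDDEN_DEFAULT:
        return "hidden field changed or missing"
    if post.get(CSS_HIDDEN_FIELD, "").strip() != "":
        return "css-hidden field filled"
    return None


def handle_submission(post):
    """Decide whether to deliver a posted form.

    Returns (deliver, reason). Callers should render the same 'thanks' page in
    both cases and only log the reason, so a bot gets no signal it was caught.
    """
    reason = honeypot_verdict(post)
    if reason is not None:
        return False, reason
    missing = [f for f in REAL_FIELDS if not post.get(f, "").strip()]
    if missing:
        return False, "missing: " + ",".join(missing)
    return True, "ok"


# Constructed sample submissions (dicts standing in for the parsed POST body).
HUMAN_POST = {"name": "Ada", "email": "ada@example.com", "message": "Hello",
              "phone": "555-0100", "fax": ""}
BOT_FILLS_EVERYTHING = {"name": "buy", "email": "x@example.net", "message": "cheap",
                        "phone": "800-123-4567", "fax": "800-123-4567"}
BOT_SKIPS_HIDDEN_INPUT = {"name": "buy", "email": "x@example.net", "message": "cheap",
                          "phone": "555-0100", "fax": "800-123-4567"}

if __name__ == "__main__":
    for label, post in (("human", HUMAN_POST),
                        ("bot, fills all", BOT_FILLS_EVERYTHING),
                        ("bot, skips hidden", BOT_SKIPS_HIDDEN_INPUT)):
        print(label, "->", handle_submission(post))
```

Keep the trap class name and field names boring: a class called `honeypot` or a field called `trap` is exactly what a slightly smarter bot filters on. Also watch your own logs for real users tripping the CSS-hidden field, which is the symptom of a password manager or an accessibility tool filling it despite the hints above.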
  • 2020-12-08 07:28

    Math questions are an interesting alternative. You can even write your own simple math checker by using random numbers.

    Here are a couple of plugins:

    http://www.codegravity.com/projects/mathguard

    http://sw-guide.de/wordpress/plugins/math-comment-spam-protection/

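A self-written random math checker of the kind the answer suggests, as an added example in Python; it is not code from either linked plugin. The design choices are assumptions made for this example: the server never stores the expected answer but binds it into an HMAC-SHA256 token carried in a hidden field, tokens expire after 15 minutes, a solved token cannot be replayed, and the question is spelled in words rather than digits so the cheapest "find two numbers and add them" bot fails.

```python
"""Random arithmetic challenge with a stateless, signed token (added example).

Flow: new_challenge() -> (question shown to the user, token for a hidden field)
      verify_answer(token, submitted) on POST.
The token is issued:nonce:HMAC(secret, issued:nonce:answer); the answer itself
never leaves the server, so a bot cannot read it out of the page.
"""
import hashlib
import hmac
import html
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # constructed: persist and rotate this in a real deployment
MAX_AGE_SECONDS = 15 * 60
_used_nonces = set()                      # assumption: one process; use a shared store otherwise

_ONES = ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight",
         "nine", "ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen",
         "sixteen", "seventeen", "eighteen", "nineteen"]
_TENS = ["", "", "twenty", "thirty", "forty", "fifty", "sixty", "seventy",
         "eighty", "ninety"]


def _words(n):
    """Spell 0..99 in English words (digits are too easy to scrape and add)."""
    if n < 20:
        return _ONES[n]
    tens, ones = divmod(n, 10)
    return _TENS[tens] + ("-" + _ONES[ones] if ones else "")


def _sign(issued, nonce, answer):
    msg = f"{issued}:{nonce}:{answer}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(a, b, op, now=None):
    """Build (question_text, token) for fixed operands 0..99 and op '+' or '-'."""
    if not (0 <= a < 100 and 0 <= b < 100):
        raise ValueError("operands must be 0..99")
    if op == "+":
        answer = a + b
    elif op == "-":
        a, b = max(a, b), min(a, b)       # keep the answer non-negative
        answer = a - b
    else:
        raise ValueError("op must be '+' or '-'")
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    verb = "plus" if op == "+" else "minus"
    question = f"What is {_words(a)} {verb} {_words(b)}?"
    token = f"{issued}:{nonce}:{_sign(issued, nonce, answer)}"
    return question, token


def new_challenge(now=None):
    """Random challenge for a fresh form render."""
    return make_challenge(secrets.randbelow(100), secrets.randbelow(100),
                          secrets.choice("+-"), now)


def render_fields(question, token):
    """HTML for the visible question and the hidden token (values escaped)."""
    return (f'<label for="human">{html.escape(question)}</label>\n'
            f'<input type="text" name="human" id="human" size="10" maxlength="3">\n'
            f'<input type="hidden" name="human_token" value="{html.escape(token)}">')


def verify_answer(token, submitted, now=None):
    """True only if `submitted` is the answer bound into a fresh, unused token."""
    now = int(now if now is not None else time.time())
    try:
        issued_s, nonce, mac = token.split(":")
        issued = int(issued_s)
        answer = int(submitted.strip())
    except (ValueError, AttributeError):
        return False
    if not (now - MAX_AGE_SECONDS <= issued <= now + 60):   # expired, or clock skew
        return False
    if nonce in _used_nonces:                                # replay of a solved token
        return False
    if not hmac.compare_digest(_sign(issued, nonce, answer), mac):
        return False
    _used_nonces.add(nonce)   # burn only on success so a typo can be retried
    return True


if __name__ == "__main__":
    q, t = new_challenge()
    print(render_fields(q, t))
```

The answer space is only 0..198, so a targeted bot can still brute-force one token with a couple of hundred POSTs inside the lifetime window; rate-limit submissions per token and per client address, and treat this, like the honeypot, as a cost-raiser against generic bots rather than a barrier to someone who wants your site specifically.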
  • 2020-12-08 07:31

    Try akismet. It's great at flagging spam. The API is easy to use and completely transparent to your users.

  • 2020-12-08 07:38

    Yes, I invented and developed a method many years ago called nocaptcha.

    I tested and employed it on my sites for a year, then noticed Google also using it.

    I released it for Joomla (see http://shop.ekerner.com/index.php/shop/joomla-nocaptcha-detail ) and since it has been copied by many platforms (see https://www.google.com.au/search?q=nocaptcha ).

    I believe the git-hosted version via the above link can be deployed to any site, and if you can't find a version for your site then perhaps ask my dev team for a custom solution (see: http://www.ekerner.com/ ).

  • 2020-12-08 07:40

    If cutting down spam is the immediate need, putting the form in an iframe has been effective for me.

    <iframe src="contactform.php" scrolling="no" height="*"  width="*"></iframe>
    

    Set the frame's height and width a little bigger than your form's width and height. Use CSS to make the frame border 0 so users won't notice they're looking at the form within frame.
