How to Prevent SPAM without CAPTCHAs or a Centrally managed system (e.g. akismet)

Question

Has anyone been able to successfully prevent spam on their site without placing a burden on your visitor (e.g. CAPTCHA) and without using a centralized spam reporting system (e.g. Akismet)

I've found this & it looks promising, but doesn't contain detailed deployment instructions.

I want to present my web forms without burdening my users with CAPTCHA like technologies, but also actively automate preventing spam.

There doesn't seem to exist a detailed instruction/tutorial on how to implement such a technology.

Disclaimer

Also, I realize there no silver bullet appropriate to preventing spam. But if simply putting in place a non-invasive (invisible to user) prevention system that blocks 95+ % of spam, it would be worth the effort to deploy.

Answer 1

I basically use one trick on my site to prevent Spam and it works great (at least until spambot programmers will read this post ;) ).

Code is like this:

In the script that builds the site which contains the form, I implemented:

$_SESSION['lastSiteId'] = 'something Unique';
$_SESSION['lastSiteRequest'] = time();

The script that contains the logic to write the comments to a database contains this:

if($_SESSION['lastSiteId'] == 'something Unique' 
   && $_SESSION['lastSiteRequest'] + 5 < time()){

    insertComment();
}else{
    echo "Please read the article before posting a comment";
}

Remember this is pseudocode to give you the idea. You have to implement it all alone in the end... ;)

All it does is checking if more than 5 seconds have passed between redering the form and sending a POST Request.

Be warned that spambot engineers are not sleeping. Bets are, that spambots can wait a few seconds before posting unwanted input if the programmer wants it that way. Question would be: How much spam messages can be send if the Spammer have to wait 5 secs between the requests? See, maybe this IS the final solution to Spam prevention.

Combining time tests with javascript tests (if possible and wanted) plus prefilled/unfilled hidden fields tricks, you should be save from spam a few years from now on.

Answer 2

Honey Pot captcha (article by Phil Haack). Is the usual method employed to do what you are looking for. It isn't foolproof, but what is really?

This appears to be pretty much what you have already explored. Just do your due diligence to understand what the limitations of the solution are, if you still find it meets your needs, be assured this technique has been put to good use by others.

Answer 3

If there were an ultimate solution, there would be no need for CAPTCHA's at all. However if the size of your site isn't large enough to warrant someone manually looking for a way to hack it, security through obscurity may be the best way. Such as the link you supplied above, or as easy as adding a input called something like "City_2" and making it hidden. If the input box is filled out, chances are you've got a spammer as they automatically fill in every field- just dump the data and move along... Just my 2 cents.

Answer 4

I recently tried one very simple-minded technique. I noticed that when presented with a collection of radio buttons, the spam bots seems to always either choose the first option or accept whatever was pre-checked. So on one web site I run I have a form that users fill out with maybe half a dozen questions. One of the questions is a "type of entry" with radio buttons for the choices. So I added a new first choice, "I am a spammer", with a parenthetical comment explaining why the choice is there, and made it the default. If the form is submitted with that option checked, I return an error message instead of the usual confirmation message. Since doing that, the amount of spam I get has dropped to almost nothing. I don't know if what's left is spam bots that take a different strategy -- randomly choose among available radio buttons perhaps -- or if it's human spammers rather than robots.

Mostly I did this as an experiment to see if it would work -- and frankly because it was fun to trick the spam bots into simply confessing and turning themselves in! Mostly I bring it up for discussion: maybe it will contribute to a better idea.

If a spammer decided that my little site was worth devoting their special attention, they could easily beat this with a slightly smarter spam bot. But that could be said of many anti-spam schemes.

Answer 5

Get rid of 99% spam, see this - http://wordpress-plugins.feifei.us/hashcash/

Obviously it only prevents automated spam, use it together with Akismet or something else and get a 100% protection.

Update: How HashCash works? Spamming costs nothing (its free using botnets), that's why it works. So the idea is that if this process can be made (CPU)expensive then bulk spamming/messaging would not work. More details are here - http://en.wikipedia.org/wiki/Hashcash

A simpler version can be implemented using JavaScript. Before submitting the form, the script would produce a computed value. This process has to be CPU expensive. Most botnets would avoid doing so and hence no automatic spam.

Answer 6

This is a very good working solution, I using it in my projects.

It's worth a try...

Answer 7

I use Akismet, which is really just very similar to an email spam filter, but quite powerful as it continuously builds a Bayesian profile with the combined spams of every site using the service (about 18 million comments per day). Their web service is extremely simple and very fast - just sent the comment over the wire and they will send back a "spam" or "not spam" response. There are existing Akismet libraries for almost every platform.

On my site, if the comment passes, I put it in the database, otherwise I just silently ignore it.

Answer 8

General comment about any anti-spam system: Nothing you do is going to be 100% secure. If your site is big enough or rewarding enough that a spammer decides to devote special attention to breaking it, they'll probably find a way. But it's like they routinely say about home security: Sure, a skilled, professional thief can beat any alarm system the average home owner is likely to be able to afford. But you'll keep out the clumsy amateurs, and if you make it enough trouble for the professional, you increase the risk for him that by the time he breaks it, you'll have returned home or a neighbor will see him and call the police. When I worked for the military, we routinely talked about the balance between security and preventing the legitimate users from doing their jobs. The goal in the military is not some hypothetical "absolute security", but rather something good enough to reduce the risk to "acceptable levels" consistent with minimum inconvenience to authorized people. Obviously what constitutes "acceptable" depends on what you're protecting: I certainly hope that the people who were protecting nuclear warheads insisted on a higher level of security than we put around radar systems. People in areas where attacks were suspected, like bases in the Middle East, had higher security than we had in middle-America bases. Etc.

Point being: How likely a target is your site? I certainly hope my bank uses tighter security to protect my money than I bother to use to prevent spam abstract submissions on the convention site I run. Sites that have millions of visitors and are well-known probably need better security than obscure sites with thousands or hundreds of visitors. How much is "good enough"?

Answer 9

In your form (comments or also contact form) you should add an hidden input

<input type="text" id="hidden_input" name="hidden_input" style="display:none;"/>

and write a little php to check if this input is filled, so with a selection 'if than else' you can control

if($_POST['hidden_input'] != ""){
    echo('<p>You are a spambot!!!</p>');    
}

This because people can' t see this form, so can' t be filled by us. In this way indeed bot fill every input, so if every input is fill PHP send this error message and it doens' t send to the server comments or emails,

Answer 10

Ask users a simple, random, math problem. If they solve it, they see the submit button. Otherwise, they don't. This works on static sites as well.

This is the problem input group

<div class="input-group">
  <input type="text" value="" id="testInput" class="form-control">
  <span class="input-group-btn">
  <button class="btn btn-default" type="button" id="mathTest">Go!</button>
</span>
</div>

Here is the script that generates and validates the problem.

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
<script type="text/javascript" src="https://ajax.microsoft.com/ajax/jquery.validate/1.7/jquery.validate.js"></script>

< script > jQuery(function($) {
    $("#wj-form").validate();
    var rnuma = Math.floor(Math.random() * 11);
    var rnumb = Math.floor(Math.random() * 11);
    var sum = rnuma + rnumb;
    $("#rnuma").text(rnuma);
    $("#rnumb").text(rnumb);
    $("#mathTest").click(function() {
        if (sum == $("#testInput").val()) {
            $("#wj-form").append('<div class="form-group"><input type="submit" value="Send Message" class="btn btn-primary"></div>');
        } else {
            alert('Sorry, please try again.');
        }
    });
}); < /script>

The above script does exactly that. Make sure you do not put the submit button in the form. It should be appended only when the problem is solved. I have implemented this here. Make sure you use the correct form id as mentioned in the script.

There is one caveat though. The trick will not work if the user has no javascript running on their browser.