Reputation: 11
Is this method sufficient?
    <?php
    // User pressed "Register"
    if (!empty($_POST['name']) && !empty($_POST['email'])) {
        // The honeypot field must come back empty; a filled value is treated as a bot
        if (!empty($_POST['antispam'])) {
            exit("bye");
        }
    }
    ?>
    <form method="post">
        <input type="hidden" name="antispam" value="" />
        Accname: <input type="text" name="name" value="" />
        Email: <input type="text" name="email" value="" />
        ......
    </form>
Upvotes: 0
Views: 378
Reputation: 23749
Probably the best name for a form field designed to trigger a spam bot would be url. The chances of a bot parsing the HTML for type=text attributes or textarea tags and ignoring all others are quite reasonable.
Your chances of trapping a spambot can be improved with a few extra lines of code:
styles.css:

    #commentUrl {
        display: none;
    }

script.js:

    function setFlag() {
        document.getElementById('commentUrl').value = 'Javascript check ok';
    }

form.html:

    <form onsubmit="setFlag();" method="post" action="comment.php">
        <label for="commentName">Accname:</label>
        <input type="text" id="commentName" name="comment_name" value="" />
        <label for="commentEmail">Email:</label>
        <input type="text" id="commentEmail" name="comment_email" value="" />
        <label for="commentUrl">Url:</label>
        <input type="text" id="commentUrl" name="comment_url" value="http://" />
    </form>

comment.php:

    <?php
    // Accept only the untouched default or the value written by setFlag()
    $url = $_POST['comment_url'] ?? '';
    if ($url !== 'Javascript check ok' && $url !== 'http://') {
        // Let's increase their server load.
        // header() takes the status code as its third argument
        header('Location: http://' . $_SERVER['REMOTE_ADDR'] . '/', true, 307);
        exit;
    }
    ?>
Because you use three different languages, you improve the chances of catching the spammer considerably.
You could improve the JavaScript by appending the <link rel="stylesheet"> dynamically to the DOM, for example.
Upvotes: 2
Reputation: 43447
I would not use a hidden field as bots might be looking for only elements of type="text". The naming should be something common but something you have no use for, examples being:
You should change your input from

    <input type="hidden" name="antispam" value="" />

to something more along the lines of

    <input type="text" name="username" value="" style="display:none; height: 0; width: 0; border: none; background: transparent; margin: 0; padding: 0;" />
Upvotes: 1
Reputation: 1270
I wouldn't recommend making the input type hidden or letting it have something with "spam" in it. The best way would be to give it a neutral name ("message" maybe) and hide it from the page via CSS. Additionally, I would measure how long it took to fill out the form (as this will be very fast or very slow by robots) by adding a timestamp field (and again give it a neutral name and maybe encode it).
Upvotes: 1
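The CSS-hidden honeypot and fill-time measurement suggested in the answer above can be checked together on the server. This is an added example, not code from any of the posters; the field names "message" and "ts", the secret, and the 3-second and 1-hour limits are assumptions, and "encode it" is done here by signing the timestamp with an HMAC so the client cannot alter it.

```php
<?php
// Added example: the secret, field names ("message", "ts") and time limits
// below are assumptions, not values taken from the answers.
const FORM_SECRET = 'replace-with-a-random-server-side-secret';
const MIN_SECONDS = 3;    // quicker than this is almost certainly scripted
const MAX_SECONDS = 3600; // older than this is a stale or replayed form
// Value for the hidden "ts" field, created when the form is rendered.
function issueFormToken(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}
// Returns the issue time, or null if the token is malformed or altered.
function readFormToken($token): ?int
{
    $parts = is_string($token) ? explode('.', $token, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], FORM_SECRET);
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}
// Returns null for a plausible human submission, else the reason it was flagged.
function spamReason(array $post, int $now): ?string
{
    if (($post['message'] ?? '') !== '') {
        return 'honeypot field filled in';
    }
    $issued = readFormToken($post['ts'] ?? null);
    if ($issued === null) {
        return 'timestamp token missing or forged';
    }
    $elapsed = $now - $issued;
    if ($elapsed < MIN_SECONDS || $elapsed > MAX_SECONDS) {
        return "implausible fill time ({$elapsed}s)";
    }
    return null;
}
// Constructed sample submissions, all evaluated at the same instant.
$now = 1700000000;
$samples = [
    'human'  => ['message' => '', 'ts' => issueFormToken($now - 25)],
    'filled' => ['message' => 'buy now', 'ts' => issueFormToken($now - 25)],
    'fast'   => ['message' => '', 'ts' => issueFormToken($now)],
    'forged' => ['message' => '', 'ts' => ($now - 25) . '.deadbeef'],
];
foreach ($samples as $label => $post) {
    printf("%-7s %s\n", $label, spamReason($post, $now) ?? 'accepted');
}
```

A signed token can still be replayed until MAX_SECONDS has passed; binding it to the visitor's session or recording tokens already used closes that gap.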
Reputation: 15599
In all basic sense of the idea, sure. Only thing I would recommend for your simple implementation is that most spam scanners that you're trying to block out look for fields titled "username", "name", "user", etc.
So, instead of naming your honeypot "antispam" I would name it "username" or something similar that does not conflict with your existing form.
Upvotes: 4