views: 364

answers: 3

I'm setting up an e-mail form for scientific journal articles. I need to be able to check for bots and filter them quietly. The site runs ASP.NET MVC. I'd like to avoid CAPTCHA. Any ideas?

+2  A: 

IIRF can do blacklisting based on user-agent or IP address (or other things). Works with ASP.NET, PHP, anything. Runs on IIS5, 6, 7. Fast, easy, free.

You can browse the doc here.

Cheeso
+6  A: 

Add a new input field, label it "Please leave blank", hide it using CSS, and ignore the post if that field is filled in. Something like this:

<style type='text/css'>
#other_email_label, #other_email {
    display: none;
}
</style>
...
<form action='mail'>
<label id='other_email_label' for='other_email'>Please leave blank:</label>
<input type='text' name='other_email' id='other_email'>
...
</form>

So a human being won't see that field (unless they have CSS turned off, in which case they'll see the label and leave it blank) but a spam robot will fill it in. Any post with that field populated must be from a spam robot.

(Copied from my answer to this related question: "What is a good invisible captcha?")

RichieHindle
This, of course, will not work if someone tries to create a bot to spam your site specifically, but it does work great otherwise.
mgroves
A: 

I saw a solution to this with forms; the premise was using JavaScript to count keystrokes and time the distance from page_load to form submission. It then guessed if it was a bot based on that time and a typical expectation boundary for keystrokes/second, as bots (that use the browser) tend to dump text very quickly without strokes (just a ctrl-v).

Bots just sending POST or GET data without loading the page just get filtered too.

I don't know the details of the implementation, but might be an idea.

Aiden Bell
A bit risky I'd say. There are fast typers, you know. And what if the bot writers suddenly figure this out and add a sleep(10000) command?
synhershko
Indeed, just depends on the scale of the project and if you envision bot-writers customizing their spam machines to your site.
Aiden Bell
@synhershko, I think it'd be unlikely for the bot programmer to add a sleep command, that's a pretty big reduction in the amount of spam to spread, unless they're programming specifically for your website in which case these bot detection techniques are going to need to keep evolving.
Nathan Koop
If a bot wants to program specifically for your website (which it doesn't) then it will get in. Sorry. However, you can make the bar high enough that he doesn't want to waste cycles on it.
Christian Mann
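
Added example, not part of any answer above: a server-side check in C# that combines the hidden `other_email` field from the second answer with the load-to-submit timing idea from the third, using an HMAC-signed render timestamp so a POST sent without loading the page has no valid token. The class name, key, thresholds and the idea of carrying the token in a hidden field are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the thread): honeypot plus minimum fill-time check.
public static class FormBotFilter
{
    // Assumption: a real site loads this key from server configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");
    static readonly TimeSpan MinFillTime = TimeSpan.FromSeconds(3); // assumed threshold
    static readonly TimeSpan MaxTokenAge = TimeSpan.FromHours(2);   // assumed threshold

    static string Sign(string ticks)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(ticks)));
    }
    // Rendered into a hidden field with the form: "<utc ticks>.<base64 hmac>".
    public static string IssueToken(DateTime renderedUtc)
    {
        string ticks = renderedUtc.Ticks.ToString();
        return ticks + "." + Sign(ticks);
    }
    // Comparison that does not stop at the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // True when the post should be dropped quietly.
    public static bool IsLikelyBot(string otherEmail, string token, DateTime nowUtc)
    {
        if (!string.IsNullOrEmpty(otherEmail)) return true;   // honeypot was filled in
        string[] parts = (token ?? "").Split(new[] { '.' }, 2);
        long ticks;
        if (parts.Length != 2 || !long.TryParse(parts[0], out ticks)) return true;
        // The signature is checked before the timestamp is trusted.
        if (!FixedTimeEquals(Encoding.UTF8.GetBytes(parts[1]),
                             Encoding.UTF8.GetBytes(Sign(parts[0])))) return true;
        TimeSpan age = nowUtc - new DateTime(ticks, DateTimeKind.Utc);
        return age < MinFillTime || age > MaxTokenAge;        // too fast, or stale token
    }
    public static void Main()
    {
        DateTime rendered = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed
        string token = IssueToken(rendered);
        Console.WriteLine(IsLikelyBot("", token, rendered.AddSeconds(45)));       // human-paced
        Console.WriteLine(IsLikelyBot("x@example.com", token, rendered.AddSeconds(45)));
        Console.WriteLine(IsLikelyBot("", token, rendered.AddSeconds(1)));        // too fast
        Console.WriteLine(IsLikelyBot("", null, rendered.AddSeconds(45)));        // no page load
    }
}
```

The token is not single-use, so a bot that loads the page, leaves `other_email` empty and waits still passes, which matches the limits the commenters describe.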