I am attempting to build a system that only shows users a CAPTCHA when bot-like behavior is detected. Here are the behaviors that I am currently looking for when somebody is filling out a contact form...
how quickly the form is submitted after the page loads (if its 5 seconds or less, its almost humanely impossible to fill out)
how many contact attempts have been made in the past hour (limit 15/hour), or day (limit 25/day)
check message content for links, and cross-check links against other links recently included in the past day
check message for spam keywords
I will add useful community solutions here as they come:
use a "honeypot" (info at http://haacked.com/archive/2007/09/11/honeypot-captcha.aspx)
check referring URL for an outside entrance
What other behaviors would be indicative of robots that PHP could help detect (don't want to use JS because it can be switched off) without the help of a CAPTCHA?