I'm trying to reduce the form spam on our website. (It's actually pretty recent).

I seem to remember reading somewhere that the spammers aren't executing the JavaScript on the site.

Is that true? And if so, then could you simply check for JavaScript being disabled and then figure it's likely that it's spam?

A: 

I can't remember where I've seen this method, but spam bots like to fill out forms. Have you considered putting in a form field that is hidden with JavaScript (and says don't fill this field if the user doesn't have JavaScript)? This way, if something fills in this field, you can ignore it as spam.

Ryan Lanciaux
+1  A: 

You could check - have JavaScript that populates a hidden form field with a specific value after the page loads. Then, when the page posts back to the server, check that hidden form field for the expected value. If it is not there, that means the JavaScript didn't execute.

As to whether you should assume it is spam is another story altogether, and one that has no certain answer, really. You could simply have a <noscript> tag and have it indicate to the user that their submission will not take unless they enable JavaScript.

Once you have JavaScript running, however, the spammers will just use another workaround for that. :)

Jason Bunting
+7  A: 

There are still a large number of people that run with JavaScript turned off.

Alternatively, I have had decent success with stopping form spam using CSS. Basically, include an input field and label that is hidden using CSS (display: none;) and once submitted, check if anything has been entered in the field.

I generally label the field as a spam filter with an instruction to not put anything in the field, but all newer browsers will properly hide the block.

reCAPTCHA is also surprisingly easy to implement.

Jason Navarrete
reCAPTCHA requires JavaScript too.
porneL
Wow, does that really work?!? That seems like a great idea!!!
Josh
I did it too and it works great.
usr
+1  A: 

In the same vein, adding a dummy field and then using CSS to hide it is a good way to trick the bots. If the field is submitted, you know a non-human probably completed the form.

Especially effective if you label/name the field something along the lines of URL or website.

Dave Ward
+1  A: 

Check http://kahi.cz/wordpress/ravens-antispam-plugin/ for a nice answer.

It puts in:

<noscript><p><label for="websiteurl99f">Please type "e73053": </label><input type="text" name="websiteurl99f" id="websiteurl99f" /></p></noscript>
     <script type="text/javascript">/* <![CDATA[ */ document.write('<div><input type="hidden" name="websiteurl99f" value="e' + '73053" \/><\/div>'); /* ]]> */</script>

So JavaScript users see nothing; non-JS users just type in a word.

If a spammer targets you specifically, it won't take them long to code round it, but for drive-by spammers it should be good.

James
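
The two checks suggested in the answers above (a CSS-hidden decoy field, and a hidden field that only page script fills in), combined into one server-side decision, as an added example that is not code from any answer or from the plugin. It goes one step beyond the thread by signing the script-supplied value with a timestamp so a value scraped once stops working; the field names `website` and `js_token`, the secret and the one-hour limit are assumptions.

```javascript
// Added example: server-side triage of a posted form (Node.js, no framework).
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: per-site secret from config
const HONEYPOT = 'website';               // assumption: decoy field hidden with CSS
const TOKEN_FIELD = 'js_token';           // assumption: hidden field set by page script
const MAX_AGE_MS = 60 * 60 * 1000;        // assumption: token valid for one hour

function sign(issuedAt) {
  return createHmac('sha256', SECRET).update(String(issuedAt)).digest('hex');
}

// Value the server embeds in the page script; the script copies it into
// TOKEN_FIELD after load, so a client that never runs script never sends it.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

function tokenState(token, now) {
  const [ts, mac] = String(token ?? '').split('.');
  if (!ts || !mac) return 'missing';
  const expected = Buffer.from(sign(ts));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'forged';
  }
  return now - Number(ts) > MAX_AGE_MS ? 'expired' : 'ok';
}

// Returns 'accept', 'reject', or 'challenge' (show the <noscript>-style
// question or a CAPTCHA instead of silently dropping the post).
function classifySubmission(fields, now = Date.now()) {
  // A human never sees the decoy field, so any content in it is a bot signal.
  if (String(fields[HONEYPOT] ?? '').trim() !== '') return 'reject';
  const state = tokenState(fields[TOKEN_FIELD], now);
  if (state === 'ok') return 'accept';
  if (state === 'forged') return 'reject';
  // 'missing' or 'expired': may be a real visitor with JavaScript turned off
  // or a page left open too long, so fall back to a challenge.
  return 'challenge';
}
```

A missing token leads to a challenge rather than a rejection, since visitors with JavaScript turned off would otherwise be treated as spam.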
A: 

Did you have any luck with this? I think some text-based browsers have implemented basic JavaScript support, so maybe spam bots have as well?

Otherwise I'm considering using a captcha for users without JavaScript and some automatic JavaScript check for other users.

Jacob R