Matt's Blog

eMoms at Home is having another Group Research Project, so here’s my post. 😀  

In this age of the Internet, SPAM is an inevitability. If you have a site that’s open to the public, and it has some type of Form on it, it’s only a matter of time before SPAM starts rolling in.

Sure, you can filter it out at your end, but why not stop it from even getting through? Why not use rudimentary techniques to stop SPAM bots from even getting the comment to the processing stage? These rudimentary techniques are easy for humans to easily pass, but SPAM bots will have a hard time with it.

CAPTCHA

Probably the most common way of trying to stop SPAM is by using a CAPTCHA. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. What it is a dynamically generated (in other words, on-the-fly) image that contains a random string of letters, numbers and/or other characters or a word. The text is then made less readable by one or more of the follow methods:

• distorting the text, such as by warping it
• adding random lines
• coloured shapes behind the text
• grids
• textures on the font
• colours

There is a large flaw with CAPTCHA’s. People are making SPAM bots smarter and smarter, so CAPTCHA’s need to get harder and harder. That’s fine, but a lot of CAPTCHA’s cross the line of the human being able to read it. So, when it gets to that point, nothing’s going to get through that form, not even stuff from humans.

Another large flaw with CAPTCHA’s are that screen readers can’t read/see them. So when someone who is disabled or visually impaired comes to that form, they won’t be able to type in the CAPTCHA because they won’t know it’s there. Large corporations, such as Microsoft, have developed a way for the CAPTCHA to be spelled out. But, that’s extremely hard, and a waste of time, basically.

I’m not going to provide any code for CAPTCHA’s, mainly because every CAPTCHA should be different.

Simple Math

Another method of prevent simple SPAM bots from submitting SPAM into your forms is to make the submitter do some simple math. And by simple math, I mean like “1+1”, not “-(2x² + 56 • 3xy³r²wc⁶)² = 3456″. 😉 Which I don’t even think is possible. 😛 Well, it might be…

Matt Cutts uses this technique on his blog, for comments.

Here’s some proof-of-concept code (note, this code might not work, that’s why it’s called proof-of-concept 😉 ):

First of all, you would want to generate some random numbers. Now, since this is simple math, I recommend nothing over 10, so the user will, hopefully, know the answer without even thinking about it. I’m going to use the mt_rand() function. You could also use the rand() function, but mt_rand() is faster and is more random.

So, lets randomise some numbers!

<?php 
$number1 = mt_rand(1, 10); 
$number2 = mt_rand(1, 10); 
$equation_string = $number1 . "+" . $number2; 
$equation_answer = $number1 + $number2; 
?>

Now, you’ll want to use $equation_string right beside a new text input field.

Now, you could just take out $equation_answer and then store $equation_string in a hidden field and then process it on the flip side of the form. But, to make it easier, we’re going to do something different.

So, what you want to do is store $equation_answer in a hidden field (<input type=”hidden” />). But, wait, don’t leave it raw. By raw, I mean just the answer. It should be encoded first. For this, I’m going to use base64_encode(), simply because it’s decodable and it came to mind first. 😛

So, replace the second to last line in the code before, with this:

$equation_answer = base64_encode($number1 + $number2);

Then, in the processing part of your form, you’ll want to grab the value of the text field and the hidden field (so make sure you put a id and name on it), use base64_decode() to decode the answer and check if they match. Assuming you put the fields in the variables $user_answer and $equation_answer, respectively: (you better make sure they submitted a number, too)

if (!is_numeric($user_answer)) {
echo "That's Not a Number!";
exit;
}
$equation_answer = base64_decode($equation_answer);
if ($user_answer == $equation_answer) {
// Okay, passed, carry on processing...
}
else {
// Failed, stop the script...
echo "Your Calculation is Incorrect!";
exit;
}

And, there you have it. 😀

Conclusion

I have explained two different rudimentary ways of stop simple SPAM bots from even getting to the processing of your form. Please note, that it is nearly impossible to stop SPAM all together, but using a carefully thought out SPAM defense plan, you can a least minimize it.