Form Security - Spam Bots

Hi everyone,

I have a form that asks for a user's name, email & any comments.
I have included a “Are you Human” question i.e. 5 + 2 =

Name is set to input type “text”.
Email is input type “email”.
Comment is input type “text”.
Are you Human is currently not set but it could be set to number and a range of 1 - 10 for example.

What is 5+2? <input name="human" type="number" min="1" max="10">

My Question relates to spam bots. How intelligent are they these days?

If I set the “Are you Human” input type to number and a range, am I making it extra easy for the spam bot?
Can they process the information I have provided?

If I don’t narrow down the type and range, a human will still understand the question.
However, would it be more difficult for the spam bot?
Would they fill the field with text or something else for example?

BTW, I have included both client and server-side validation for this question field.

Thanks for any help / insights.

Andy :wink:

Well, you are using HTML5 input types. They only work under a browser that works with HTML5. (Not all browsers are up
to date!) It is currently the standard in the world, but, older systems might have problems with the input types.

A spam-bot is only as good as its programmer. It is extremely easy for a spammer to read your page of HTML code and
know what it does. Any PHP programmer can load any URL from the internet and save it as a string and decode its inner
HTML to see what is in the INPUT field. BUT, most spammers do not sit and look at the millions of pages that their code
has scraped off the internet. Therefore, it is good for a start to just use your simple 5+2 system. If your site starts having
spamming issues, then, you would have to move up to a “Captcha” type of system where the picture is harder for the spam
system to decode. Basically, a spammer would have to program his robot to handle inputs with every caption that you could
dream up. “Are you Human?” is a common one, but, the spammer would need to customize the code to look for that. Doubt
that they would go that far. A spamming robot is only as smart as its programmer designed it to be. They do not do any
other thing except what they are designed to do. One simple change can make it not work.

Now, as far as your server-side and client-side validation? If you place code in Javascript into your HTML, you have to be
careful that it does not give away your security. Remember that Javascript can be seen by a spammer if it is embedded
into your HTML code. You can always review this by just RIGHT-CLICKING on your live page and selecting VIEW-SOURCE.
Then, you can look at the input fields and see what the spammer’s robot sees. (Note that you will never see any PHP code
in the listing!)

Not sure if this helps, but, hopefully it does… Good luck!

Yip, that helps ErnieAlex. Thanks for the information.
As you say, it should do as a start. I can always revisit if there are any issues in the future - you’ve gotta start somewhere!

Thanks again.

Andy :wink:

You are very welcome… I will mark this one solved even if it is a bit hanging open. Then, when you get further we can deal
with other questions on the same subject…

Good luck! CYA in the Bitstream… ( That’s all this really is, LOL )

One of the best simple validations I have seen asked for an artist's album name. Something I had to look up to use their site. Takes simple validation to another level.

Yes, nice variation! I have used the “You must erase this line!” in an extra field. Since web-bots tend to fill in every field, this
works in a simple way, too…

Both sound like really good ideas.

I found the Honeypot Technique (http://www.dexmedia.com/blog/honeypot-technique/) to be pretty effective against spam bots in general. The added bonus is that it doesn't distract real users from accessing the site, but nothing is 100 percent foolproof.

I had to read it twice to get it… It is basically like removing text, but, is hidden instead. So, this would work well.
Unless the bot skipped filling that field in… I agree this is a nice non-distracting version…
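Pulling the thread's ideas together (the "What is 5+2?" number field with server-side validation, the "You must erase this line!" field, and the hidden honeypot field), here is an added example of the server-side check, written for this thread and not code from any poster. Field names, the `secrets`-based question generator, and the session-style storage of the expected answer are assumptions; the point is that the answer is compared on the server and never shipped to the browser, so the JavaScript a bot can read with VIEW-SOURCE gives nothing away.

```python
import re
import secrets

# Field names are assumed; they only need to match the HTML form.
HONEYPOT_FIELD = "website"    # hidden by CSS, so humans never see or fill it
ERASE_ME_FIELD = "erase_me"   # prefilled with the sentinel text below
ERASE_ME_TEXT = "You must erase this line!"
HUMAN_FIELD = "human"         # the "What is 5+2?" answer box


def make_challenge():
    """Build a small arithmetic question. Only the question text goes into the
    page; the expected answer is kept server-side (e.g. in the session),
    never in a hidden input or in JavaScript."""
    a, b = secrets.randbelow(5) + 1, secrets.randbelow(5) + 1
    return f"What is {a}+{b}?", a + b


def validate_submission(form, expected_answer):
    """Return (ok, reason) for a posted form dict and the server-side answer."""
    # Honeypot: bots tend to fill every field, humans cannot see this one.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # "Erase this line" variant: the prefilled sentinel must have been removed.
    if form.get(ERASE_ME_FIELD, "").strip():
        return False, "erase-me field not cleared"
    # Arithmetic answer: accept only a short run of digits, compare as integers.
    # Client-side min/max on the input is convenience only; enforce it here.
    raw = form.get(HUMAN_FIELD, "").strip()
    if not re.fullmatch(r"\d{1,3}", raw):
        return False, "answer not a small number"
    if int(raw) != expected_answer:
        return False, "wrong answer"
    # Minimal sanity on the real fields so empty junk is still rejected.
    if not form.get("name", "").strip() or "@" not in form.get("email", ""):
        return False, "missing name or email"
    return True, "ok"


if __name__ == "__main__":
    question, answer = make_challenge()   # render `question` into the form
    # Constructed sample submissions: one human, one bot that fills every field.
    human = {"name": "Andy", "email": "andy@example.com", "comment": "Hi",
             HONEYPOT_FIELD: "", ERASE_ME_FIELD: "", HUMAN_FIELD: str(answer)}
    bot = {**human, HONEYPOT_FIELD: "http://spam.example",
           ERASE_ME_FIELD: ERASE_ME_TEXT}
    print(question, validate_submission(human, answer))   # (True, 'ok')
    print(question, validate_submission(bot, answer))     # (False, 'honeypot filled')
```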
