Spam via website enquiry form. Solution?

[Axel]

Hi,

I made a website for a friend and the enquiry form is fairly basic. He's suddenly getting spammed a fair bit through it and I was wondering if there were any suggestions to make it more difficult for the bots. Would rather avoid a captcha for such a simple and small website.

Example:

From: SNIPPED
Sent: Wednesday, March 27, 2013 6:25 AM
To: SNIPPED
Subject: Customer Enquiry

Name:Hermosallg
Email:fjptly198@mail.ru
From:Hermosallg
To:
Details:pequenos musical teaching college pc games reviewa russian ladies
marriage refactory    [url=http://www.pradabagsjpmise.com/]プラダ
長?²?布[/url]
hd burner record collector wooden potty chair 3 3101 gracecheng
[url=http://www.mcmbagsjpmise.com/]MCM 激安[/url]
turbulence 3 movie ear radio zenith zhdtv1 scrubs season 5 super nintendo
gun door speaker sea kayak schecter c 1 classic gear nob obagi nu derm
[url=http://www.blaklabeljpsale.com/]バ??¼バリ??¼ブラックレ??¼ベル[/url]
  mustang stickers pajama travel by cargo ship reinvented green mascara 12
inch speakers aroma burners podolny magneatos razr motorola 

Cheers,

Alex

[episode]

If you're not going to do a captcha, the only other way is to make a checkbox labelled 'Check if you're human' and NOT make it required. That will catch some of them.

[Brian M. Veteran]

You could tie into Akismet's API?

[primexx]

  On 27/03/2013 at 11:59, episode said:

If you're not going to do a captcha, the only other way is to make a checkbox labelled 'Check if you're human' and NOT make it required. That will catch some of them.

or have a hidden field that looks generic so that bots do fill it in while humans won't...

I've also done challenge-response systems that hold the message they want to send, email the address they put into the form, and have them click a confirmation link before sending the original message onward.

captcha is probably the best idea though.

[episode]

  On 27/03/2013 at 19:52, primexx said:

or have a hidden field that looks generic so that bots do fill it in while humans won't...

Not a bad idea.

[Axel]

These are some great ideas. I especially like the idea of the hidden field and getting the user to verify their message before sending. Thanks (Y)

[ncc50446]

I recently looked into the hidden field (Honeypots), and noticed a few concerns about them. Then again, no solution is perfect either lol

People with those screen readers wont know they are hidden, and might fill them in. Have to make sure to tell them not to fill it in.

Will also effect the tab button. While it is hidden, the browser might tab to it.

Some people use those auto-forms. Their form is automatically filled in for registration and such. They might fill it in. Depending on the site and form, might not be a worry.

Though honeypots would effect the fewest people I'm sure, so I'll most likely go that route with my site.

Note: I haven't tried this method. I only looked into it quickly yesterday. Those were concerns that were brought up.

[Depicus]

I use a simple math question i.e. what is 5 + 3 and have cut bots out to 1 a month from 6/8 per day.

[remixedcat]

make them answer a random challenge question the requires thought.

Also use re-captcha as well.

there are even little puzzles you can get your users to put together.

[+DonC Subscriber²]

It depends on the technology that your spammers are using. Some are easy to battle against and some are extremely difficult to the point of impossible to deal with via automation alone.

I share the concern with the hidden field trick. I found that it caught less than 10% of the spam on the site I work on and it came with the risk of tripping up legitimate users.

[Sandor]

Hidden field check is the method we used fairly regularly in my work if we get reports of spam messages. Doesn't interfere with 99.9% of real users and doesn't introduce another step or roadblock.

It's also rather easy to implement too which is nice. In .NET it's a simple "if" statement around the code that generates the email message.