Thread: 3-D CAPTCHA
19th October 2008, ddekok

One spam prevention measure, which I had implemented (after reading about it somewhere), is a bit of form trickery.

Basically, you have an array of several inputs for a given field. You randomly select one as the valid field, giving it a CSS class to make it visible. The rest get a CSS class to hide them. The form has a hidden input with information on which input is valid for a given field (indexed). This data is encrypted. When the form is submitted, the encrypted string is decrypted, and the inputs checked. If any of the invalid inputs have values, the submission is considered spam.

I like this method because it is unobtrusive. However, it can be a bit of a PITA on the back end. Writing a good library for it helps.

There are some pitfalls, though. For instance, the CSS could be parsed. You can do some trickery with that though. Usually I have 5 - 10 different CSS classes for both the hidden and visible inputs and randomly assign one of the classes to each input. The CSS is defined in an external file. It would be possible to have multiple definitions for a given class, with the last one taking precedence.

Also, it wouldn't be viable for people running browsers without CSS (e.g., console, or CSS disabled).

I figure that if the spam check fails (within a certain range, such as 1%-30% of the fields fail), then it could revert to a captcha style spam prevention measure.

Spam prevention is just like virus protection - you either have to be ahead of the game, or really good at playing catch-up.
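A server-side sketch of the decoy-input scheme described in the post above, as an added example that is not the poster's code. Instead of an encrypted index it uses a keyed HMAC over a per-form nonce, so the server recomputes which input is valid rather than decrypting it; the names `render`, `check`, `valid_index`, the CSS class names, the one-hour expiry and the reading of the 30% fallback as "fraction of decoy inputs filled" are all assumptions.

```python
import hashlib, hmac, secrets, time

KEY = secrets.token_bytes(32)   # server-side secret (assumption: one per deployment)
N_INPUTS = 5                    # inputs rendered per logical field
MAX_AGE = 3600                  # seconds a rendered form stays valid (assumption)
SHOW = ["a1", "k7", "q3"]       # constructed names; external CSS leaves these visible
HIDE = ["b2", "m9", "z4"]       # constructed names; external CSS hides these

def tag(*parts):
    return hmac.new(KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def valid_index(ts, nonce, field):
    # Keyed function of the token: a client without KEY cannot predict it.
    return int(tag("idx", ts, nonce, field), 16) % N_INPUTS

def render(fields, now=None):
    """Return (token, html) for one form instance."""
    ts, nonce = str(int(now or time.time())), secrets.token_hex(8)
    token = f"{ts}.{nonce}.{tag('tok', ts, nonce)}"
    rows = []
    for f in fields:
        good = valid_index(ts, nonce, f)
        for i in range(N_INPUTS):
            cls = secrets.choice(SHOW if i == good else HIDE)
            rows.append(f'<input name="{f}[{i}]" class="{cls}">')
    return token, "\n".join(rows + [f'<input type="hidden" name="tok" value="{token}">'])

def check(form, fields, now=None):
    """Return (verdict, values); verdict is 'ok', 'captcha' or 'spam'."""
    try:
        ts, nonce, mac = form.get("tok", "").split(".")
        age = int(now or time.time()) - int(ts)
    except ValueError:
        return "spam", {}          # missing or malformed token
    genuine = hmac.compare_digest(mac.encode(), tag("tok", ts, nonce).encode())
    if not genuine or not 0 <= age <= MAX_AGE:
        return "spam", {}          # forged, altered or stale token
    values, filled = {}, 0
    for f in fields:
        good = valid_index(ts, nonce, f)
        values[f] = form.get(f"{f}[{good}]", "")
        filled += sum(bool(form.get(f"{f}[{i}]")) for i in range(N_INPUTS) if i != good)
    frac = filled / (len(fields) * (N_INPUTS - 1))
    # No decoy filled: accept. A few filled: fall back to a CAPTCHA. Many: reject.
    return ("ok" if filled == 0 else "captcha" if frac <= 0.30 else "spam"), values
```

The timestamp in the token limits how long a scraped form instance can be replayed; a single-use nonce store would be needed to stop replay within that window.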