The other main problem is that if this plugin starts to be used a lot, spam bot developers will use its source code to find ways of going around it. Which is why I have to find ways that will make it very hard for them.

So far this plugin has blocked 23 attempts of spamming in my blog, since I activated it for testing 3 hours ago. Only 2 spam comments actually went past the security walls I had setup. Which means that in this early stage it has a 92% accuracy.

Thanks a lot for your ideas, I will consider them carefully
Alex

The alternative from the “noshow” could be to simply blend the text field with the form
background using css again of course for border, background, and text;
– this method should allow for 99% compatibility with all browsers.

When it doesn’t you can use the feature for decoration to display a link or some text.

I agree with most here however that this feature will get adopted by the masses, then it will definitely need those extra layers of security ( randomness, etc ) that have been proposed.

Along the lines of the generation of content based on the most simple user interaction which I’ve been considering but aren’t too transparent.
– you could get the user to type a number between 1 and 26 (provide a chart) based on the first letter of their email; seemed much left cryptic than any captcha I’ve seen.
– you could also have the user select 2 out of 5 radio buttons. (which 2 could depend on the form content)

For the purpose of preserving the life of the tool, you definitely need a thank you page so the the operation is transparent to the bot. however that page can inform the real user that they have failed in sending you a message but that they can retry by simply typing the email once more ( that is not too much of a hoop to jump through)

Enough said for now.

– od46.com

It is giving me some interesting results, although I still need to work on it

Thanks for everyone’s support

If everything goes as planned, the plugin will use several “invisible” techniques that the reader won’t even notice to stop spam, and become this way the most silent option when fighting spam.

Thanks for the idea

This plugin is turning way more complex than it seemed when I started its development!

Combine this with your strategy and maybe it will be the next best anti spam method. Even Microsoft is tackling this strategy.

I found that most bot developers actually look at the code thoroughly. I added a hidden timestamp field on one of the sites I developed. The bot coders actually scripted the timestamp into their submission engine to make it seem like it took 2-3 minutes for submission.

There is a drawback to giving a legitimate person a thank you page, when you’re flushing their email because they matched a bot pattern because they assume their message to you has come through. That’s fine for a personal website, but in corporate situations, you have to make sure you’re not discarding valid emails.

What I noticed is if I can hash something that’s unique to that user’s session(not necessarily a session var), without causing a real end user grief when they forget something like their email address, then I have something for comparison to make sure they’re at least using my form and not simply posting to my form handler. Nothing says they’re even using your form at all.

My latest approach takes a couple of hashes and a random number. I hash their IP and the random number together, then i hash their user agent. Since most bots don’t actually have to use your form for submission, it’s a good idea to try and make your handler force submission through your form. I hash their user agent because that changes when they start implementing the bots too. It has to be exactly the same for it to match for a hash. I also flush the email if I get an empty user agent. In addition I pass the hashes via GET and the random number via POST.

Surprisingly, some of the spam I get via forms is a real person pasting links and so forth. I’ve got keyword blockers on some of my forms that look for flag words and look for words without vowels. Don’t get too many of those in everyday speaking. I also bounce emails that have BBcode in them. In short, it will cut down on headaches, but there will always be someone who takes the time to fill out the form just so they can let you know they have beaten you.

Another approach I’ve used in the past is a reverse dictionary attack. I used bayesian logic to develop a pattern for good submissions via the form. Depending on the form, it could be people sending their contact info, maybe even requesting information. Since most spam doesn’t sound like real content this can work in a variety of situations.

If something flushes it’s a good idea to write it to a log, that way you can check for false positives as well and fix the code if trouble arises. Also remember to use Regular Expressions.

I am sure that bot developers will eventually find a way around this, or will teach the bots how to read CSS, but we can always make it so hard to figure out that no one will ever understand it.

Another way I was thinking about was to position it under the real form elements using negative top margin. For example under the field Name, we could place another field that shouldn’t be filled…

But anyway, this requires a lot of thinking, and first I need to get the plugin to work

Maybe an even better way to counter this would be to actually show the field and ask the user not to enter anything here!!! This way, the “human” genuine user does not enter anything in that field while the bot does!

When I have some stats I will publish an article with my research and results, and in a few weeks when the plugin is working and thoroughly tested I will publish it as well.

Thanks for your interest!

About the CSS issue, I’ll try to find a good way of hiding the fields without the bot being able to notice it… Either with the margin or with the size I still don’t know how.

First I’ll get everything else to work, like the processing, and the implementation of the extra fields, and then I’ll start working on the details like improving the CSS, and the overall security.

Thanks a lot for the ideas!

When I have some stats I will publish an article with my research and results, and in a few weeks when the plugin is working and thoroughly tested I will publish it as well.

Thanks for the ideas.