WesleyC - 2:49 pm on Oct 31, 2013 (gmt 0)
While this is more of an anti-form-spam technique, there are a couple of server-side detection techniques I've been using to find and block badly-behaved 'bots that attempt form submissions.
The first is an encrypted (blowfish) timestamp embedded into a hidden form field. This lets the server know what time the form was generated--if it's too old, throw the submission out. This prevents 'bots that "capture" the form once then re-submit it multiple times from operating for more than a few hours (or whatever you set the timeout to).
The second method I use is a form field with a juicy name attribute (say, name="comment") that's hidden via unorthodox CSS methods. A simple display: none is too obvious, and many 'bots will ignore it. What you want is something much more insidious, that would require the 'bot to actually render the full page, notice that this particular form field isn't visible, then decide not to fill it in. I prefer using strange margins with an overflow: hidden container, odd z-indexing, and absolute or fixed positioning to make it not at all apparent from simple parsing of the CSS that the field is not visible. Then, if the field is filled in, throw the submission out as spam.
A third technique is a simple form field with a randomly-chosen string in it, and a matching value saved in the session (not in any value the user has access to). If the session value doesn't match what's in the form, throw the submission out as spam. While cookie-enabled 'bots will walk right past this particular trap, a surprising number of spambots still get caught by it.
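The three server-side checks described in the post above, combined into one validator. This is an added example, not WesleyC's code. It assumes a dict-like session, hypothetical field names "ts" and "nonce", and a three-hour timeout, and it swaps the Blowfish-encrypted timestamp for an HMAC-signed one (readable but tamper-evident) so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # constructed per-process key (assumption)
MAX_AGE = 3 * 3600                # assumed timeout: "a few hours"
HONEYPOT = "comment"              # decoy field name used in the post

def _sign(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def issue_form(session, now=None):
    """Return the hidden field values to embed when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    session["form_nonce"] = nonce  # server-side copy the client cannot edit
    return {"ts": f"{ts}.{_sign(ts)}", "nonce": nonce, HONEYPOT: ""}

def check_submission(form, session, now=None):
    """Return None if the submission passes, else the reason it was rejected."""
    now = time.time() if now is None else now
    # 1. Timestamp must carry a valid MAC and be recent enough.
    ts, _, mac = form.get("ts", "").partition(".")
    if not hmac.compare_digest(mac.encode(), _sign(ts).encode()):
        return "bad-timestamp"
    if now - int(ts) > MAX_AGE:
        return "expired"
    # 2. A human never sees the CSS-hidden decoy, so it must stay empty.
    if form.get(HONEYPOT, "").strip():
        return "honeypot-filled"
    # 3. Random string must match the session copy. Popping it makes the
    #    value single-use, which goes slightly beyond what the post describes.
    expected = session.pop("form_nonce", None)
    supplied = form.get("nonce", "")
    if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "nonce-mismatch"
    return None
```
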