incrediBILL - 5:59 am on Nov 22, 2010 (gmt 0)
It can be this simple:
<script>
// Called from the submit button: count the click as one more "stroke",
// point the form at the real handler, fill in the token and post it.
function SendForm(form) {
  keystrokes(form);
  form.action = "submitform.html";
  form.p_is_bot.value = "...hash code...";
  form.submit();
}
// Called on every keypress in the text field: bump the hidden counter.
function keystrokes(form) {
  form.p_strokes.value = parseInt(form.p_strokes.value, 10) + 1;
}
</script>
<form method="post" name="testform">
<input type="text" name="content" maxlength="120" size="50" onkeypress="keystrokes(this.form)"><br>
<input type="submit" onclick="SendForm(this.form); return false;" name="B1" value="SUBMIT"><br>
<input type="hidden" name="p_is_bot" value="Y">
<input type="hidden" name="p_strokes" value="0">
</form>
If p_is_bot comes back as "Y" and p_strokes=0, we know either a) it's really a bot or b) they didn't have JavaScript enabled. At that point I typically toss the submission in my moderation queue or kick it back with "PLEASE ENABLE JAVASCRIPT AND RESUBMIT".
The above code is simplistic and simply counts all keys pressed and returns that value to the server script. I use something more complex that kicks off a formula that creates a key for the input data that the server side script verifies, but it's overkill at the moment because something as simple as shown will currently stop most, if not all, automated scripts.
When everyone starts doing this the spammers will just send the p_strokes value themselves, which is when you change the formula and break it.
That's the real key here: it'll never work if everyone uses the exact same thing, so something as simple as making each keypress +2 or +3 will break it, or multiply the result by some fudge factor before submitting, anything to keep it unique.
Heck, the script could easily be modified by PHP code each time it displays a page just to frustrate the spammers, even making the names of the scripts random gibberish so there's no "keystroke" function footprint in the code.
The hash code in the p_is_bot field links the request to the IP requesting and some other criteria I used to make sure it's a full round trip, not cached and being served up repeatedly as default values, but that's probably overkill as well.
Plus, I require a cookie to be set that tracks the current session, so it's either a real browser or a real fancy spammer; no armchair programmer kiddie scripts slip through the cracks.
I also validate the user agent and some other criteria; it's a real security checkpoint :)
Simplistic? Yeah.
Stops spam? For now, yeah.
NOTE: p_strokes counts all keystrokes, backspaces, etc., so the actual length of the text rarely matches p_strokes; plus the SUBMIT button adds +1. The whole idea is to see if keys were pressed. You can make it more sophisticated obviously, but this just shows the basics of how the concept works.
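Added example (not incrediBILL's code): one way to write the server side of this check in Python, with the p_is_bot token bound to the requesting IP and a per-page keystroke step (the "+2 or +3" variation). The token layout "nonce.mac", the SERVER_SECRET value and the IP addresses are constructed for the example; the step would normally be chosen per rendered page and remembered in the session cookie the post mentions.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example; a real deployment loads this from config.
SERVER_SECRET = b"example-secret-not-for-production"


def issue_token(client_ip: str, step: int, nonce: str = "") -> str:
    """Value to render into p_is_bot for one page view.

    The MAC covers the client IP, the per-page step and a nonce, so a
    cached page or a replayed default value does not verify later.
    """
    nonce = nonce or secrets.token_hex(8)
    msg = f"{client_ip}|{step}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def classify_submission(form: dict, client_ip: str, step: int) -> str:
    """Decide what to do with a POSTed form.

    "moderate": defaults came back untouched (bot, or JavaScript off).
    "reject":   token does not verify, or p_strokes does not fit the formula.
    "accept":   otherwise.
    """
    p_is_bot = form.get("p_is_bot", "")
    strokes_raw = form.get("p_strokes", "0")
    if p_is_bot == "Y" and strokes_raw == "0":
        return "moderate"
    # Recompute the MAC with the nonce the client echoed back and compare
    # in constant time; a wrong IP, step or tampered token fails here.
    nonce, _, _ = p_is_bot.partition(".")
    if not hmac.compare_digest(issue_token(client_ip, step, nonce), p_is_bot):
        return "reject"
    try:
        strokes = int(strokes_raw)
    except ValueError:
        return "reject"
    # Each keypress adds `step`, and so does the SUBMIT click, so a genuine
    # count is a positive multiple of the step chosen for this page.
    if strokes <= 0 or strokes % step != 0:
        return "reject"
    return "accept"
```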