Mobile browsers and form spam protection

Forum Moderators: open

Message Too Old, No Replies

Mobile browsers and form spam protection

How do you stop spam when you can't use CSS and Javascript?

kujie

10:18 pm on Jun 26, 2009 (gmt 0)

I'm working on a mobile site right now that has a comment form on it. The thing is, how do you protect a form when you can't guarantee the user will have CSS and Javascript? A lot of smartphone browsers, even modern ones used right now, block the two. I can't even do the blank input form field hidden by CSS method.

Anyone have any advice? I've been looking for server side solutions but most of them are intertwined with Javascript and CSS.

Thanks!

kujie

10:26 pm on Jun 26, 2009 (gmt 0)

I guess I should probably note that captchas aren't an option on this project either, or else I would have used those.

penders

10:34 pm on Jun 26, 2009 (gmt 0)

Blocking CSS?! So, even trying to style the site so it works better on a smartphone/smaller screen is a waste of time?!

Spam protection...

- Very strict and verbose validation of the comments field? HTML, BBCode, URLs, keywords...? Although that would no doubt block a few legitimate comments along the way!

- Ask a simple (random) question... "What is one plus two?"

- Or, even a very simple question... "If you are a robot, tick this box [ ]" ...?

kujie

10:44 pm on Jun 26, 2009 (gmt 0)

No, I mean that I can't use the usual way of making an input field display:none so that a human won't see it but a bot will try to fill it in because on many phones, including Blackberrys, it'll display that field and it looks ugly.

The last option I can't use because it's unprofessional (client would say: why do we have this?), but the textual captcha is a GREAT idea. Thanks for that!

penders

11:21 pm on Jun 26, 2009 (gmt 0)

No, I mean that I can't use the usual way of making an input field display:none so that a human won't see it but a bot will try to fill it in because on many phones, including Blackberrys, it'll display that field and it looks ugly.

Ah ok, so CSS to hide an INPUT is being ignored? What about if that INPUT is inside a DIV and you hide the DIV? Or are INPUTs just unhide-able on the Blackberry?!

rocknbil

3:47 pm on Jun 27, 2009 (gmt 0)

Nothing you can do with CSS or Javascript will thwart most spam. The "hidden field" trick has limited success, but in truth, it's the server side processor that checks that the hidden field is blank. And that is where you do your work to stop or at least slow down spam, in whatever script processes your form.

This is because once your form URL is discovered, the robots post directly to that form processor, never visiting the form again. So again, CSS and JS are out of the picture.

I can't use the usual way of making an input field display:none

But can you make an input type of hidden? Some bots will pick this up but most won't.

As said, this has limited success but in combination with other things in your form processing script is a good tool in the arsenal.

swa66

5:33 pm on Jun 27, 2009 (gmt 0)

Work server side.

Generate the form dynamically, add a hidden field with a random number in it. Think of the number as a sessionID. Keep server-side a timestamp when it was generated.
When processing forms, don't act on sessionIDs that are too old.

Check server side for keywords, for bbcode or html links, don't use it if it contains that.