>> Will reCaptcha work?

Sure. Here's a guide to get you started...

[code.google.com...]

one thing that you could try is to include an extra text box, and then hide it with CSS. a human wont see it, so it will be empty, but a bot will most likely fill it in. so if that field returns some content, you can just reject the submission straight away.

First you should try and halt it on the back end; captchas and front end challenge boxes are a workaround and create one more challenge to your legitimate users. I was asked yesterday to add a captcha to a Wordpress site. The spam kept a comin' . . .

One thread [webmasterworld.com] on filtering cleansed data server side with PHP. I'm presuming like most form spam, it's a link dropping scheme - the second post in that thread shows one decent way to slow it down.

Another thread [webmasterworld.com] discussing form abuse prevention in general. Front end challenge/responses are discussed deeply in this thread ("What is the sum of five plus seven?")

Thanks, eelixduppy. I saw that. I'm new to PHP, so I figured I would ask for a more step-by-step instruction.

That sounds like a good idea, londrum. What would be the coding for that?

Thanks, rocknbil. I'll try your fix as well.

for a hidden input field, you'll only have to do something like this:

In your stylesheet:
_________
input.invis {
display:none;
}
_________


in your HTML form:
_________
<input type="text" name="spamtest" class="invis">
_________


in the PHP script that processes the form:
something like:
_________
<?php
if(isSet($_POST['spamtest']) && $_POST['spamtest'] !== "") {
exit("Please dont spam me");
}
?>
_________

Good luck

I posted a solution that uses a little javascript and PHP to solve the problem toward the end of the thread linked below. The code checks for keystrokes in the browser. No keystrokes, no humans, therefore post can be discarded and automated spam is whacked.

[webmasterworld.com...]

Simple, effective, been working for me for years.

Enjoy.

a more step-by-step instruction

I'm afraid that is a pretty straightforward tutorial on how to add reCAPTCHA to a website. Anything additional would have to require detailed knowledge of the actual scripts on your website. Probably shouldn't take more than 30 mins of fiddling to get it working just right. Perhaps it would be better to take a step back and learn some basics about PHP before diving in. Here [w3schools.com...] and here [php.net...]

But as you can see, there are many ways to thwart form spam. The truth is that it really is specific to your website and how it is being abused, and how you want your user experience to be. For example, incrediBILL's solution 1) requires JavaScript enabled for your users and 2) assumes that someone isn't specifically writing a script to hack your form. In the latter case, it would take no more than 30 seconds of looking at the source code to bypass this mechanism. If you are experiencing very basic attacks against your form then this will likely suffice, but again this is a case-by-case thing -- results may vary.

It's best to try to identify how your form is being taken advantage of (e.g. what if it were just actual humans submitting content? extreme, but possible) in order to figure out what solution will suit you best. Experimentation is also a must

it would take no more than 30 seconds of looking at the source code to bypass this mechanism.

The simple version I posted, true. But as I stated, it takes about 5 seconds to change the values by adding a multiplier or some other fudge factor and the spammer's code won't work again. I was getting 100s of spams per day, had someone from Romania actively hacking at my forms (I was watching them test it) and they gave up quickly after just a little cat and mouse with this code.

I didn't post all my secrets to thwarting the spammers, but if you insist...

As a matter of fact, you can randomly edit my javascript from the PHP server side and put a completely random fudge factor into the code each time you display the page, so unless they read and parse your source every single time, it won't work.

Basically that session ties a specific value to a specific page being rendered, which is where the hash value also comes into play on my site, the Romanian dude never got past it and he tried for hours :)

Besides, almost every site uses javascript these days in the page layouts, nav menus, and Ajax everywhere. The internet it almost unusable if you don't have it enabled, which is why I don't have any problem using it but the bots sure do!

FYI, people that tried my code have said it stopped the problem dead in it's tracks without all the craziness involved with the majorly complicated solutions everyone else peddles. Sometimes simplicity and obscurity are all you need to kick spam to the curb.

you can drop a cookie on their system with javascript as well, and then check if they have the cookie before you submit server-side.
then they will have to allow both cookies and javascript, and hardly any of the easy bots will get past that.

i put a time on my cookie too, and then check how long they took to fill in the form. if its just a matter of seconds then you can disallow it straight away.

check if they have the cookie before you submit server-side

This should probably be checked server-side, not via javascript, for it to work best. Otherwise, also a good idea.

Also, spam bots are automated programs and use curl (or a curl-like mechanism) and the truly motivated can spoof user agents and set and read cookies.

There is no sales pitch in cleansing and filtering input server side. :-)

Thanks, lostdreamer. Can I use that code verbatim, or are there some values that need to be customized?

Thanks, incrediBILL. Looks like a great solution as well. Is that the exact code I can use, or will I need to customize it for the form in question? Also, you mentioned that in order to make it really secure, a multiplier would need to be added. Care to give step-by-step instructions for that?

And I assume that I put the HTML form code either above or below the current form code. Is that right? If not, what is the correct placement?

eelixduppy, I figured that might be the case. Google usually makes things as simple as possible. I might take your advice and become more familiar with PHP via your links. Thanks.

With regard to the server side solution, could you possibly give step-by-step instructions? Thanks.

I use the form name, and two hidden fields. One is a time stamp and the other is an md5 hash of the form name, time stamp and another variable like a secret phrase. The md5 cannot be created independently because of the secret phrase which is not part of the form. It verifies that the time stamp and form name or valid and I set a 15 minute time limit on the validity of the form.

That should give the user enough time to fill out the form and the md5 value can't be used past the 15 minute window.

Haven't had a problem with spam since I implemented this.