Direct feedback elimination This is more of a general strategy that can be combined with many of the other methods. Don’t let the spammer know if he succeeds. You can either hide the current results altogether, only show percentages without absolute number of votes or delay the display of the votes. Pro: good against all … Read more
The captchas seem to be fooled by adept people. The Akismet is better option in my view. Having said that you should still use captch along with Akismet 🙂
Update: The answer was accepted because I recommended KeyCAPTCHA. From my hard-earned painful expereince, KeyCAPTCHA is a scam by professional spammers. I removed my recommendations of KeyCAPTCHA Note that most professional spambots are integrated with sweatshops (1 USD a 1000 solutions) human captcha solvers API. When a spambot cannot pass captcha itself it (spam bot), … Read more
I very much share your take on CAPTCHA. I’ll list what I have been able to detect so far, for my own detection script, with similar goals. It’s only partial, as they are many more headless browsers. Fairly safe to use exposed window properties to detect/assume those particular headless browser: window._phantom (or window.callPhantom) //phantomjs window.__phantomas … Read more
I basically use one trick on my site to prevent Spam and it works great (at least until spambot programmers will read this post 😉 ). Code is like this: In the script that builds the site which contains the form, I implemented: $_SESSION[‘lastSiteId’] = ‘something Unique’; $_SESSION[‘lastSiteRequest’] = time(); The script that contains the … Read more
Old question, but I thought I’d chime in, as I’ve been maintaining a module for Drupal (Honeypot), which uses the Honeypot spam prevention method alongside a time-based protection (users can’t submit form in less than X seconds, and X increases exponentially with each consecutive failed submission). Using these two methods, I have heard of many, … Read more
As the answers on how XSS can be malicious are already given, I’ll only answer the following question left unanswered: how can i prevent XSS from happening on my websites ? As to preventing from XSS, you need to HTML-escape any user-controlled input when they’re about to be redisplayed on the page. This includes request … Read more
A very simple trick I’ve been using with a surprisingly good success rate is this: Provide a text field that is hidden from human users with style=”display: none”, but with an enticing name like email. Most bots will fill in something in this field, but humans can’t see it so they wont. At the server, … Read more
I have tried doing ‘honeypots’ where you put a field and then hide it with CSS (marking it as ‘leave blank’ for anyone with stylesheets disabled) but I have found that a lot of bots are able to get past it very quickly. There are also techniques like setting fields to a certain value and … Read more
Concept By adding a invisible field to your forms that only spambots can see, you can trick them into revealing that they are spambots and not actual end-users. HTML <input type=”checkbox” name=”contact_me_by_fax_only” value=”1″ style=”display:none !important” tabindex=”-1″ autocomplete=”off”> Here we have a simple checkbox that: Is hidden with CSS. Has an obscure but obviously fake name. … Read more