Invisible Captcha Concept – Stop Spam Mail

Captcha Image

Captcha forms, having to type in obscure numbers and letters into a form to verify you’re a human is almost as annoying as receiving spam its self. I’ve spent some time thinking about an alternative to a captcha form that still detects if the form submission is spam without the need for users to enter an annoying code, here is the solution I’d like to share with you.

The theory is as follows; when a spam bot comes to your website, it does not see your website as regular users, nicely styled with CSS… it sees code, specifically forms, textareas and text inputs, then it fills them out and submits the form.

How do you stop this without a captcha form?

Create a text input field & hide it with CSS.

[sourcecode language=”xml”]

Please leave blank:

[/sourcecode]

Create a textbox that the bot will presume is just a field it can exploit with rubbish and label it with an indicator to let any viewers without the privileges of CSS know that it is to be left blank.

Disregard submissions with a value for this field.

[sourcecode language=”php”]if($_POST[“gotcha”]!=””){
header(“Location: {$_SERVER[HTTP_REFERER]}”);exit;
}[/sourcecode]

The above example is in PHP, it basically aborts the script if there is a value entered for the field!

I’ve been running this on my website and websites I’ve built for the last year or so and it has cut out all spam, give it a try let me know how you get on!

15 thoughts on “Invisible Captcha Concept – Stop Spam Mail”

  1. I’ve been getting a lot of junk via my clients simple email forms. I have just implemented this into one of the websites which receive a lot of spam to see if it makes a difference.

    Thanks for the code – I’ll let you know how it goes.

    Simon

  2. Ben,

    This seems great to foil spammers. I was wondering though, with PHP do you have to have the $PHP before any of the code?

    I’m really a babe in the woods when it comes to PHP. Thanks.

  3. Elena, the syntax is as follows:

    < ?php code ?>

    Replacing “code” with valid PHP code, the PHP part of the above script you should add to the top of your PHP file that processes and sends your form.

  4. Most anti-spam systems do not scale – they fail as soon as they become popular. That is because spam bot herders are real people who like gaming our antispam systems.
    How long will it take for a spammer to write a rule for his bots not to fill anything in that “invisible captcha field”?
    It’s just an endless arms race between spammers and us to keep our systems relevant. So I take the side of reCaptcha, it seems just as good as anything else on the long term.

  5. Bogdan thanks for your comment.. the whole idea behind this is that the spam bot does not know if the field is hidden or not so it presumes it is another field that can be exploited. Sure if everybody started using this script someone would develop a way to ignore it very easily by just telling the spam bot to omit any fields with a specfic name or class.. and in which case we then change the name or class!

    The only way they could destroy the whole concept is if the bot was able to query the stylesheet and then reference classes that apply to the containing html elements of the field to deduce if its is hidden by CSS or not, that would not be an easy task.

    Besides, the beauty of this is it is not mainstream like capcha or the others so the few people who have found this and who use it can rest assured that works great and its unlikely to be hacked any time soon.

  6. The REAL beauty of the Invisible Captcha is that it doesn’t inconvenience users of the site, and that it’s a completely accessible technology — usable by screen readers, braille devices &c — because there’s nothing there!

    Thanx for this; I’ll be putting something similar in my forms from now on.

    –Bob.

  7. The CSS handling is not difficult at all, there are CSS libraries out there that will calculate this for you. It might be a bit trickier if it works by hiding the field behind some other div, but still this can be calculated.

    Furthermore, the problem is that this request parameter keeps stable. So even without CSS calculation you just need to know which parameter(s) to skip for certain websites. It’s like a fixed password.

    You can’t fiddle around with Turing 😉

    –Alex

  8. Include the attribute tabindex=”-1″ in the input tag to skip this field with manual tabbing – hopefully the spambots don’t skip this field too!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>