We're Knights of the Round Table, We dance when ere we're able, We do routines and chorus scenes With footwork impeccable. We dine well here in Camelot, We eat ham and jam and spam a lot. --Monty Python and the Holy Grail
Last year at OSTraining.com, we started using an unobtrusive technique on some of our web forms in an attempt to stop the flood of spambots submitting junk on those forms. It worked better than we could have hoped and we've been talking about turning it into a Joomla! plugin ever since.
With apologies to Monty Python we are calling it OSpam-a-not.
OSpam-a-not looks for all forms on a Joomla page when the visitor is not logged in. Unless a form has only a single text field and no submit button, two fields are added at the very end of it.
So, how does OSpam-a-not work?
Time Gate
First is a hidden field holding a timestamp of the moment the field was created and added to the form. If the form comes back faster than a human could possibly have filled it in, we can block the submission. Because the right interval depends on many unknown factors and a bad choice could create too many false positives, this test is turned off when you first install the plugin; the field is still added to the form. Similar to the token Joomla uses to prevent CSRF attempts, the field name is a hashed value, which lets us recognise a protected form when it is submitted.
<input type="hidden" name="4dae3556796029138fbec8655162f36b" value="1421891860.0"/>
Honey Pot
This is the technique we implemented at OSTraining to stunning success. A text field is added to the form and hidden by a style rule appended to the end of the document head. It isn't visible to a human user, but a spambot doesn't apply the style and fills in the field anyway. If we find anything at all in that field when the form is submitted, we've caught a spambot in the honey pot, and the submission is blocked.
<style type="text/css">input[name=my_name] {display: none;}</style>
<input type="text" name="my_name" value=""/>
It seems entirely possible that if a spambot saw a text field named 304777dc6667acf98dd
it might get suspicious and leave it empty. Something like 'my_name' is much sweeter sounding. So we choose from a list of reasonable-sounding field names, picking one that isn't already on the form.
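Both mechanisms, the time gate and the honey pot, worked through end to end as an added example. This is illustrative Python, not OSpam-a-not's PHP, and it assumes a per-site secret, a candidate list of honey pot names and the exact skip rule for one-field forms, none of which the post spells out. One deliberate difference from the plain timestamp shown above: the hidden value here is "timestamp|honeypot-name|HMAC", so the server can tell which field is the trap on submission and a bot that reads the value cannot backdate it. The time gate defaults to 0 seconds, matching the plugin shipping with that test off.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumption: a random per-site secret. The plugin's real source for its hashed
# field name is not shown on the page; any stable per-site value will do here.
SITE_SECRET = b"ospam-a-not-example-secret-change-me"

# Assumption: sweet-sounding candidate names. The plugin's own list is not shown.
HONEYPOT_NAMES = ["my_name", "your_email", "phone_number", "website_url", "company"]

# The time gate ships disabled (0 seconds); raise this to, e.g., 3.0 to enable it.
MIN_SECONDS = 0.0

_INPUT_RE = re.compile(r"<(input|textarea|select|button)\b([^>]*)>", re.I)
_ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]*)', re.I)


def _fields(form_html):
    """Yield (tag, attribute-dict) for every form control in the markup."""
    for tag, attrs in _INPUT_RE.findall(form_html):
        yield tag.lower(), {k.lower(): v for k, v in _ATTR_RE.findall(attrs)}


def should_protect(form_html):
    """Leave alone a form with exactly one text field and no submit button."""
    fields = list(_fields(form_html))
    text = [a for t, a in fields if t == "input" and a.get("type", "text").lower() == "text"]
    submit = [a for t, a in fields
              if (t == "input" and a.get("type", "").lower() in ("submit", "image")) or t == "button"]
    return not (len(text) == 1 and not submit)


def timestamp_field_name():
    """Hashed name for the hidden timestamp field; its presence marks a protected form."""
    return hashlib.md5(SITE_SECRET + b":ospamanot-timestamp").hexdigest()


def _sign(payload):
    return hmac.new(SITE_SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]


def pick_honeypot_name(form_html, choose=secrets.choice):
    """Pick a candidate name that no real field on the form already uses."""
    used = {a.get("name", "").lower() for _, a in _fields(form_html)}
    free = [n for n in HONEYPOT_NAMES if n not in used]
    if not free:
        raise ValueError("every candidate honey pot name is taken on this form")
    return choose(free)


def protect_form(form_html, now=None, choose=secrets.choice):
    """Append the timestamp and honey pot fields just before </form>.

    Returns (patched form HTML, style tag for the document head). The hidden
    value is "timestamp|honeypot|HMAC" rather than the bare timestamp on the
    page, so the server learns which field is the trap and a bot cannot backdate it.
    """
    if not should_protect(form_html):
        return form_html, ""
    stamp = f"{time.time() if now is None else now:.1f}"
    hp_name = pick_honeypot_name(form_html, choose)
    payload = f"{stamp}|{hp_name}"
    token = f"{payload}|{_sign(payload)}"
    added = (f'<input type="hidden" name="{timestamp_field_name()}" value="{token}"/>'
             f'<input type="text" name="{hp_name}" value=""/>')
    end = form_html.lower().rfind("</form>")
    if end < 0:
        raise ValueError("no closing </form> tag")
    style = f'<style type="text/css">input[name={hp_name}] {{display: none;}}</style>'
    return form_html[:end] + added + form_html[end:], style


def check_submission(post, now=None, min_seconds=MIN_SECONDS):
    """Return (allowed, reason) for a dict of submitted fields."""
    now = time.time() if now is None else now
    token = post.get(timestamp_field_name())
    if token is None:
        return True, "unprotected form"          # we never added our fields to it
    parts = token.split("|")
    if len(parts) != 3:
        return False, "malformed token"
    stamp, hp_name, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{stamp}|{hp_name}")):
        return False, "bad token signature"
    if post.get(hp_name, ""):                    # anything at all in the trap
        return False, "honey pot filled"
    try:
        elapsed = now - float(stamp)
    except ValueError:
        return False, "malformed timestamp"
    if elapsed < min_seconds:
        return False, f"submitted after {elapsed:.1f}s, faster than a human"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample form, not taken from any real site.
    form = ('<form method="post" action="/contact"><input type="text" name="name"/>'
            '<input type="text" name="email"/><input type="submit" value="Send"/></form>')
    html, style = protect_form(form, now=1421891860.0, choose=lambda names: names[0])
    print(style)
    print(html)
```

On a real site the style tag goes into the document head, away from the form, so a bot that only parses the form markup has no hint that the field is hidden. Keeping the field name off any real field matters both ways: a genuine "my_name" input would be hidden by the rule, and its value would trip the trap.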