How OSpam-a-not Protects Your Joomla Forms

Documentation for Joomla 3

How does OSPam-a-not work? 

OSpam-a-not looks for forms on your Joomla page when the visitor is not logged in. Unless the form has only one text field with no submit button, the plugin will add two hidden fields at the very end of the form.

PS. If you're new to Joomla, I would recommend reading "How to create a Joomla contact form" before attempting this tutorial.

Time Gate

The first field is a hidden timestamp. It records the time the field was created and added. If the form was submitted more quickly than humanly possible, OSpam-a-not blocks the submission.

This interval to use will depend on many unpredictable factors. Obviously, it could potentially create too many false positives. We suggest you turn this feature off when you just install the plugin. But the field is still added to the form.

Similar to the form token Joomla uses to prevent CSRF attempts, the field name is a hashed value we can identify in a protected form when it is submitted. 

<input type="hidden" name="4dae3556796029138fbec8655162f36b" value="1421891860.0"/>

Honey Pot

We implemented this technique with stunning success. You just add a text field to the form and make it hidden. Simply add a style tag at the end of the document headtag.

It isn't visible to a human user, but a spambot doesn't see that and fills in the field anyway. If you find anything at all in that field when the form is submitted, we've caught a spambot in the honey pot! And the form is blocked.

<style type="text/css">input[name=my_name] {display: none;}</style>

<input type="text" name="my_name" value=""/>

It seems entirely possible that if a spambot saw a text field named 304777dc6667acf98dd it might get suspicious and avoid filling it in.

Something like my_name is much sweeter sounding. So we choose from a list of reasonable sounding field names adding the one that we're sure isn't already on the form.

Documentation for Joomla 5

How does OSPam-a-not work? 

The Joomla 5 OSpam-a-not extension looks for forms on your Joomla page when the visitor is not logged in. Unless the form has only one text field with no submit button, the plugin will add two hidden fields at the very end of the form.

PS. If you're new to Joomla, I would recommend reading "How to create a Joomla contact form" before attempting this tutorial.

Time Gate

The first field is a hidden timestamp. It records the time the field was created and added. If the form was submitted more quickly than humanly possible, OSpam-a-not blocks the submission.

This interval to use will depend on many unpredictable factors. Obviously, it could potentially create too many false positives. We suggest you turn this feature off when you just install the plugin. But the field is still added to the form.

Similar to the form token Joomla uses to prevent CSRF attempts, the field name is a hashed value we can identify in a protected form when it is submitted. 

<input type="hidden" name="4dae3556796029138fbec8655162f36b" value="1421891860.0"/>

Honey Pot

We implemented this technique with stunning success. You just add a text field to the form and make it hidden. Simply add a style tag at the end of the document headtag.

It isn't visible to a human user, but a spambot doesn't see that and fills in the field anyway. If you find anything at all in that field when the form is submitted, we've caught a spambot in the honey pot! And the form is blocked.

<style type="text/css">input[name=my_name] {display: none;}</style>

<input type="text" name="my_name" value=""/>

It seems entirely possible that if a spambot saw a text field named 304777dc6667acf98dd it might get suspicious and avoid filling it in.

Something like my_name is much sweeter sounding. So we choose from a list of reasonable sounding field names adding the one that we're sure isn't already on the form.