
Securing your email forms using css or php’s ming library

I recently had a conversation with my teacher from last year, Jim Rutherford from Digital Media Minute, about securing web forms that have email fields where the email address ends up going to a mail script. I’ve always busted my brain on how to do this. I’ve used math equations, but a bot could just loop through numbers easily; I’ve used captcha, but it’s kinda annoying; I’ve seen scripts that check if the referring page was from the same domain, but you could use curl to get around that; I’ve used Flash to create the form and then pass the variables to a script to do the handling, but that takes time and isn’t accessible (yet); and the list goes on. When talking with Jim, he said one of his previous employers used CSS. I was shocked at how easy it was. Although it doesn’t stop all spam, it can stop most of it. I’ve also done some stuff with PHP’s Ming. Ming is a library for creating Flash. Here are two tutorials: the first uses Jim’s simple CSS trick, and the second uses Ming and PHP.

Using CSS/Simple Trickery (AkA Bastard Bots Blocker):

<!-- the CSS rule that hides the honeypot field from people (but not from bots) -->
<style>.hidden { display: none; }</style>
<input name="city" type="text">
<input name="email" class="hidden" type="text">

How it works:
Users don’t see the hidden name="email" field, but bots do, and they insert email addresses into it. Bots also insert a string like Vancouver into the name="city" field (which is actually set up to be the email field for users), and well, obviously there’s not going to be any email sent. This is a really simple way of stopping the bots, to a point.

Using PHP and Ming (AkA Bastard Bots Blocker that’s a bastard to set up but easier than doing your own captcha):
First you will have to have Ming installed. I believe as of PHP 5 Ming is packaged in. Not too sure though. I know that if you install PHP 5 using Marc Liyanage’s package it comes with it. Note: This is similar to captcha but easier.

<?php
 // Generate the random string the visitor will have to retype (one way of many).
 $random_string = substr(str_shuffle('ABCDEFGHJKLMNPQRSTUVWXYZ23456789'), 0, 6);
 // Remember it server-side so the form handler can compare the user's answer to it.
 session_start();
 $_SESSION['captcha'] = $random_string;

 // Ming needs a font in its .fdb format; this file must exist on the server.
 $font = new SWFFont("Bitstream Vera Serif.fdb");
 $text = new SWFText();
 $text->setFont($font);
 $text->moveTo(200, 400);
 $text->setColor(0, 0xff, 0);   // green text (r, g, b)
 $text->setHeight(200);
 $text->addString($random_string);
 $movie = new SWFMovie();
 $movie->setDimension(6400, 4800);
 $movie->add($text);
 // Serve the result as an SWF; nothing may be echoed before this header.
 header('Content-type: application/x-shockwave-flash');
 $movie->output();
?>

How it works:
Basically this is PHP creating a Flash file with a text string in it. The random string part isn’t part of this tutorial, but it’s not hard to do. Once that small Flash output has been created, you can have a field that a user has to type the random string into, and then in your processing script just check that the submitted string matches your $random_string variable. I haven’t done this, but I have used Ming to create Flash and this works. Also note that you will have to get your hands on an .fdb font file and upload it to your server. Also another note: Not accessible = booo.
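Neither trick does anything until the form handler actually checks the fields, so here is an added example (my own code, not from the post or from Ming) of a handler that enforces both: the CSS honeypot from the first tutorial and the Ming string from the second. It assumes the form posts "city" (the real address, per the CSS trick), "email" (the hidden honeypot), "code" (what the user read off the SWF) and "message", and that the SWF script stored its random string in $_SESSION['captcha']; the field names beyond city/email and the recipient address are assumptions.

```php
<?php
// Added example, not part of the original post. Assumed field names:
// city = real address (per the CSS trick), email = hidden honeypot,
// code = text read from the Ming SWF, message = the body to forward.
session_start();

function is_spam_submission(array $post, $expected_code)
{
    // Honeypot: a real user never sees the hidden "email" field, so anything
    // in it came from a bot that filled every field it could find.
    if (isset($post['email']) && trim($post['email']) !== '') {
        return true;
    }

    // The visible "city" field is the real address and must parse as one.
    // FILTER_VALIDATE_EMAIL also rejects CR/LF, so it cannot smuggle extra
    // mail headers when it is used in the From: line below.
    $address = isset($post['city']) ? trim($post['city']) : '';
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return true;
    }

    // Ming captcha: the typed string must match what the SWF showed.
    // A missing session value means no image was generated for this visitor.
    $typed = isset($post['code']) ? trim($post['code']) : '';
    if ($expected_code === null || strcasecmp($typed, $expected_code) !== 0) {
        return true;
    }

    return false;
}

// Read the expected string once and discard it: one attempt per image,
// so a bot cannot reuse a single solved value for many submissions.
$expected = isset($_SESSION['captcha']) ? $_SESSION['captcha'] : null;
unset($_SESSION['captcha']);

if (is_spam_submission($_POST, $expected)) {
    // Give the bot nothing to learn from; just stop.
    header('HTTP/1.1 400 Bad Request');
    exit;
}

$to      = 'you@example.com';   // placeholder recipient, change for your site
$body    = isset($_POST['message']) ? $_POST['message'] : '';
$headers = 'From: ' . trim($_POST['city']);
mail($to, 'Contact form', $body, $headers);
echo 'Thanks, your message was sent.';
?>
```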

Here’s a great Ming resource

RELATED:

Jonathan Snook has a sweet write up on developing his own spam blocking system that was interesting to read.

Also, Defensio has a really cool application that you can sign up for and include in your own sites. Oh, and they’re Canadian too!
