Fighting Spam with CSS

Absolutely superb, so simple and yet so brilliant! cheers for this and nice site

Great idea, I like the way you are thinking here. The only thing that concerns me is that some users may view your site with the CSS off. Might not be the most accessible way to do it, but it looks like a very effective way to get the job done.

Ver very good, as said nice site too.

Excellent idea, well done mister. CSS is also a good buddy of mine!

Overall, I really like this. It’s creative and will work in the majority of cases.

There are however some fringe cases where users have CSS disabled or they are browsing with a non-visual browser (screen reader). If they fill out your form, their message will not reach you. Perhaps there is a way to label the spam catching input as to inform non-spammers of its use?

Thanks!

Great Idea! However where is the php file used to stop this? How do you make it work with just the css and form code?

[…] Get the whole scoop here… […]

Here is a snippet that may help: Click Here

Are there any ways for the spam bot to adapt which they seem to do very quickly? ex look for any fields tagged as invisible?

Also, is there a validation in rails that could send a failed if a field was filled out?

what about doing something with the z-index of the “special” input-field. for example place it behind something else. would be more difficult for the spammer to find a workaround then with a visability: hidden;

but it’s a great idea. thanks

Vision-impaired people’s screen readers will read this site improperly. Admittedly, it’s a small portion of most site’s readership, but it’s worth mentioning.

Three things:

(1) I’ve used

> Process.php returns different results based on what is typed in.

this is bad. the spammer should think his attack was succesful. otherwise they will investigate and adapt their attack to account for your trap!

Aren’t most spam bots human configured/tuned? I think so. Thusly, a hidden form field may not be “configured” or “tuned” in to begin with if they are targetting your site. I know a bot I would write would still work on your site. Since your page is fairly unique (i.e. not discernable from footprint scanning or such) I would tune a spam bot to use it if I really wanted to. If your page was not unique (i.e. fit a footprint of say common forum software or such), then this approach would still not work since the mass of others lead me to discount your hidden form field (if I even noticed it). Nice thinking though.

Daysleeper, good point. It would be better to maybe output “Thank your for your email” or something. Thanks.

this is called a honeypot

IMHO I still think the only *best* way to limit spammers is to use CAPTCHA. Bots learn and it’s only a matter of time before they learn that visibility: hidden or text-indent: -99999px in CSS.

[…] Combat Form Spam with CSS Jump to Comments Very nice.  Link. […]

It’s a nice tip for developers, but to stop spam you really need to help educate the greater number of webmasters out there who can only code so far - inclusion of a mailing script integrated with this would have been great. Otherwise, it’s just the better coders who get dibs on avoiding a problem that is simply getting worse.

2c.

Clever Man Kills Spam, Captcha Not Required….

Excellent article, on a clever way to kill spammers (except for the human ones, of course…) here.
Comments: When doing form submissions, I have four rules.
…

The issue is that most targeted spam bots know what fields they should fill. So this works only on generic forms and cannot be implemented in popular forum/blogging software.

I have to agree with @ObviousOcham here.. as someone who for a day-job creates screenscrapers (non-spam related), I would never be fooled by this method. I would view the page the form is on and then compare the structure and determine the “info” INPUT is unused. Also, I would test it first, which would uncover any trickery like this.

The only thing I worry about is captchas…

Forrest, as for testing, I could easily have it redirect back to the home page and say “Thanks for your submission”. Also, this is just a base for tougher and better techniques. Not everyone has the know-how to integrate captcha, or has the server requirements. This has worked for many of my smaller sites.

Great article, it’s simple, easy to read, and best of all - informative! Thanks.

[…] read an article today that appeared on the front page of digg about hiding parts of a HTML form with CSS to try and prevent spam. Its a nice idea, and the author claims that their “spam levels … went down to […]

I am not convinced by this method - sure it will stop the opportunist “drive by” spam, but an intelligent spammer will be spamming within seconds.

There is nothing to stop someone making a spam bot that is CSS-aware (and Javascript for that matter), simply by making use of the openly available Gecko and IE browser components…

Captchas and/or filtering of some sort (bayesian, akismet etc) are your best bets for the moment really. They aren’t foolproof, but they offer superior protection in my opinion.

[…] step guide using CSS to eliminate automated robots and spam fillers from getting through your forms.read more | digg […]

uh A hidden field set to a value would do the exact same job with less DOM cputime being taken up….

You need to have an associated LABEL element with it:

Please leave this box empty:

With the CSS:

#special, #special-label { display: none; }

display: none is better because it removes it from formatting altogether. visibility: hidden creates a hidden object box, which can subtly influence your layout and be very difficult to debug.

This approach was mentioned before some months back by someone else more prominent on the web (can’t remember who). Also, this approach is not accessible and could invite lawsuits from the ADA if not implemented correctly.

Solution to no css:

html:

Don’t type in the field below:

css:
#text {display: none;}

This has been widely used. on phpBB and punBB forums, the moderators always advise it. I protect everything with this (forums, bug software, blog, contact form, everything). Otherwise, the spam deluge resumes…

Thanks anyway, it’s a good trick.

edit:
[div id=”text”]
Don’t type in the field below:
[/div]

css:
#text {display: none;}

Very nice! Just curious why bots don’t pick up on CSS? Also do you think it will work with inline CSS?

[…] like some of us have discovered now that CSS *can* actually be our friend in more ways than one. This article from Modern Blue explains exactly how to do it. Essentially, you’re hiding an extra text […]

People have tried this before with type=”hidden” fields and bots get through since they soon learn what to send and not send, but the idea of display:none or visibility:hidden on a field might work for awhile. Until they write more code to adapt. People also do something similar with having an extra submit button or another hidden form or changing the action with JS and so if someone doenst have JS enabled it wont submit.

Form Spam voorkomen met CSS…

Soms vind je iets een oplossing voor een probleem, heel eenvoudig en elegant. Iedereen met een blog of site met een form kent het verschijnsel, forms spam. Bots struinen pagina’s af naar forms die ze vullen met nepadressen en reclame. Heel irrita…

Ik spreek nederlands eigenlikj. Bendankt voor uw comment.

[…] to eliminate automated robots and spam fillers from getting through your forms. x men kitty pryderead more | digg […]

Just wanted to throw my 2 cents in. I think this is very clever but it seems like most spammers could easily write around it in their spam bot’s code to just check for hidden form fields and not fill them in. Still, I think that this IN Addition to other methods just adds another level of protection so thanks!

And while I’m at it, has anyone found any good scripts or reg expressions that check for spam email injection and strips it out?

It’s called a Honeypot, and we implemented it ages ago. Not had a single hit of comment spam since.

Read all about it: http://www.rustylime.com/show_article.php?id=338

ever since I implemented this on http://www.ratemyrosetta.com/ months ago I haven’t received a single piece of spam. There is one trick you left out though, you may need to rename your fields if spam bots already know how to use your site!

You know, if it works for you, I’m certainly willing to give it a try. As far as bots figuring out what the CSS is doing, I could think of adding a few more layers of obscurity and CSS obfuscation to throw off the SPAMmers. This is not to say that such CSS tactics won’t eventually become obsolete, but, hey, if it works for some of us for now, all I can say is: THANK YOU!

Is there are wordpress plugin for this (especially for the comment fields?). That would be awesome. Thanks!

[…] step guide using CSS to eliminate automated robots and spam fillers from getting through your forms.read more | digg […]

I love it when people pout and plug their own sites in comments. As they say, there is nothing new in the internet, and i’m sure somebody thought it up before you Michael Ott. That said, this article and this method are a cleaver idea.

[…] CSS to eliminate automated robots and spam fillers from getting through your forms. jean from X Menread more | digg story RSS feed for comments on this post. TrackBack URI Cartoons Fans Lounge […]

[…] read more | digg story […]

[…] Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS Cool way of using CSS to protect forms from spam […]

[…] general, Technology that’s possible with this buddy cald CSS.. seems 2 b possible.. lemme try >> No Comments so far Leave a comment RSS feed for comments on this post. TrackBack URI […]

SIMPLY AMAZING

Fighting Form Spam with CSS…

[…]Step by step guide using CSS to eliminate automated robots and spam fillers from getting through your forms.[…]…

Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS…

[…][…]…

I wrote about a similar method for preventing bots from automatically signing up to the forum on my personal site. The article is here:

http://www.andymurdoch.com/Stuff/yabbspam.shtml

As it was a signup screen, I could easily accommodate those using screen readers by asking “Are you a Russian spambot?” where there was previously “Do you accept the terms and conditions?”.

I’m happy to report that there have been no more bots or spam.

As so many people are using this kind of solution nowadays, I think it won’t be very long before the bot-writers catch up. I’ll enjoy the peace and quiet in the meantime.

hey luv this post…tnx for sharing the idea on fighting spam. This is useful in my site and other site i made.

[…] Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS (tags: css spam forms webdesign design php webdev tips) « links for 2007-06-24 […]

[…] site modernbluedesign.com publicou um artigo que ensina a detectar quando uma mensagem vinda pelo formulário é spam. Para […]

Interesting approach. I like it! I may just have to test this out to see if the spam comments on my blog decrease.

[…] an anti-spam technique that may help out. I’ll leave it to Jordan to decide if it’s applicable. Web Design Blog | ModernBlueDesign.com ? Blog Archive ? Fighting Spam with CSS __________________ […]

[…] Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS […]

thanks for the information

Great tip! Improve on it by instead of letting the spammer know that something went wrong, reply with “thanks for the comment” but send the spam do /dev/null.

The less the spammers know the better!

Glad you figured out this solution, but it’s old news. I’m too lazy to find it now, but I came across this hack when searching for vbscript captchas. I recall the site linking to http://www.cs.sfu.ca/~mori/research/gimpy/.

If this is getting more popular, then spammers will eventually find a way around it. Bummer.

[…] Live2Study Everything should be made as simple as possible, but not simpler - Albert Einstein « An Open Letter to the Software Managers of the World A Good Idea to Limit Spams sent by Robot June 27th, 2007 If you have a form on your web site like feedback or suggestion form and if you are in the mail list, you won’t be surprised to get hundreds of spams from those forms. To avoid this some web sites ask users to copy letters from an image. Here is another good but simple idea to get this done. It uses CSS to play a trick with the spam robot. Please read. […]

this hidden field is an very old and working “trick”… i’m using this since years!

[…] Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS (tags: css forms tips) […]

[…] Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS (tags: css webdesign php) […]

[…] read more | digg story […]

[…] Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS (tags: css form spam fighter) […]

“The php to handle this is very straightforward. Basically, you just look to see if that field has been filled in before it was posted, and if it was, you simply break the script so no email is sent, and tell the spammer to get lost.”

That doesn’t strike me as the best way to handle things. Instead of giving the spammer feedback that something didn’t work, I would give him no information whatsoever. As they say in law enforcement: “Anything you say can and will be used against you.” The less info you give the spammer the better.

Nice idea, i will try it out.

Thank you.

Da’s redelijk leesbaar Nederlands Prima stuk. Heeft erg geholpen. Graag gedaan.

[…] Method 2: […]

[…] a Hidden Field I read about this one on digg last week. By adding an extra field to your comment form and making it invisible with CSS, […]

[…] pe internet. Cel mai recent - ?i care m-a determinat s? men?ionez metoda aici - îl g?si?i aici. Vede?i comentariile care arat? c? pentru mul?i metoda aceasta simpl? a redus spamul la zero […]

[…] Script out spam Filed under: Technology — 0ddn1x @ 2007-07-01 15:27:10 +0000 http://www.modernbluedesign.com/web-design-blog/fighting-spam-with-css/ […]

Some problems may arise, and there is no reason someone targeting you couldn’t simply drop the hidden value.

The only surefire way I’ve seen are logic tests (ie: “What is 2+2?” — with enough variation, someone would likely give up before finding the answers to all the tests.

CAPTCHAs used to be a good way to stop spammers as well, but are now easily broken, even for a non-popular CAPTCHA image. Not to mention they are inaccessible if images are disabled.

[…] Fighting Spam with CSS The idea here is setting up a form with a text field and via CSS making it invisible. Then, if a post is sent to a php script handling the request and that text box has information in it, that means a human didn’t fill it out, and the script is simply a (tags: Spam) […]

[…] unsichtbares Formularfeld verhindert Spam. Einfach und wirkungsvoll. Mehr Informationen: Fighting Spam with CSS Tags: CSS, Tutorial « Mehr Usability in wenigen […]

[…] Web Design Blog | ModernBlueDesign.com » Blog Archive » Fighting Spam with CSS (tags: css forms spam design tips php webdev webdesign accessibility antispam blog blogs code coding cool) […]

Sensational. Superb idea to use CSS - and great site.

I would like to use this method on my site but am not a PHP coder. For my (and other non coders) benefit, would you mind please confirming how the non spam mail gets actioned by a mailing script?

EG. Say your mail program is: formmail.php. Once verified as OK, how do I then get the process.php script to send the mail via the formmail.php script?

Thank you in Advance and keep up the great work.

[…] Enlace: RibosoMatic Recurso: Fighting Span With CSS […]

[…] Fight spam with CSS […]

[…] describes an interesting CSS-based approach to fight and avoid form […]

[…] #314 Fighting Spam with CSS. […]

[…] spambots July 10th, 2007 by George Notaras Kudos to the person who thought about this! This article describes how you can prevent comment spam with CSS. I am not sure how well this works, but it sure […]

Ignore the post above re how to action the mail script. All working now. Thank you kindly.

this is a great idea! i was just about to program a captcha-like system for some of my sites, but this trap will be alot easier to implement, without requiring anything more out of the users or my server/bandwidth

[…] recent post on Modern Blue suggests a CAPTCHA alternative that uses CSS to stop spammers. The trick is to include an extra […]

[…] Fighting Spam with CSS - this is actually a real good idea […]

[…] Fighting Spam with CSS […]

Nice one, just implemented this myself. 3 things I’d recommend though: 1) Use display: none in the CSS instead of visibility: hidden. The latter leaves a gap there for the element, whereas display: none collapses everything around the element you want to hide. 2) I think another commenter mentioned this, but I think it’s a good idea to wrap the field and a descriptive paragraph in a div, then hide the whole div. This way, people with styles disabled will see the field but also the instruction to leave it blank. 3) As for robots recognizing what you’re doing via the class or id name, I think that’s unlikely. Probably safer tho if you don’t use inline CSS. Put the actual styling code in your master stylesheet.

Thanks for this post, proved very helpful. Must go get my washing.

I remember Damien Katz talking about this back in January…

http://damienkatz.net/2007/01/negative_captch.html

Nice to see it catching on

I use this since june 2006 in the guestbook on my website http://www.windoof.org …

GREAT trick! Definitely a lifesaver to go against spammers!!

[…] Fighting Spam with CSS from Modern Blue – Discussing a way to use CSS to detect form spam from your website. […]

[…] Partant du principe qu’une simple ruse est souvent la meilleure des défenses, j’ai décidé de vous retranscrire le contenu du billet montrant comment combattre le spam grâce au CSS […]

Simple yet extremely effective. Thanks for the great tip! I’m sick of putting CAPTCHA into everything I do.

[…] Pligg captcha useless against spammers - Today, 04:16 AM You know the Pligg captcha that’s verifying if people are actually human? Well, a simple software program can "see" what that code is on the captcha in about one second: BotMaster.Net: captcha breaking, automatic recognition of pictocodes (human verification) Why not ditch the captcha and protect pligg with something like CSS? Fighting Spam with CSS […]

Really asome, I’ll put this tutorial on my blog ( with credits, don’t worry ).

Cool. appearently you had the same idea as I had a few months ago (article is in Dutch)!

Yeah, a few other people have mentioned they had the same idea. I guess it’s independent invention. Your article was interesting too, thanks for the link. Ik kan Nederlands lezen.

Ah, great! I very much enjoyed your article as well :). The only shortcoming it has to be future-proof IMO, is that a bot might be able to read the CSS-rules. Hiding it with negative margins is a better solution, I think. display: none; or visibility: hidden; are easy to detect. Should this become a more widespread technique, spammers wil surely implement a CSS-readout :).

Have you noticed that Google Toolbar chokes on the hidden field? It seems to stick email addresses into it!

a bit off-topic but, after reading so many comments from people who had the same idea, independently, makes me think of how terrible patents are.

Hello

Very interesting information! Thanks!

Bye

useful information, thanks

That’s a great hack. I think considering all the possibilities, this would make it at least 90% successful. If I can suggest, instead of deleting those spam messages, it would be helpful to take them aside to evaluate.
Thanks for sharing with us.

[…] read more | digg story […]

Looks like you need to implement this strategy or some other on this very page since many of the comments are quite obviously spam.

On a PHP mailing list I am on, one person also suggested creating a checkbox that is named “cancel” with a value of “cancel” and then giving it a label such as, “I agree to abide by the commenting guidelines”. Require users to check it and bots won’t like it because to them is says “cancel”. The developer who suggested it said it worked great on his site.

Jonathon, actually those are called “track-backs” which show sites that are linking to this article, not spam.

I think the cancel button is another great idea. I may have to give that a try some time.

Tried this and it works like a charm. Thanks.

I been fighting forum Spam for years and have done a number of things to prevent automated and human Spam.

1. Enabling captcha for regestration.
2. Checking domain referer for posts.
3. Developing a customized redirect script preveting a post if it contains a Spam domain that has been caught and cataloged in PHSDL Spam Domains Database.
Here is a hot list that you may refer to Spam domains that do redirect to porn, trojans, and other junk.
http://www.phsdl.net/project_honeypot.php

I have caught about 20,000 Spam domains over a few years.

Next will probably add a captcha for loging in, do not really want to add one for submiting a new post.
Will take a look how the CSS Spam prevention can help stop automated Spam, but I think now dealing more with human Zombies..:)

Excellent work. Hopefully my posts will be protected from now on…

I’m going to implement this now!!! great idea.

this is so cool I added it to my site yesterday and since then I got no spam this is a 2 thumbs up idea.

Great idea,

More people should implement stuff like this to secure their scripts.

- Dwayne Charrington.
http://www.dwaynecharrington.com

great idea, thanks!

This is a cool technique. I just finished implementing it on all my forms.

Another good trick to mention: As tempting as it is to rub your spammer’s face in the fact that you caught them, it’s MUCH better to simply act like they tricked you and NOT output any special message when you catch them. Just act like you sent the form when you didn’t. If you tell them it didn’t work, they’ll just try harder to get through. Let them think they’re done.

I am currently using a perl formail script called formail.pl and I have no idea how to integrate the php code. Can some one help with that. Do you have the form action call both scripts on submit? Not sure how to implement this.

Very clever, he he love it thanks for the great tip!

Spam has killed my time……. i hope your article will stem the flow of spams ….

I love it! You really did think outside the box here and came up with an innovative solution!

Great tip!!! Thanks for sharing.

This works until any spammer decides to write some simple code to detect which is the honeypot field. The only way around this is to randomize the honeypot field and use some javascript to calculate which field it actually is and then hide that, but this incurs an additional dependence on javascript while also staying theoretically defeatable given enough effort to defeat it and widespread adoption of it to make the effort worthwhile.

I would just use a reCaptcha, they make it pretty easy.

Is there javascript validation code that would void a form if text is entered in the hidden text box?

Thanks and great advice!

@peter: the only thing to remember with your solution, is spammer spiders don’t read javascript… so doing it with javascript wouldn’t make a difference.

Obviously if someone really wanted to, they could write a custom script for your site… but it’s rare. If you are a larger site, I would recommend using reCaptcha or something similar in addition to this.

@stan: as I mentioned to Peter as well, using javascript won’t do anything if a spider is filling out the form. That’s why using your server-side script is the only way to go.