As quoted from About.Com ( http://webdesign.about.com/od/forms/qt/protect-forms-from-spammers.htm ):
One way that I like to fool spammers is to add CSS to forms to hide certain fields. When the spam bot comes in and reads the HTML, their bot sees that form field and fills it in. Then when I get the results any entries that have that field are automatically deleted. To do this use the display: none; property on the field. Web browsers will leave that form field completely off the page, but spam bots will see it in the HTML and fill it in.
So if I’m trying to safeguard my Contact Me page from spam, should I make two email fields that can be filled out, with one of them hidden so nobody can see it, and then in the send.php script add a few lines of code that basically says “if email1 AND email2 are both filled out, then don’t send?”
with one of them hidden so nobody can see it,
Remember you will have users without CSS. Don’t let them get caught in the trap.
These will include those using text browsers and those using other technology which sits atop browsers like screen readers and refreshable braille devices.
You can avoid hitting those people by making sure your “hidden” fields have proper labels warning humans not to fill them in or something.
At fronteers.nl there are some comment forms which have a question at the bottom “Spammer?” then an empty input. After the input (and here I would use aria-describedby for screen reader users, as this question wouldn’t work for them and it’s only for people like me who don’t have Javascript enabled) is some text that says “fill in No”.
If the user has Javascript enabled (as most people do but most bots don’t) they use that input as a “honeypot”. Nobody with Javascript on will see the input, because they remove it with Javascript. So bots see it, they can’t actually read or follow instructions, and they fill something in there. Then an exception is made for the word “Nee” for those users who don’t have Javascript on. A bot won’t follow directions in a form like that, though I suppose there’s always the possibility that a bot filling in random garbage in each input has the possibility of happening to fill in the right characters for the spam input… but very unlikely.
Now it was in Dutch and said “Nee invullen” and the first several times I tried to post I misread it as “Niet invullen” (don’t fill in) so it still got me a few times. Never underestimate the stupidity of a user filling out a web form, even when (or especially when) they are rocket surgeons. Everyone’s IQ seems to automatically drop at least 10 points once they start filling out a web form, and they also become semi-illiterate too.
Hey thanks for the quick and informative reply; it was helpful. I’ll check out that fronteers.nl page!
In case you don’t read Dutch and cannot find an example of this form:
(add in the protocol)
[noparse]
fronteers.nl/blog/2011/09/wcag-2-0-betekenisvolle-volgorde#reageer[/noparse]