How can I prevent spam bots?

by Axel von Leitner, August 2014, in Tech

When we moved our blog from Wordpress to our own solution a few weeks ago, we knew we would need more than an editor for writing posts and a few pages to display them. The comment function, with reliable spam protection, was going to be the biggest challenge. To anticipate the result: we made it. So that you don't have to try everything out yourself, we present, proud as punch, our spam protection for forms, which has kept us spam-free so far.

We had a few ideas, but initially wanted to start without any special spam protection to see how big the flood would be.

Form without spam protection?

In the first attempt, our comment form went online without any special protection. A simple form with name, email address and comment field. The result was sobering: the next day the blog was full of spam comments.
All right, the first round went to the bots. In the second attempt we extended the form with an additional text field, which we hid. The idea behind it is simple: a bot cannot tell which fields are visible and which are not, so it will also write into the field that is invisible to humans, while humans will not. Such hidden fields, meant only for bots, are called honeypots, because the bots cannot keep their fingers off them. So if the hidden field is filled in, we send the bot away and discard the comment.

The result? Fewer spam comments, but we were still a long way from being spam free.
In the next iteration, we bet that (most) bots cannot execute JavaScript. The form is rendered into the page disabled and is only enabled by JavaScript when the visitor clicks the link to write a new comment.

This is what the link looks like before activation ...

... and this is what it looks like after activation:

That changed little, presumably because the bots simply treat every form as active and try to submit it. The disabled attribute exists only in the browser: a bot that parses the HTML and posts straight to the form's action URL never runs the JavaScript and never notices it.

In the next step we swapped the field names. The real comment field, which would typically be called content, is now called bot_protect, and the hidden honeypot field is called content. As soon as anything arrives in the fake content field, we discard the whole submission.

Nevertheless, we still saw the occasional spam comment for days. Our guess was that some bots simply got through by trial and error. We were and still are skeptical that sessions, cookies or IP blocking really get a grip on bots, but we tried that too.

On the one hand, we set a session variable whenever we think a visitor is a bot. As soon as the session variable is set, we discard all further attempts by this visitor to comment. This only bites if the bot keeps its session cookie; one that starts a fresh session for every attempt is unaffected. We also briefly tried blocking individual IPs, but removed that again fairly quickly because it had no great effect and we did not want to collect IP addresses unnecessarily.

The final trick to spam protection

We tried a lot, and the final trick was this: the display: none on the element surrounding the fake content input field was replaced by a minimal height. The field is no longer completely hidden, but sits in a wrapper that is only 0.5px high. It is still invisible to humans, but the bots apparently detect display: none and skip such fields, while they take a merely tiny field for a normal one. So far every bot has fallen for it, written into the field, and had its comment discarded.

Since then we have been spam-free and no longer have to put up with spam comments, invalid login attempts and the like day in, day out. Part of this is of course that the bots are trained on the standard Wordpress blog, its URLs and its form structure, which our own solution no longer matches.

Here is a list of the measures that have so far ensured that we are absolutely spam-free:
  • A honeypot field for the bots. Hiding just the input field itself was not enough for us. What works best is giving a surrounding element a height of 0.5px.
  • The honeypot field is named content; the real field for humans is named bot_protect.
  • The form is initially disabled and is only activated when "new comment" is clicked.
  • A session variable is set on the first bad submission, to stop the bot's trial and error.
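The measures in the list above, put together in one place as an added example in Python; this is not the blog's own code, which the post does not show. The field names follow the post; the function names, the simulated bot and the plain dictionary standing in for the server session are assumptions:

```python
"""Comment form with the anti-spam measures listed above.

Added example, not the blog's own code. The function names, the simulated
bot and the plain-dict session are assumptions made for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Swapped names: the honeypot gets the "obvious" name, the real field an odd one.
HONEYPOT = "content"
REAL_FIELD = "bot_protect"


def render_form(action="/comments"):
    """HTML for the comment form.

    The honeypot sits in a wrapper that is 0.5px high with overflow hidden
    rather than display:none. The fieldset starts disabled and is only
    enabled by the click handler on the "new comment" link; a browser never
    submits the fields of a disabled fieldset, but a bot that posts directly
    to the action URL does not care about that.
    """
    return f"""
<style>.bp{{height:.5px;overflow:hidden;margin:0}}</style>
<a href="#" onclick="document.getElementById('cf').disabled=false;return false">new comment</a>
<form method="post" action="{escape(action)}">
 <fieldset id="cf" disabled>
  <label>Name <input name="name"></label>
  <label>Email <input name="email" type="email"></label>
  <div class="bp" aria-hidden="true">
   <label>Leave this field empty
    <input name="{HONEYPOT}" tabindex="-1" autocomplete="off"></label>
  </div>
  <label>Comment <textarea name="{REAL_FIELD}"></textarea></label>
  <button>Send</button>
 </fieldset>
</form>"""


def check_submission(form, session):
    """Classify a POSTed form (dict of field name -> str).

    Returns 'blocked', 'honeypot', 'empty' or 'ok'. The first honeypot hit
    marks the session as a bot, so later trial-and-error attempts from the
    same session are refused before the fields are even looked at.
    """
    if session.get("is_bot"):
        return "blocked"
    if form.get(HONEYPOT, "").strip():
        session["is_bot"] = True
        return "honeypot"
    if not form.get(REAL_FIELD, "").strip():
        return "empty"
    return "ok"


class _FieldNames(HTMLParser):
    """Collect the name of every input/textarea, the way a naive bot does."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def naive_bot_post(html, text="cheap pills http://example.invalid"):
    """Simulated bot: ignores CSS and the disabled attribute, fills every
    named field it can find and posts the lot."""
    parser = _FieldNames()
    parser.feed(html)
    return {name: text for name in parser.names}


if __name__ == "__main__":
    session = {}
    print(check_submission(naive_bot_post(render_form()), session))  # honeypot
    print(check_submission({REAL_FIELD: "Nice post!"}, session))     # blocked
    print(check_submission({REAL_FIELD: "Nice post!"}, {}))          # ok
```

A real browser never submits the fields of a disabled fieldset, and a human never sees the 0.5px wrapper; the simulated bot parses the HTML, fills every named field and lands in the honeypot on its first post, after which its session is refused outright. The wrapper carries aria-hidden and the input tabindex="-1" and autocomplete="off" so that screen readers and browser autofill do not fill the trap for a real visitor; that accessibility detail is an addition here, not something the post describes.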
Apart from the fact that fighting the bots is fun, we have built a spam-free comment function with relatively little effort, without forcing the user through any extra input or arithmetic puzzle. Of course, this stops working as soon as the spammers look at this particular form and train their bot on it. But that does not happen to 99.9% of websites and forms.
I look forward to your experiences or solutions to spam protection in the comments. How do you keep the spambots off your neck?

There are 15 comments on this article.

Henry N. on Friday, August 18, 2017

I found that bots can be deterred very effectively by home-made measures. Your own creativity protects more effectively here than ready-made and well-known tools. There is a hidden field on my pages that is filled in using JavaScript. The user cannot fill out the field because it is a so-called hidden input, which is usually used for constants. The content is a fingerprint of the browser, which is made up of data that the browser already gives in another form in the header of the HTTP POST, e.g. the browser identifier. No bot has managed this yet. Of course, anyone could train their bot so that the field has a valid value; the code is "readable" in JavaScript. But it's probably not worth the effort. We have also built in honeypots there, and the field names are generated randomly. It was interesting that the bot clearly changed after the honeypot was added. Someone tried to find the honeypot based on the position of the fields, because the names of the fields were no longer meaningful. However, we had already considered that and repeatedly positioned the honeypot in a different place. You could see how the bot tried to enter the email address in several fields. Nowadays the bots are even built in such a way that the typical clicks of a visitor are modelled. So our friend always started on the homepage and always sent the referer on every new page. Even the PHP session was handled correctly, which was of course an advantage for us in that case, because we can map our random field names back using the session. The bot even waited about 5 seconds between the GET and the POST.
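The server side of what the comment above describes, as an added example in Python; it is not the commenter's code, which is not shown. The random field names and the honeypot position are bound to the session, and the hidden fingerprint field is checked against the request headers. The role names, the SHA-256 digest over User-Agent and the first Accept-Language entry, the `fp` field name and the session layout are assumptions:

```python
"""Server side of the approach in the comment above: per-session random field
names with the honeypot at a random position, plus a hidden field that the
page's JavaScript fills with a browser fingerprint the server can recompute
from the request headers.

Added example, not the commenter's code. The role names, the digest used for
the fingerprint, the "fp" field name and the session layout are assumptions.
"""
import hashlib
import random
import secrets

ROLES = ("name", "email", "comment", "honeypot")

# The page's JavaScript (assumed here, not shown by the commenter) would put
# the same digest into the hidden "fp" field, e.g. crypto.subtle.digest("SHA-256")
# over navigator.userAgent + "|" + navigator.language.


def new_form_layout(session, rng=random):
    """Give every role a fresh random field name and shuffle the order, so a
    bot can locate the honeypot neither by name nor by position. The mapping
    lives only in the session, which is what lets the server translate back."""
    names = {role: "f_" + secrets.token_hex(4) for role in ROLES}
    order = list(ROLES)
    rng.shuffle(order)
    session["fields"] = names
    return [(role, names[role]) for role in order]


def expected_fingerprint(headers):
    """Recompute the client's fingerprint from data the browser already sends
    in its headers. Assumes navigator.language equals the first Accept-Language
    entry; where a browser deviates, a legitimate visitor would be rejected."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "").split(",")[0].split(";")[0].strip()
    return hashlib.sha256(f"{ua}|{lang}".encode()).hexdigest()


def check_post(form, headers, session):
    """Classify a POST against the layout stored in the session."""
    names = session.get("fields")
    if not names:
        return "no-session"        # never fetched the form, or dropped the cookie
    if form.get(names["honeypot"], "").strip():
        return "honeypot"
    if form.get("fp") != expected_fingerprint(headers):
        return "bad-fingerprint"   # no JavaScript ran, or headers were faked
    if not form.get(names["comment"], "").strip():
        return "empty"
    return "ok"


if __name__ == "__main__":
    session = {}
    layout = new_form_layout(session)           # render the fields in this order
    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/60.0",
               "Accept-Language": "de-DE,de;q=0.9,en;q=0.8"}
    f = session["fields"]
    post = {f["comment"]: "Hallo", "fp": expected_fingerprint(headers)}
    print(layout)
    print(check_post(post, headers, session))   # ok
```

Because the field names are regenerated per session, a bot that replays a form layout it scraped earlier, or that drops the cookie between GET and POST, no longer even addresses the right comment field; and a bot that fills several fields with its email address to guess the honeypot's position hits the trap whichever slot it picked.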
