Willeitner.org

Alternative to Captchas, Hallelujah!

When captchas (the little messed up images of words that you have to identify when submitting something) came out I thought that they were a great innovation. Finally, a way to be sure if a visitor is really human. Unfortunately, captchas, originally the holy grail of spam prevention, began to turn evil. Every day I saw captchas that were more twisted and color-intensive than the day before. Most captchas are still pretty good, assuming that your eyesight is perfect. Many, though, are indistinguishable no matter how good your vision is.

As an alternative, I liked the simple suggestion of Johannes Ullrich in his SANS article. He suggests:

Instead, one or more fake form fields are added to the form. But style sheets are used to make them “invisible”. To further confuse the attacker, the fake form fields are given names like “subject” and such suggesting to the bot that these are the form fields they are looking for. However, whenever a form is submitted with content in a “hidden” field, it is discarded. I am not talking about the classic hidden form fields that are not user changeable, but form fields that are marked with “display: none”.

For example, this field is visible:

Subject:

And this is the same field but with the “display: none;” style added:

Subject:

You can check the source code to see the invisible form.

From the statistics he gives, it seems to work well for him (dozens of spam pieces a day reduced to 3 or 4 over a week).
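
A minimal server-side version of the check Ullrich describes, as an added example that is not code from this post or from the SANS article. The field names `topic` and `message`, the `/contact` action and the sample POST bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed form: "subject" is the decoy, hidden with display: none.
# The field a person actually fills in has a less obvious name ("topic").
# autocomplete/tabindex keep browser autofill and keyboard users out of the
# decoy, which would otherwise cause legitimate posts to be discarded.
FORM_HTML = """\
<form method="post" action="/contact">
  <label>Subject: <input type="text" name="topic"></label>
  <label style="display: none;">Subject:
    <input type="text" name="subject" autocomplete="off" tabindex="-1"></label>
  <label>Message: <textarea name="message"></textarea></label>
  <input type="submit" value="Send">
</form>
"""

DECOY_FIELDS = ("subject",)


def filled_decoys(body, decoys=DECOY_FIELDS):
    """Return the decoy field names that arrived with non-blank content."""
    # keep_blank_values=True so an empty decoy (what a browser sends) is
    # parsed as present-but-empty instead of being dropped.
    fields = parse_qs(body, keep_blank_values=True)
    return [
        name for name in decoys
        # A field can be repeated in one POST; any non-blank copy counts.
        if any(value.strip() for value in fields.get(name, []))
    ]


def handle_submission(body):
    """Discard the post if any decoy has content, otherwise accept it."""
    return "discarded" if filled_decoys(body) else "accepted"


# Constructed sample POST bodies (application/x-www-form-urlencoded).
HUMAN_POST = "topic=Hello&subject=&message=Nice+post"
BOT_POST = "topic=&subject=Cheap+pills&message=http%3A%2F%2Fspam.example"

if __name__ == "__main__":
    print(handle_submission(HUMAN_POST))  # decoy left empty
    print(handle_submission(BOT_POST))    # decoy filled in by the bot
```

The check has to run on the server; the style sheet only hides the field from people and does nothing to stop a client from submitting it.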

Another suggestion made was to have an easily identifiable picture that requires a text input. This could be a picture of a dog and then in the field you would enter “dog”. The only problem I have with this is that it does not offer as much of an uninterrupted experience as the “display: none” style.
