preventing form spam

[jcombs_31]

I think I've talked about this before, but wanted to hear what methods you guys use for simple commenting/guestbook forms. I know tried and true is using captcha images, but this is more or less annoying to a user for leaving a simple comment in a blog or whatever.

I see many different blogs out there that are not using captcha and don't seem to have spam posted.  What methods do you guys use to prevent spam?

[redbullmarky]

although a different type of thing, a petition site i saw recently had a good type of spam prevention, and as comment/guestbook type things are more one-off post type things, it seems to work...basically an email is sent to the email address specified in the form, with an activation link. works EXACTLY the same as forum registration activation emails. most spam bots are either using forged email addresses, or just fake ones, in which case, it works very nicely.

as far as guestbooks and things go, i dont think i'd ever actually post a comment to a site of mine straight away. the dinnertimes site of mine puts ALL submissions by a user in a moderation queue for me to click 'approve' or 'deny'.

[steviewdr]

Take a look at css based methods of preventing spam and disguising forms:

http://isc.sans.org/diary.php?storyid=1836

-steve

[jcombs_31]

I recently read that article from digg sterviewdr

[steviewdr]

I know - I got it from ./ originally.

Apart from that - my own thoughts may be a simple maths formula for ppl to solve. It will cross all language barriers. If a person sees 2+5=__  Im sure they will be able to know whats going on and manage the answer.

Anyways - I havn't had to implement any of these yet.

-steve

[alpine]

I use a combination of things, but mostly my first barrier is a decent captha. I run ajax to validate it as it is being written just to help people out visually - once posted it is ofcourse checked again.

From all forms that have the captcha in it - or forms that i choose to include a spesific named hidden field in (both fields have fixed named that my postcheck function looks for) all posted values (exept the captcha field) is melted together into one string and put into a mysql table (works global on the entire site) to prevent submission of the exact frase more than once in an interval of 24 hrs. This prevents mass-reloading etc. Also if the hidden checkfield is not empty as it is designed to be, the form is stopped.

I also validate title etc. to not contain sertain characters not expected such as @* and so on, and i use checkdnsrr() on the always mandatory email field in addition to ordinary pattern-validation and injection check's.

I always prefer to name formfields in norwegian, not naming them name,email,title etc.

On my oldest site, i've only had 3 known spam attempts in 3 years so i guess i'm lucky. It is a pretty visible site in search engines too with a google rank of 4/10 , i think is fairly good for a hobby site - and with an averal of 60.000 page views per month according to my BBClone, 3 attempts isn't bad in my eyes.

To be realistic, there isn't such a thing as a spam-proof form in my eyes. The nearest would be Mark's email-activation, but this might prevent many people from entering anything at all. My experience is that if it's too complicated to use, most people won't use it at all.

[monkey_05_06]

A friend of mine has done some things like:

What is an apple?
-> Vegetable
-> Fruit
-> Rock

Enter the number 8 in this box: [        ]

Lol.