View Full Version : Stopping Spam Bots on Forms

Reno CF
05-09-2007, 04:37 AM
I recently read of a technique for stopping some of the spam bots that go around the web sending other people's forms, which of course they fill with their garbage.

The idea is to put a "hidden" field in the form that the visitors would not see but the bot would fill out; then, use a script that would close the form and re-direct the bot to some other place whenever it filled anything into that hidden field (which presumably they would do every time).

If anyone knows of such a js, please pass on the info, as the spam creeps are driving us nuts. Thanks...

05-09-2007, 04:49 AM
It would not involve any JavaScript, just HTML for the hidden field and a server side language to process the form.

Reno CF
05-09-2007, 05:28 AM
Thanks Stephen. We've been using a perl-script contact form for a number of years that was originally written by The nms Project, so I have both the HTML and the script in place.

But not being any kind of cgi wonk, I do not have the expertise to modify the perl in such a way that it would stop any bot that entered words or numbers into the hidden field. Thus, I was thinking that a javascript might be a work-around.

If it's just a matter of entering a few lines of code onto the perl script itself -- and if you know that code -- we'd much appreciate your advice. As I said, these spam bots are a huge aggravation, so we are looking for some solutions to stop (or at least slow down!) the daily assault...

Philip M
05-09-2007, 08:39 AM
As has been pointed out, a server-side filter would be best, but you might try something simple like:-

<SCRIPT type = "Text/JavaScript">

function foolBots() {
if (document.formname.hiddenFieldName.value !="") {
return false;

<FORM ................ onsubmit = "foolBots()"

You can find out if it works by experiment.

I guess this is a variant of a simple CAPTCHA technique in which the user has to give the correct answer to a simple question before the form will submit, e.g.

What is 10 times 5?

if (answer != "50") {return false}

But this may filter out some users as well!

e.g. Recent TV quiz game:-

Quizmaster: How many pins do you have to knock over in ten-pin bowling to score a strike?
Contestant: All of them.
Quizmaster: And how many is that?
Contestant: Nine.

Reno CF
05-09-2007, 05:31 PM
Thanks Philip for your suggestion. I tried it using the very simple form below, but either I did something wrong or the script is not quite right. For the purpose of this test I made the field visible, so I could enter some characters. The goal is to have the js not send the form if any characters are in the third field down, called "yourcomment". With my tests the form did send each time, so some tweak must be necessary. If anyone sees anything obvious, please jump in ... thanks:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<title> Testing JS </title>

<SCRIPT type = "Text/JavaScript">
function foolBots() {
if (document.bonk.yourcomment.value !="") {
return false;


<body bgcolor="#333333" text="#000000">

<form action="/cgi-bin/Form_Mail.pl" method="POST" name="bonk" onsubmit = "foolBots()">
<input type="hidden" name="subject" value="Testing JS">

<table bgcolor="#ffffff" align="center" width="450" border="1" cellspacing="0" cellpadding="7">

<tr><td align="RIGHT"><font face="Verdana, Comic Sans MS, Arial, Helvetica" size="1">Your Name:</td>
<td align="LEFT"><input type="text" name="realname" size="30"></td></tr>

<tr><td align="RIGHT"><font face="Verdana, Comic Sans MS, Arial, Helvetica" size="1">Your Email:</font></td>
<td align="LEFT"><input type="text" name="email" size="30"></td></tr>

<tr><td align="RIGHT"><font face="Verdana, Comic Sans MS, Arial, Helvetica" size="1">Your Comment:</font></td>
<td align="LEFT"><input type="text" name="yourcomment" size="25"></td></tr>

<tr><td align="center" valign="TOP" colspan="2"><input type="submit" value="Send Now"></td></tr>



Philip M
05-09-2007, 05:59 PM
Should be:-

onsubmit = "return foolBots()"

Reno CF
05-09-2007, 06:49 PM
Eureka! That is what we wanted -- now the form just sits there and will not submit when anything is typed in that field. Thanks much! :thumbsup:

Philip M
05-09-2007, 07:53 PM
I shall be interested to learn in due course whether the idea is effective in defeating the bots, as some of these things are pretty clever and if Javascript is disabled obviously it does not work.

If you are using Matt's FormMail.pl it would be easy to add a few lines to reject any form which had a value entered in the hidden field - you might post a request for advice about this in the Perl forum.

Reno CF
05-09-2007, 09:13 PM
If you are using Matt's FormMail.pl it would be easy to add a few lines to reject any form which had a value entered in the hidden field
I'm using a more secure version of Matt's script, so I'll take your suggestion and will post a question in the perl forum to see if anyone can offer that as a solution.

05-21-2007, 10:30 AM
Hi, I tried this method, however, it didn't work. I suspect that it is because not only did the spam bot not look at the CSS, but it ignored the javascript.

I have two ideas to get round this though.

1: Change the post location in the javascript (preferable)
2: Require that JS is enabled for the page to be displayed.

However, I don't know how to do either. Can someone help?


05-21-2007, 02:27 PM
Because spam bot scripts submit data directly to the action="..." URL, nothing you do using javascript on the form page will help. This subject has been discussed many times on this Forum. Search and you will find a number of discussions on protecting forms and making sure that it is your form page that submits to your form processing code...

For your two specific ideas -
1: Change the post location in the javascript (preferable) - the javascript code is visible in the page content and the new post location can be determined by reading and parsing through the content by the bot script.

2: Require that JS is enabled for the page to be displayed. - see the first part of this post.

Philip M
05-21-2007, 02:51 PM
See for example:-

For what it is worth I have not had this problem for some years since I changed the name of formmail.pl to something like ekl6sn2d.pl

05-21-2007, 03:08 PM
Thats excellent, thanks. I shall try things out from that thread and let you know.

Philip M
05-21-2007, 05:33 PM
Another thing which seems to work is to obfuscate the form action using JavaScript, so:-

<SCRIPT type="text/javascript">
<!-- Javascript must be enabled!

The data can be further obfuscated, e.g by changing the letter 'c' to %63 (and other letters to their corresponding hex values). E.g. www.mysite.%63o.uk/%63gi-bin/%63lassifieds.%63gi

But I don't know how clever these bots are!