Preventing spam and bots using JavaScript generated checkbox

I've read that one can deter bots by using JS to create a checkbox in a form which must be set (i.e. http://uxmovement.com/forms/captchas-vs-spambots-why-the-checkbox-captcha-wins/). Is this strategy effective? Does the user need to physically check the box, or can client side JS be used to check it as well?

user1032531 asked Sep 03 '13 20:09




2 Answers

The article seems fishy to me. The checkbox captcha seems like a decent defense against spam bots that blindly fill out forms, knowing nothing about the website they happen to be on; however, if someone is writing a bot that has any sort of insight into your page, the benefits end there.

In the end, all that matters is the HTTP POST. If the POST can be verified by the server, it doesn't really matter how the POST was created or what script may have run on the client. If the server is looking for a POST value called NotABot which has a value equal to 1, a spam bot can simply include this value in its own POST, as the server doesn't know if a checkbox was created through client-side script. If the value must be equal to a random value provided in the initial HTML, the spambot can scrape that value as well. If the value must match a value provided on an image, then you've basically created a CAPTCHA.

In the end it's a cost/benefit analysis that depends on your risk tolerance of spam versus your desire for usability. Running a smaller website, perhaps every post can be moderated by a human before it is allowed. Perhaps you won't get enough spam to warrant a decrease in usability. If you're running a huge site used by millions, perhaps more aggressive measures to ward off bots are necessary. It's really your call to make.

Mike Christensen answered Sep 21 '22 02:09


Your best bet for an unobtrusive approach is obfuscation. That is, assuming on the off chance an evil spamming company hires someone to figure out how to write a bot for your site (which 99% of the time won't happen, unless you serve millions of users), you need to make it as difficult and as much a waste of time as possible to understand what's going on under the hood of your site.

I used to have bots in the guest comments of my site so I decided to go overboard. (Javascript is required on my site. The very small percentage of people who have it disabled are usually bots or web developers.)

  1. I don't use form tags, and always have a random number of CSS-hidden dummy submit buttons mixed in with the real submit button.
    • Since the submit is Javascript/ajax, this already filters out a bunch of unspecialized bots.
  2. I create a few text inputs that are hidden through CSS (not input type="hidden") and are named appropriately like "email" and other keywords bots generally look for.
    • If these are filled out and submitted to the server, I can assume it was a bot.
    • A bot would need to understand to only fill out certain fields.
  3. My interface with the server requires a hidden captcha code (not visible to the user) that is scrambled by the client.
    • The server passes a random captcha string to the client.
    • The client uses a Javascript function that scrambles the captcha based on the date, comment length, and string rasterization of a portion of the DOM and passes the scrambled captcha back to the server for validation.
    • Server implements the same function.
    • A hacker can of course steal or otherwise reference this Javascript function, so I have 10 or so different scrambling functions that are swapped out and referenced on a randomized URL depending on the user's session.
  4. Clients with empty user agent strings are not allowed to add comments or otherwise update the site.
  5. The website does not visibly reject comments that are suspected to be from bots, but instead gives a message that the comment/etc will appear in a few hours. (It doesn't. LIE to them!)
  6. Another one of my favorite things if someone is looking at my Javascript source code is to use the jsfuck.com method to obfuscate portions of it. It doesn't stop anyone if they know what it is, but I like to imagine the look on their faces when they see the obfuscated code.
  7. Textareas/inputs are checked to see if keydown events have fired in them.
  8. All in all this doesn't stop anyone from hiring a human to visit your website to spam on it. So comments that are completely copied and pasted into textareas are marked as suspicious and are flagged for review before they appear.
    • All subsequent comments within the next hour from the user with that IP are also flagged for review and do not immediately appear.
  9. Comments with more than 1 link are flagged for review. Though most bots are aware of this restriction on many sites by now and don't get greedy with the links.
user2867288 answered Sep 20 '22 02:09