
Protecting a web contact form from spam without PHP?

I'm supposed to implement some sort of spam protection (captcha, etc.) for an existing web contact form. However the original form uses a .cgi file on the virtual server that I can't access, so I can't work with this script. The PHP mail function is turned off.

I'm guessing I need my own cgi file but I'm not really into perl and cgi :-)

Maybe you can point me to some kind of solution for this problem.

TonyC asked Feb 23 '23 08:02


2 Answers

You can add a Negative Captcha:

A negative captcha has the exact same purpose as your run-of-the-mill image captcha: To keep bots from submitting forms. Image (“positive”) captchas do this by implementing a step which only humans can do, but bots cannot: read jumbled characters from an image. But this is bad. It creates usability problems, it hurts conversion rates, and it confuses the shit out of lots of people. Why not do it the other way around? Negative captchas create a form that has tasks that only bots can perform, but humans cannot. This has the exact same effect, with (anecdotally) a much lower false positive identification rate when compared with positive captchas. All of this comes without making humans go through any extra trouble to submit the form. It really is win-win. [source].

In your case, it is probably best to use a Honeypot: add a new field:

<div style="position: absolute; left: -2000px;"><input type="text" name="surname"  value="" /></div>

This assumes you are not interested in receiving the surname. If people manage to fill in this field and submit it, they are most probably a bot: normal browsers will not show the field, so normal users will not see it, and hence not fill it in.

Now, in your CGI script, simply filter on "surname"; if set, stop processing and give an error, or just leave it at that.

Or, if that is not possible, try to filter the results of the posted forms by "where record does not have surname set". Say, if you get the results in an Excel/CSV file: just use Excel to filter out the items that have a surname. Or use your email filters to move any mail where surname: .... has a value into a special directory.

berkes answered Feb 24 '23 22:02
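The server-side half of the honeypot from the answer above, as an added example that is not part of the original answer: it checks a urlencoded POST body for the hidden `surname` field and applies the same rule to a CSV export of submissions. The function names, the whitespace handling and the sample data are assumptions made for illustration.

```python
import csv
import io
from urllib.parse import parse_qs

HONEYPOT_FIELD = "surname"  # the hidden field name used in the answer above


def is_bot_submission(body: str, honeypot: str = HONEYPOT_FIELD) -> bool:
    """Return True if a urlencoded form body carries a non-blank honeypot value."""
    # keep_blank_values=True so the empty value a real browser sends is parsed
    # as [""] instead of being dropped; a missing field is treated as empty.
    fields = parse_qs(body, keep_blank_values=True)
    # Assumption: whitespace-only values count as empty. A repeated field is
    # flagged if any one of its values is filled in.
    return any(value.strip() for value in fields.get(honeypot, []))


def split_csv_export(text: str, honeypot: str = HONEYPOT_FIELD):
    """Split a CSV export of submissions into (kept, quarantined) row lists."""
    kept, quarantined = [], []
    for row in csv.DictReader(io.StringIO(text)):
        # row.get() may return None for a short row, hence the "or".
        filled = (row.get(honeypot) or "").strip()
        (quarantined if filled else kept).append(row)
    return kept, quarantined


# Constructed sample data, not taken from a real form.
HUMAN_POST = "name=Ann&email=ann%40example.org&surname=&message=Hello"
BOT_POST = "name=x&email=x%40example.net&surname=Smith&message=Buy+now"
CSV_EXPORT = (
    "name,email,surname,message\n"
    "Ann,ann@example.org,,Hello\n"
    "x,x@example.net,Smith,Buy now\n"
    "Bob,bob@example.org,   ,Question about pricing\n"
)

if __name__ == "__main__":
    print("human flagged:", is_bot_submission(HUMAN_POST))
    print("bot flagged:", is_bot_submission(BOT_POST))
    kept, quarantined = split_csv_export(CSV_EXPORT)
    print(len(kept), "kept;", len(quarantined), "quarantined")
```

Quarantining flagged rows rather than deleting them lets you review false positives, for example from browser autofill populating the hidden field.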


You can make some kind of askew antibot, if you suppose that all your users have JavaScript turned on.

Set the form's action to some 404 page, and in JavaScript change it back to the proper action page. Example:

<form action="nowhere_ahaha" id="myform">
   ...
</form>
<script>
document.getElementById('myform').action = '/form_action.cgi';
</script>

All this works because bots usually do not run JS, but human visitors do.

Oroboros102 answered Feb 24 '23 23:02