
Simple & basic form spam reduction: checking for Javascript?

I'm trying to reduce the form spam on our website. (It's actually pretty recent).

I seem to remember reading somewhere that the spammers aren't executing the Javascript on the site.

Is that true? And if so, then could you simply check for javascript being disabled and then figure it's likely that it's spam?

Clay Nichols asked Sep 09 '08 17:09


4 Answers

There are still a large number of people that run with Javascript turned off.

Alternatively, I have had decent success with stopping form spam using CSS. Basically, include an input field and label that is hidden using CSS (display: none;) and once submitted, check if anything has been entered in the field.

I generally label the field as a spam filter with an instruction to not put anything in the field, but all newer browsers will properly hide the block.

  • More: Fighting Spam with CSS

reCAPTCHA is also surprisingly easy to implement.

Jason Navarrete answered Sep 28 '22 05:09


Check http://kahi.cz/wordpress/ravens-antispam-plugin/ for a nice answer.

It puts in:

<noscript><p><label for="websiteurl99f">Please type "e73053": </label><input type="text" name="websiteurl99f" id="websiteurl99f" /></p></noscript>
<script type="text/javascript">/* <![CDATA[ */ document.write('<div><input type="hidden" name="websiteurl99f" value="e' + '73053" \/><\/div>'); /* ]]> */</script>

So JavaScript users see nothing; non-JS users just type in a word.

If a spammer targets you specifically it won't take them long to code round it, but for drive-by spammers it should be good.

James answered Sep 28 '22 05:09


In the same vein, adding a dummy field and then using CSS to hide it is a good way to trick the bots. If the field is submitted, you know a non-human probably completed the form.

Especially effective if you label/name the field something along the lines of URL or website.

Dave Ward answered Sep 28 '22 05:09


You could check - have JavaScript that populates a hidden form field with a specific value after the page loads. Then, when the page posts back to the server, check that hidden form field for the expected value. If it is not there, that means the JavaScript didn't execute.

As to whether you should assume it is spam is another story altogether, and one that has no certain answer, really. You could simply have a <noscript> tag and have it indicate to the user that their submission will not take unless they enable JavaScript.

Once you have JavaScript running, however, the spammers will just use another workaround for that. :)

Jason Bunting answered Sep 28 '22 07:09
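
The two checks described in the answers above (a CSS-hidden honeypot field, and a hidden field that only the page's script fills in), combined in one server-side Node.js check. This is an added example, not code from any of the posters; the field names, the secret and the HMAC-signed timestamp token are assumptions, the token being a generalization of the fixed value the answers describe.

```javascript
// Added example: server-side classification of a submitted form (Node.js).
const crypto = require("crypto");

const SECRET = "replace-with-server-secret"; // placeholder, keep out of source control
const HONEYPOT = "website";    // hypothetical name of the CSS-hidden decoy field
const JS_FIELD = "js_token";   // hypothetical hidden field the page's script fills in
const MAX_AGE_MS = 60 * 60 * 1000; // a token is accepted for one hour

function sign(ts) {
  return crypto.createHmac("sha256", SECRET).update(String(ts)).digest("hex");
}

// Rendered into the page's script, which copies it into JS_FIELD after load.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

function tokenValid(token, now = Date.now()) {
  const [ts, mac] = String(token || "").split(".");
  if (!/^\d+$/.test(ts || "") || !/^[0-9a-f]{64}$/.test(mac || "")) return false;
  const expected = Buffer.from(sign(ts), "hex");
  const given = Buffer.from(mac, "hex");
  if (!crypto.timingSafeEqual(expected, given)) return false; // forged or altered
  const age = now - Number(ts);
  return age >= 0 && age <= MAX_AGE_MS; // reject replayed, stale tokens
}

// Returns "spam", "review" or "accept".
function classify(fields, now = Date.now()) {
  // A human never sees the decoy field, so any content in it marks a bot.
  if ((fields[HONEYPOT] || "").trim() !== "") return "spam";
  // No valid token: the script did not run. That may be a bot or a visitor
  // with JavaScript turned off, so hold it for review instead of dropping it.
  if (!tokenValid(fields[JS_FIELD], now)) return "review";
  return "accept";
}

// Constructed sample submissions.
const T0 = 1700000000000;
const samples = {
  human: { name: "Ann", message: "Hi", website: "", js_token: issueToken(T0) },
  bot: { name: "x", message: "buy", website: "http://spam.example", js_token: "" },
  noJs: { name: "Bob", message: "Hello", website: "" },
};
for (const [who, f] of Object.entries(samples)) console.log(who, classify(f, T0 + 5000));
```
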