Dealing with bots submitting our forms

Imported From: http://groups.google.com/group/in-portal-dev/browse_thread/thread/709f3e710b1139d0#

Many of you have probably heard about spam bots, which submit spam through the forms on our websites.

The most obvious solution would be to place a captcha on a form. But I don't like captchas because they make entering data on a form a lot harder for me. If I see a form with a captcha, I'd rather go to another website without a captcha and fill out the form there.

If you think the same, then the http://nedbatchelder.com/text/stopbots.html article might come in handy. There Ned describes popular techniques for preventing bot submissions.


Solution

  1. create the Honeypot engine:

    1. create the kEventHandler::eventHoneypotFields array, which only contains events that support Honeypot protection (it's the developer's responsibility to add any new events there):

      1. key - is the event name

      2. value - is the honeypot field name on that form

    2. create the kEventHandler::checkHoneypot method, which would:

      1. return true when the event isn't Honeypot protected

      2. if the specified honeypot field is absent from the Web Request (value = false), throw an exception, because the developer hasn't placed that field on the form

      3. return true when the specified honeypot field is empty

      4. return false otherwise (when the Honeypot field is populated)

    3. call the kEventHandler::checkHoneypot method from the kEventHandler::CheckPermission method, and if it returns false, consider the event permission check as failed

  2. apply the Honeypot engine:

    1. on the Front-End, apply Honeypot protection only to publicly accessible forms (i.e. forms that don't require user login to work)

    2. apply Honeypot protection on the Administrative Console login form as well (because, depending on the Web Server configuration, it could be publicly accessible)
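The whole engine from the steps above, as an added illustration that is not In-Portal's own code. The names kEventHandler, eventHoneypotFields, checkHoneypot and CheckPermission come from this page; kEvent, WebRequest, the exception class, the event names and the honeypot field names are simplified stand-ins (assumptions) so the file runs on its own with `php honeypot.php`:

```php
<?php
// Added illustration of the Honeypot engine outlined above. It is NOT
// In-Portal's own code: kEventHandler, eventHoneypotFields, checkHoneypot
// and CheckPermission are the names from the page, while kEvent, WebRequest,
// the exception class and the event/field names are assumed stand-ins.

class HoneypotMisconfigurationException extends RuntimeException {}

// Stand-in for In-Portal's kEvent: only the event name matters here.
class kEvent {
    public $Name;
    public function __construct($name) { $this->Name = $name; }
}

// Stand-in for the request layer. Get() returns false when the field is
// absent from the request, which is the "value = false" convention above.
class WebRequest {
    private $fields;
    public function __construct(array $fields) { $this->fields = $fields; }
    public function Get($name) {
        return array_key_exists($name, $this->fields) ? (string) $this->fields[$name] : false;
    }
}

class kEventHandler {
    // event name => honeypot field name on that form. Every event that should
    // be Honeypot protected must be registered here by the developer.
    protected $eventHoneypotFields = array(
        'OnSubscribe' => 'subscriber_website', // assumed event and field names
        'OnLogin'     => 'login_website',
    );

    private $request;
    public function __construct(WebRequest $request) { $this->request = $request; }

    public function checkHoneypot(kEvent $event) {
        if (!isset($this->eventHoneypotFields[$event->Name])) {
            return true; // event isn't Honeypot protected
        }
        $field = $this->eventHoneypotFields[$event->Name];
        $value = $this->request->Get($field);
        if ($value === false) {
            // The field never reached the server: the developer forgot to put it on
            // the form. Fail loudly instead of silently shipping an unprotected form.
            throw new HoneypotMisconfigurationException(
                "Honeypot field '$field' for event '{$event->Name}' is not on the form"
            );
        }
        // Humans never see the field, so anything in it was put there by a bot.
        return $value === '';
    }

    public function CheckPermission(kEvent $event) {
        if (!$this->checkHoneypot($event)) {
            return false; // a populated honeypot counts as a failed permission check
        }
        return true; // the real permission checks would follow here
    }
}

// Constructed sample requests (not captured traffic): a human leaves the hidden
// field empty, a bot fills every input it finds, and a form that lacks the field
// altogether triggers the misconfiguration exception.
$cases = array(
    'human'   => array('email' => 'a@example.com', 'subscriber_website' => ''),
    'bot'     => array('email' => 'a@example.com', 'subscriber_website' => 'http://spam.invalid'),
    'missing' => array('email' => 'a@example.com'),
);
foreach ($cases as $label => $fields) {
    $handler = new kEventHandler(new WebRequest($fields));
    try {
        $allowed = $handler->CheckPermission(new kEvent('OnSubscribe'));
        echo "$label: " . ($allowed ? 'allowed' : 'rejected') . PHP_EOL;
    } catch (HoneypotMisconfigurationException $e) {
        echo "$label: exception - " . $e->getMessage() . PHP_EOL;
    }
}
```

Two things the template side has to get right for this to work: the honeypot must be a normal text input (not type="hidden", which bots skip) that is hidden from people with CSS and labelled "leave this empty" for users without CSS, and the field name should look like a real one (the assumed subscriber_website above) so that bots fill it. The check is deliberately strict: only an exactly empty value passes, as the steps specify. A honeypot is a low-friction filter rather than a hard control, so it is worth keeping rate limiting on the same public forms.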

 
