Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2010/01/29 19:35:49 UTC

Re: Web Form Spam

On Fri, 29 Jan 2010, terry@cnysupport.com wrote:
> little uncomfortable making the form submit any more complicated than 
> necessary, since the people who use it are generally already stressed, and 
> I'd prefer to not make them decipher swirly letters.

I find that most form-fillers are robots and stupid, and can be easily 
defeated by inserting a 'hidden' field into the HTML that is invitingly 
labelled something like 'e-mail' and then have your form handler test 
whether it is empty. If not, then a robot has generated an input string 
rather than using your actual form.

Also, if any fields like phone number can reasonably be expected to be 
all-numeric, make this a test condition, and it will stop the 
alphabet-soup kinds of random field entry.

If the form is intended to report URLs for your own site, test to make 
sure any URL *is* one of yours - any other URL, just toss it..... :)

> Really, I was just trying to figure out what the point would be for 
> someone to fill out the form with obviously invalid data.

You would be amazed how many different bulletin boards and forums rely on 
a simple HTML form to post a message/report to a large list of people.
Or the form is for a 'comment' page whose output is visible to all website 
visitors. Guestbooks are frequent victims of form spam.

- C
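
The three checks suggested in the message above (an empty decoy field, an all-numeric phone number, and own-site URLs only), sketched as one server-side validation function. This is an added example, not code from the original post; the field names, the host list `example.org` and the sample submissions are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the post): decoy field name, phone field name, own hosts.
HONEYPOT_FIELD = "email"      # hidden from humans with CSS, so it must arrive empty
PHONE_FIELD = "phone"
OWN_HOSTS = {"example.org", "www.example.org"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def check_submission(form):
    """Return the reasons to reject a submission; an empty list means accept."""
    reasons = []
    # 1. A human never sees the decoy field, so any content means a robot filled it.
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")
    # 2. Phone: drop common separators, then require ASCII digits only.
    phone = re.sub(r"[\s().+-]", "", form.get(PHONE_FIELD, ""))
    if phone and not re.fullmatch(r"[0-9]+", phone):
        reasons.append("phone not numeric")
    # 3. Every URL in every field must point at one of our own hosts.
    #    Compare the parsed hostname, not a substring, so look-alikes such as
    #    example.org.spam.test or example.org@spam.test do not pass.
    for name, value in form.items():
        for url in URL_RE.findall(value):
            try:
                host = (urlparse(url).hostname or "").lower()
            except ValueError:  # malformed URL: treat as foreign
                host = ""
            if host not in OWN_HOSTS:
                reasons.append(f"foreign URL in {name}")
                break  # one reason per field is enough
    return reasons

# Constructed sample submissions.
HUMAN = {"name": "Pat", "email": "", "phone": "(905) 555-0100",
         "message": "Broken page: http://www.example.org/faq.html"}
ROBOT = {"name": "xkqjz", "email": "bot@spam.test", "phone": "qwertyuiop",
         "message": "cheap pills http://example.org.spam.test/buy"}

if __name__ == "__main__":
    for label, form in (("human", HUMAN), ("robot", ROBOT)):
        print(label, check_submission(form) or "accepted")
```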