We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Hidden Field Spam Protection

  • sottwell Reply #1, 16 years, 4 months ago
    I’ve made the attempt at spam protection by adding a field that must be left empty. I took it from BobRay’s spform.
    the field:
    <input type="text" name="Last__Name" id="LastName" size=30 autocomplete="off" eform="LastName::0" />

    the CSS:
    #LastName{
    position:absolute;
    text-decoration:underline;
    background-color:#CC0000;
    left:0px;
    top:-500px;
    width:1px;
    height:1px;
    overflow:hidden;
}

    The snippet checkField:
    <?php
function checkField(&$fields,&$vMsg,&$rMsg) {
    if(!empty($fields['Last__Name'])) {
        return false;
    } else {
    return true;
    }
}
?>

    And the eForm parameter:
    &eformOnValidate=`checkField`

    I suppose only time will tell if it actually works; if I don’t hide the field and fill it in, the eForm just aborts with no errors or messages, which is all that a ’bot deserves. If the field is empty, the form works as expected.
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
      • 33372
      • 1,611 Posts
      ZAP Reply #2, 16 years, 4 months ago
      I’m trying this out on a form that’s been getting hit by a dirty rotten spammer lately. I expect it’ll do the trick. Thanks for posting it!

      I actually added a separate check to the function to block messages with certain words in them. I did this mostly because I thought that perhaps this spambot had already determined which field data it needed to send to this form and wouldn’t necessarily recheck it and fill in the hidden field. I wanted to be sure that I stopped the current wave of spam, and this seemed like a simple way to do it.

      <?php
function antiSpam(&$fields,&$vMsg,&$rMsg) {

     $hasBadWords='no';
     $badWords=array('xanax','viagra','phentermine','cialis','tramadol','propecia','[url=');
     foreach($badWords as $badWord){
           if(strpos(strtolower($fields['Name']),$badWord) !== false) $hasBadWords='yes';
           if(strpos(strtolower($fields['emailSubject']),$badWord) !== false) $hasBadWords='yes';
           if(strpos(strtolower($fields['message']),$badWord) !== false) $hasBadWords='yes';
      }

    if(!empty($fields['Last__Name'])||$hasBadWords=='yes') {
        return false;
    } else {
    return true;
    }
}
?>


      I don’t think that any legitimate email would ever have any of these words in it, so it seems like a safe extra measure to throw into the mix.
        "Things are not what they appear to be; nor are they otherwise." - Buddha

        "Well, gee, Buddha - that wasn&#39;t very helpful..." - ZAP

        Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
        • 33694
        • 742 Posts
        [e]Bu$ter Reply #3, 16 years, 4 months ago
        I’m to using hidden form field for spamfighting. But, my variant is very simple:
        <input type="text" name="title" eform="spammer:string:0:go to hell:#REGEX /^$/i" />
        and hide this field with css rule:
        display: none;
          • 21496
          • 225 Posts
          nightsignals Reply #4, 16 years, 4 months ago
          Quote from: sottwell at Nov 24, 2007, 09:40 PM

          I suppose only time will tell if it actually works; if I don’t hide the field and fill it in, the eForm just aborts with no errors or messages, which is all that a ’bot deserves. If the field is empty, the form works as expected.

          Actually I had to implement a solution like that to a page built on another CMS than MODx, which was flooded with spam. I used a hidden field together with a simple question that needs to be answered. The result: since 6 weeks, no single spam could send the form anymore.

          But if that approach is used more, I guess it’s only a matter of time until spam bots get smart enough to check for css rules that hide form fields, leaving them empty. Maybe answering simple questions is the way to go, as they are more accessible than visual captcha with distorted letters, for people with disabilities.
            René
            • 3749
            • 24,544 Posts
            BobRay Reply #5, 16 years, 4 months ago
            Quote from: [e
            Bu$ter link=topic=20155.msg125197#msg125197 date=1196119190]
            I’m to using hidden form field for spamfighting. But, my variant is very simple:
            <input type="text" name="title" eform="spammer:string:0:go to hell:#REGEX /^$/i" />
            and hide this field with css rule:
            display: none;


            The only downside to this approach is that Google may penalize you for having hidden content. If you use the method Sottwell describes above in your CSS instead, the field will be invisible to users but Google’s bots (and spambots programmed to ignore "display:none" content)will still "see" it.

            Bob
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
              • 33694
              • 742 Posts
              [e]Bu$ter Reply #6, 16 years, 4 months ago
              Spam bot’s parsing css files to? Mm... may be. But, I am sure, google is not penalize for this, because display is standart property which is used everywhere (for dumanic content usually default value is none smiley ).
                • 3749
                • 24,544 Posts
                BobRay Reply #7, 16 years, 4 months ago
                My understanding is that many sites use (or used) display:none to hide a long list of keywords in the hope of moving up in Google Page Rank. It’s widely believed that Google responded by penalizing sites that hide content in this way when media=screen. Google, of course, is mum on the issue.

                Since the method Sottwell describes works just as well for hiding content without using "display:none", I would use it instead, just in case.

                Obviously, if you don’t care about Google Page Rank, this is a non issue.

                Bob
                  Did I help you? Buy me a beer
                  Get my Book: MODX:The Official Guide
                  MODX info for everyone: http://bobsguides.com/modx.html
                  My MODX Extras
                  Bob's Guides is now hosted at A2 MODX Hosting
                  • 26931
                  • 2,314 Posts
                  anonymized-26931 Reply #8, 13 years, 10 months ago
                  Hi everybody,

                  got it working, just wanted to check if the intendet behaviour is right

                  if the hidden field is filled out, and the form submitted, nothing will be displayed at all ( the actual form will basically disappear from the page), right?

                  thanks, j
                    • 33372
                    • 1,611 Posts
                    ZAP Reply #9, 13 years, 10 months ago
                    Yes - that’s right. Susan doesn’t like to talk to spambots. I don’t blame her.
                      "Things are not what they appear to be; nor are they otherwise." - Buddha

                      "Well, gee, Buddha - that wasn&#39;t very helpful..." - ZAP

                      Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
                      • 26931
                      • 2,314 Posts
                      anonymized-26931 Reply #10, 13 years, 10 months ago
                      Yes - that’s right. Susan doesn’t like to talk to spambots. I don’t blame her.
                      haha, great thanks smiley