[nycphp-talk] capricious submission of forms

Rolan Yang rolan at omnistep.com
Mon Feb 12 12:07:52 EST 2007


Ok, here's a totally off the wall idea to help thwart the robots from 
even getting into the submission script. It is complex though:

1. You create an encrypted string based on a secret key combined with 
something like the current datetime, then split it in half.

2. Half of that string is pasted into your form as a hidden variable. 
The other half is hidden in an obfuscated javascript function which is 
called when you click on the submit button. For added "protection", the 
javascript function can even be one of those self-decrypting ones (they 
used to be common with those malicious browser-exploit worms).

3. When the user clicks "submit", your form script receives the 
hidden value and the javascript decrypted value, pieces it together, 
decrypts it with the private key, and checks to make sure the date is 
valid. If the string fails to decrypt then we know it's a bot. Otherwise 
we have a little more assurance that it's a browser submitting the data.

You may be thinking, well, some bots are pretty smart and have a 
javascript engine built in. Ok, here's another layer of deception 
throwing css into the mix:

You do above steps 1 and 2 the same.
The first half of the encrypted string should be saved locally on the 
server or stored in a database (I'll explain why in a minute).
Your form page will then have a function that dynamically generates 
random css code like this:

<style type="text/css">
/* class selectors need the leading dot, or the rules match nothing */
.aerguaehrgaer {display:none;}
.cvoazsdofddf  {display:inline;}
.htergoergjarg {display:none;}
.joregpokerge  {display:none;}
.g493t344kt4   {display:none;}
</style>

Then put a bunch of submit buttons at the bottom of your form:
<!-- a submit button fires onclick; onsubmit only fires on the form element -->
<input type="submit" class="aerguaehrgaer" 
onclick="selfdecrypt('eg834nt9ejwegwe');">
<input type="submit" class="cvoazsdofddf" 
onclick="selfdecrypt('s8934t0w340t934t34q');">
<input type="submit" class="htergoergjarg" 
onclick="selfdecrypt('mr90238t340834t3');">
<input type="submit" class="joregpokerge" 
onclick="selfdecrypt('d83ng0erg34t0834');">
<input type="submit" class="g493t344kt4" 
onclick="selfdecrypt('j9340tgi340we0jerg');">

The spam robot won't know which submit button to push, but a human will 
only see one button because the css is hiding the rest.

Well, if I were a stubborn inconsiderate javascript interpreting spam 
bot, I would just submit the same form 5 (or however many) times trying 
every submit button.
That is why when we receive the form submission, we check for the first 
half of the encrypted string in our locally stored list. After a failed 
try, the string should be removed from the local list or database and 
any successive attempts will return as failed.
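The same flow as a runnable server-side sketch, added here as an example and not code from the original post: it issues a token in two halves, checks the reassembled halves on submission, and forgets the hidden half on the first attempt so that trying every submit button in turn fails. In place of the encryption described above it uses an HMAC over a timestamp and a random nonce (the server only needs to recognise its own token, not recover anything from it); the function names, the constant, the in-memory `$issued` array standing in for the post's local list or database, and the placeholder secret are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Two-half form token with
// one-time use. Assumed names: issue_token(), verify_submission(),
// TOKEN_TTL_SECONDS, the $issued array and the placeholder $secret.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 15 * 60;   // how long an issued token stays acceptable

/**
 * Issue a token and split it in half. The token is
 *   base64( timestamp ":" nonce ":" HMAC-SHA256(secret, timestamp ":" nonce) ).
 * Half A goes into the hidden form field, half B to the client-side script.
 * Half A is also recorded in $issued so the token can be consumed exactly once.
 */
function issue_token(string $secret, array &$issued, int $now): array
{
    $payload = $now . ':' . bin2hex(random_bytes(8));
    $mac     = hash_hmac('sha256', $payload, $secret);
    $token   = base64_encode($payload . ':' . $mac);
    $mid     = intdiv(strlen($token), 2);
    $halfA   = substr($token, 0, $mid);
    $halfB   = substr($token, $mid);
    $issued[$halfA] = $now;            // server-side record, as in the post's local list
    return ['hidden' => $halfA, 'script' => $halfB];
}

/**
 * Verify a submission. The hidden half is forgotten on the first attempt,
 * pass or fail, so pressing every submit button in turn cannot succeed.
 */
function verify_submission(string $secret, array &$issued, string $halfA, string $halfB, int $now): bool
{
    if (!array_key_exists($halfA, $issued)) {
        return false;                  // never issued, or already consumed
    }
    unset($issued[$halfA]);            // consume before any other check

    $decoded = base64_decode($halfA . $halfB, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode(':', $decoded);
    if (count($parts) !== 3) {
        return false;
    }
    [$ts, $nonce, $mac] = $parts;
    if (!preg_match('/^\d+$/', $ts)) {
        return false;
    }
    $expected = hash_hmac('sha256', $ts . ':' . $nonce, $secret);
    if (!hash_equals($expected, $mac)) {
        return false;                  // the halves do not reassemble into our token
    }
    $age = $now - (int)$ts;            // reject future-dated and stale tokens
    return $age >= 0 && $age <= TOKEN_TTL_SECONDS;
}

// Walkthrough with constructed values (the timestamps are arbitrary).
$secret = 'placeholder-secret-use-a-long-random-value';
$issued = [];

$t = issue_token($secret, $issued, 1171299000);
$first  = verify_submission($secret, $issued, $t['hidden'], $t['script'], 1171299060); // genuine first use
$replay = verify_submission($secret, $issued, $t['hidden'], $t['script'], 1171299060); // same token again

$t2 = issue_token($secret, $issued, 1171299100);
$forged = verify_submission($secret, $issued, $t2['hidden'], strrev($t2['script']), 1171299160); // wrong second half

$t3 = issue_token($secret, $issued, 1171299200);
$stale = verify_submission($secret, $issued, $t3['hidden'], $t3['script'], 1171299200 + 2 * TOKEN_TTL_SECONDS); // past the TTL

foreach (['first' => $first, 'replay' => $replay, 'forged' => $forged, 'stale' => $stale] as $case => $ok) {
    echo $case, ': ', ($ok ? 'accepted' : 'rejected'), PHP_EOL;
}
```

The form page would put `$t['hidden']` in the hidden field (HTML-escaped) and hand `$t['script']` to the client-side function that adds it when the visible button is clicked; the handler then calls `verify_submission()` with both halves and the current time. A real handler keeps the issued list in a database or session store, as the post suggests, rather than in a per-request array, and should expire old entries from that store on the same TTL.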

The method above provides a decent amount of spam-bot deterrence while 
still presenting a user-friendly captcha-less form.

Good luck,
Rolan