1080degrees
May 31, 2007
Reverse Captcha
So, I finally got around to looking at the comments on articles from a little while ago. It has been a little over two months since I wrote my new administrative backend and added the ability to post comments to my blog. While writing it, I took the blissful mentality that spambots would only spam WordPress installations due to their incredibly popular nature. I suppose this isn't the case.

On two articles, a bot (from multiple IP addresses, but with the same scheme in the email address) advertised cheap drugs. Only now did I notice, and finally remove them. This bit of spam got me to thinking.

I have used the concept of captcha systems before. Have the user input a series of random numbers and letters, or even use a list of short dictionary words. I've always hated having to fill these out. They only prove an annoyance to anyone who is trying to post a legitimate comment. However, they are great at fighting spam. I went in search of a better way to prevent seeing Viagra ads on my site.

Captchas are no more.
From my friend TomB I learned about the reverse captcha idea. I decided I would go ahead and try it.

The idea is that instead of having a human prove they're human, you have the bot prove it's a bot. We do this by using some creative CSS. First off, instead of naming your email field in your comment box "email," name it something unique. Now we can move on to the CSS and HTML hackery.

<div style="display: none;">
	<input name="email" type="text" />
</div>

The CSS attribute "display" dictates whether the object on the page should be displayed at all. Wrapping the field in a div set to "display: none" hides it in just about every web browser that supports CSS. Spam bots, which read the HTML without applying the CSS, just see a standard text box, and they will put a fake email address in it. Now we have to refuse any comment that arrives with that field filled in. We do this by adding the following to whatever file adds the comments, preferably as close to the top as possible.

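// Reverse captcha: real visitors never see the hidden "email" field, so any value in it came from a bot.
if (!empty($_POST['email'])) { die("Spambots aren't welcome here. Have a nice day."); }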

This simply checks, in PHP, whether the field was posted to the script with a value in it, and if it was, stops any further PHP actions on the page. Comments from spambots that can't tell the field is not a real email field are therefore blocked, while comments from real users, who can't actually see the field, are allowed.
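Here is a fuller version of that check, added as an example and not the code running on this blog. It goes a bit further than the one-liner above: it also treats a missing or array-valued decoy field as a bot, and it validates the real fields. The names "contact_addr" and "comment" are assumptions standing in for whatever unique names your form uses.

```php
<?php
// Added example, not the blog's own code. Field names other than the decoy
// "email" (here "contact_addr" and "comment") are assumptions.

const HONEYPOT_FIELD = 'email';          // decoy, hidden with display:none
const REAL_EMAIL_FIELD = 'contact_addr'; // assumed name of the visible field

/**
 * Classify one comment submission.
 * Returns 'accept', 'bot' (decoy tripped) or 'invalid' (bad real input).
 */
function classify_submission(array $post): string
{
    // Browsers submit display:none inputs with an empty value, so a missing
    // decoy means the request did not come from the rendered form.
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return 'bot';
    }
    // Any non-whitespace value was entered by something that parsed the HTML
    // but ignored the CSS. is_string() guards against email[]=x.
    $decoy = $post[HONEYPOT_FIELD];
    if (!is_string($decoy) || trim($decoy) !== '') {
        return 'bot';
    }
    $addr = $post[REAL_EMAIL_FIELD] ?? '';
    if (!is_string($addr) || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    $comment = $post['comment'] ?? '';
    if (!is_string($comment) || trim($comment) === '') {
        return 'invalid';
    }
    return 'accept';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'        => ['email' => '', 'contact_addr' => 'reader@example.org', 'comment' => 'Nice post'],
    'naive bot'    => ['email' => 'x@example.net', 'contact_addr' => 'x@example.net', 'comment' => 'cheap pills'],
    'array value'  => ['email' => ['x'], 'contact_addr' => 'a@example.org', 'comment' => 'hi'],
    'decoy absent' => ['contact_addr' => 'a@example.org', 'comment' => 'hi'],
    'bad address'  => ['email' => '', 'contact_addr' => 'not-an-address', 'comment' => 'hi'],
];

foreach ($samples as $label => $post) {
    printf("%-13s => %s\n", $label, classify_submission($post));
}
```

Because the function returns a verdict instead of calling die(), the calling script decides what the visitor sees for each outcome.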

Go ahead and test it out, comments are enabled!
Comments
Dranyam
May 31, 2007
at 05:54 PM
What an unsightly typo....
TomB
May 31, 2007
at 06:05 PM
It's a very interesting technique until spammers catch onto it, which I feel won't be for some time.
Justin Bull
June 1, 2007
at 06:40 PM
A very good idea! I plan to implement this into my next commenting system.
The_PHP_Jedi
June 1, 2007
at 06:47 PM
Very nice article. Love the idea of reverse captcha :D Will try it one day hopefully.
Dravas
June 5, 2007
at 08:16 PM
BALLLLLLLLLLLIN' Pretty cool.
thespy
June 5, 2007
at 08:16 PM
Quite interesting, I think I'll try it out sometime
JUMANJI
June 5, 2007
at 08:22 PM
Thanks for the tip! I think I might revive my blog at http://uberget.net finally!
boxgamex
March 24, 2008
at 07:27 PM
posting this on the internets might not be the best way to stop spammers..
David
March 24, 2008
at 07:30 PM
@boxgamex
This might be true, but spammers don't have any way to cope with this method, as they have no idea which field is the actual email field.
sezer
May 2, 2008
at 01:18 PM
CSS "Cascading Style Sheets" LessoNs - WeB DesigN LessoN - - Web site : http://WWW.css-lessons.ucoz.com/index.html
Crad
May 3, 2008
at 05:58 PM
I'd opt for turning off the input by id instead of wrapping it in a div. The div is just wasted space.

If you add id="email" to your input:

input#email { display: none; }
David
May 3, 2008
at 06:01 PM
This is true. Even some simple inline CSS could do the trick. I suppose it's just the concept that is important, however.
ee
May 29, 2008
at 04:57 AM
Does it work if I do not have JavaScript enabled?
David
May 30, 2008
at 10:47 PM
@ee
Yes. It works so long as you have CSS rendering support in your browser of choice.
Jean
July 9, 2008
at 09:16 PM
Well, seeing the two fields would be very confusing to a disabled person using a screen reader.
I have a small bot trap on my site. The link to it displays a tiny transparent gif. I have many other measures in place to ensure that I am 99% certain that any visitor is a bot. All visitors to this page have their IP address quietly written to my banned list.
Gloating when you catch the spammer tips your hand and makes it easier for them to figure out what your defenses are. A quiet defense lasts longer.
David
July 9, 2008
at 09:51 PM
@Jean
I have my code set up (on this blog) so that when any user trips the reverse captcha, the following page displays a notice instructing people to not fill in the first form field (or something of that nature). I understand this method might not be the most accessible, but I'm not sure how many visually disabled people are reading a blog related to web design. Just my two cents.
commentbot
July 25, 2008
at 05:00 PM
I am bot. This does not compute. Therefore, please buy viagra.
Guest
September 25, 2008
at 09:01 AM
@1080: When I wanted to post the comment "Buy It!!!!!!!!!!" I got the message Invalid Comment.


What the heck is that ?

How does it work ? Counting words or what....
David
September 27, 2008
at 12:49 PM
@Guest
I do have a system set up to weed out many incoherent comments based on length criteria. The longer the comment, the more likely it is to be something valid.