Stop spam with CSS? Close, but no cigar.

I read an article today that appeared on the front page of digg about hiding parts of an HTML form with CSS to try and prevent spam. It's a nice idea, and the author claims that their “spam levels … went down to zero”. If it works for him then great, but I am unconvinced mainly because:

  • People not using CSS devices (e.g. those with disabilities, some mobile users etc.) get a poor and/or confusing user experience.
  • It relies on spammers being stupid.

There seems to be a misconception that spammers are morons, with mindless scripts just trawling the internet looking for unprotected HTML forms and naked email addresses for harvesting. Sure, there are no doubt a lot of people and scripts like that, but let's not beat around the bush here: spammers are not idiots.

For example, the technique in the above link relies on a spam bot automatically filling in the “info” input field, in addition to the “name”, “email” and “comments” fields - the assumption seems to be that bots will do this simply because they are bots and not humans, thus apparently defeating spammers.
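The server-side half of that technique, as an added example that is not code from the linked article or from this post: it classifies a urlencoded form body by the state of the hidden “info” field. The field names come from the post; the decision labels and the choice to queue suspicious posts for moderation rather than discard them are assumptions made for illustration.

```python
from urllib.parse import parse_qs

HONEYPOT = "info"                        # CSS-hidden field named in the post
REQUIRED = ("name", "email", "comments")  # visible fields named in the post


def classify_submission(raw_body):
    """Return (decision, reason) for a urlencoded POST body."""
    # keep_blank_values=True keeps an empty "info=" distinct from a missing key.
    fields = parse_qs(raw_body, keep_blank_values=True)

    missing = [f for f in REQUIRED if not "".join(fields.get(f, [])).strip()]
    if missing:
        return "reject", "missing required field(s): " + ", ".join(missing)

    if HONEYPOT not in fields:
        # A browser sends a CSS-hidden text input as an empty value, so a body
        # without the key did not come from submitting the rendered form.
        return "moderate", "honeypot field absent"

    if any(value.strip() for value in fields[HONEYPOT]):
        # Either a naive bot or a person whose device ignores the CSS and
        # showed them the field; queue it so that person is not dropped.
        return "moderate", "honeypot field filled in"

    # An empty honeypot only shows the sender left it blank. Software that
    # reads the stylesheet can do the same, so this is not proof of a human.
    return "accept", "honeypot present and empty"


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "browser": "name=Ann&email=ann%40example.com&comments=Hello&info=",
    "fills_everything": "name=x&email=x%40example.com&comments=buy&info=x",
    "drops_hidden_field": "name=x&email=x%40example.com&comments=buy",
    "incomplete": "name=Ann&email=&comments=Hello&info=",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", classify_submission(body))
```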

There is nothing to stop a bot programmer from making an “intelligent” spam bot based on a modern browser which uses semantics of a page to its advantage. Humans still need a label of some sort near the fields (in fact it's an accessibility requirement of XHTML that there is a text label for each field…) to know what they are for, so a bot could infer the use of the fields through that. Let's just hope someone doesn’t decide to implement a microformat for a contact form!

Likewise, humans need to see a form to fill it in, so a bot could look at the CSS to see if the form is hidden and simply ignore the honey pot. JavaScript-generated forms? No problem to a bot that simply relies on the browser’s DOM - just like how any Firefox or IE plug-in relies on the browser’s DOM… but let's not let that genie out of the bottle just yet…

Sorry, this turned into a bit of a rant. My point was simply that coming up with fairly primitive “tricks” to prevent spam won't last very long - especially if it's on the front page of digg. There are other well-established methods (e.g. CAPTCHAs) that I’d try first!

One Response

  1. dj Says:

    Thoughts about the trick I’ve seen some use of encoding the entire email address using HTML character codes?

    I’ve used this, not because it’s technically foolproof, but it does make things a little trickier if spammers do use bots to harvest with…

    I’ve used a JS script to output a mailto link to an encoded email address.
