Damien Katz

Very very clever. Think I'll give that a try...

Looking at the implementation, it seems that a legitimate user on a browser which either doesn't support or doesn't have CSS enabled could fall for it. Perhaps some kind of human readable warning is called for.

To Random Reddit Reader; "hidden" form fields are part of the HTML spec. No browser (that I know of) will display them.

However, I went to the mentioned demos and didn't see any hidden form fields. So I'm confused too.

I've heard other people calling this idea 'Comment Flak'

Jonathan, Random Reddit reader is correct. The fields are hidden via CSS, they don't have the "hidden" attribute. This tricks the bots, because bots generally disregard CSS altogether; however, it will also trick any legitimate user who doesn't load the CSS.

The write up says that it's done with form fields hidden with CSS. If they were fields of type 'hidden' the bot would know to leave that as is - it would have to think they were a required text field to try and enter a value. This leads to the obvious issue of browsers that don't support CSS ...

Maybe if you put something like this on css hidden filed: "do not put anything here", name it "email" and check if you received the string you´re supposed to recieve.

Obvious solution is to include a message, "If you type anything into this field, your message will be discarded. This is to protect against spam. Thanks.", and hide that as well.

Another problem would be form auto-fill that some browsers do.

First, there's a big misunderstanding of how bots work. They don't just crawl the web and look for forms (ok, some do, but most don't), and then fill them out. That just won't work, because they wouldn't know which field is email, which field is first name, which field is the body. So it is human that looks at the form, at the HTML code, and then tells bots which parameters mean what. So your CSS trick will not fool most of the bots, because forms are reviewed by humans first.

Btw, you can create forms dynamically, with Javascript, so if you are afraid of crawling bots, they will never even find the form.

You are a load of blubbering idjeets.

First, if a bot programmer is smart enough, he's already found out about this 'Negative CAPTCHA!' (gasp!) and has preprogrammed his to look for the hidden CSS tags and discard those field responses.

Thank you! COME AGAIN!

agreed. idjeets indeed. this will be completely useless in the space of about 7 -10 days.

Just use Akismet. I think it was originally a Wordpress plugin, but it has generic-use libraries for PHP, Perl, Python, etc. Catches spam very effectively.

This is way to easy to overt. Simply look for the forms that are marked type=hidden and dont' fill them in...if you were a spam bot.

dan, maybe before posting a comment you should read the other comments, don't you think? :)

anyway, I find it intresting... this (or evolutions of this strategy) can be worth a try :)

nice!

To you people who just don't seem to get it (dan rather, listen-up)...

This is NOT a hidden input field! This is a regular text input field that is being hidden using CSS.

I love the "smart" comments about how dumb the implementer of this technique is and how this will be figured out by "spambots that don't fill out hidden fields!"

Learn to code, or at least learn to read articles correctly before jumping to stupid conclusions.

Yeah, that will protect you for all of five minutes. And then, the bot maker adds a CSS parser, and it's broken again.

CSS is machine parseable. You are missing the point of "turing test", here.

If you identify the field in any way so that a regular user knows not to fill it in... it is only a matter of time before spammers and their spam bots figure out how to identify these fields. All these suggestions about adding a "Don't fill this line" would defeat the purpose.

The beauty of this solution is that it would take a very sophisticated spam bot to read the CSS, figure out which field it is hiding, and then not fill it in.

As for the users without CSS problem, well first off why on earth are there people still using browsers without basic CSS support? But second, I'd be such a small minority that I don't think it would pose a problem. Same problem designers face with the CAPTCHA and users who have images disabled. You don't see people shying away from this technique just because of that.

Seems a pretty good idea to me!

and yes... it wouldn't really be worth the spammers efforts to have it read CSS and analyse that. Unless of course everyone starts using it, but isn't that always the way.

If you used JS to hide the neg-captcha field (with CSS/DHTML) it would be much harder for spambots to catch it. They couldn't just parse the CSS or HTML to catch it; the JS could be obfuscated or encrypted to hide its true purpose.

The next solution for spambot writers would be to actually load and execute the page w/ Javascript and submit that way. Perhaps built on top of Firefox. Quite a bit of work to defeat this protection though it's doable.

This is not a good idea.

I've never written a spambot myself, but if I did, I'd NEVER have it parse a form in realtime. Instead, I would look at the HTML myself (as another poster said), and most especially, I'd look at the URL parameters (GET or POST, both)! Then I'd write a script that just runs 'wget' or 'curl' with the params.

This trick wouldn't even fool me the first time.

Lex,

Yes, thats make sense, but I did a test when I renamed the name of php file that receive the form parameters(In my case the wp-commments-post.php to something like wp-comments-post-foo.php).
One day later I started to get spam again... seems to me that the majority of the spambots parsers the html anyway... or at least once in a while for each site.

Nice idea, maybe if instead of putting it hidden by CSS, you can only set a position outside the screen. I've made some approaches to avoid spam to but I won't describe here. spambots are reading too

Funny how many of the readers didn't understand the original post.

Like anything, of course, it's just a matter of time before Guido's spamming software provider also learns of this trick and gets wise to it, and he buys another gigantic chandelier off the profits of Joe American Dumbass That Actually Responds Favourably to Spam.

How about a statistical approach for a bot....

Instead of parsing CSS,or writing JS executable engines,the bot can just send (POST/GET) of only some the required fields,if one post does not work
it can add other "compulsory" text fields to its list .

(It can also submit nulls for many fields which it 'thinks' are not required)

The fields which are "required" can be interpreted by using tricks like parsing HTML for or descriptive text around the supposedly hidden input.

once it works for one form in a particular site it can keep a record of the fields and continue with the same process.

simple data structures don't you think?

Please feel free to comment.......

Absolutely Brilliant!!!!

Its like Sherlock Holmes. When it was a puzzle/mystery, it seemed so difficult and once you found out the explanation, it seems so damn easy :)

Why not give this another twist? You could randomly generate the name tags of some (or all) of your fields all the time. Then use CSS + JS hiding of one (or more) fields. When you receive the form back again, using the session, you can just map the generated field names against the rest of the program's field names (the names your app server expects).

That will eliminate all spam for quite some time.

sdfg

What about users of RoboForm and other Form Submitters? Will they add value to this hidden with CSS field? If yes, it will be a problem for humans not for bots...

I had the exact same idea yesterday ...

What most commenters seem to forget is that everybody using this technique will have a different CSS classname for the hidden field (or they should). So simply checking for a certain classname won't work everywhere. Sure spambots can parse CSS but not even Google touches CSS, I'm guessing it's not that hard but it's extra traffic for the spammer and it delay's the overal spamprocess. Also, what's stopping us from using multiple CSS-hidden fields. Instead of breaking it down, improve it!

The random addition is a good idea. Not just random class attributes though but randomise the location, name and markup of the hidden input. Use JS, use CSS, randomise the whole thing.

As for the statistical idea I think that has been beaten by systems that flag the comment as spam but continue displaying it to the original poster/bot. So the bot thinks it worked but nobody else can see the comment.

And there's the obvious issue of how the heck does a spammer programmatically guess which items are hidden when the colours are subtly different - too subtle for most humans to notice - say, #000000 vs #010101 (Or other more subtle colour difference - that really is a poor choice of colour - but there are other better examples)

To Gahhh:

First, if a bot programmer is smart enough, he's already found out about this 'Negative CAPTCHA!' (gasp!) and has preprogrammed his to look for the hidden CSS tags and discard those field responses.

But CSS isn't that simple. You shouldn't directly hide the field, but make it a property of a class, or a combination of classes, that hides it. It'd work best if everybody who applies this trick, uses a different system.

Let's see how long it'll last.

I think this is an interesting idea, far from a complete solution, but definitely a good stop gap method for smaller sites.

In the long term it wouldn't hold up - as someone mentioned CSS/JS are both machine parseable (obviously) and if made common place eventually spam bots would adapt.

I'd also be slightly concerned about the accessibility impact of the technique - for those without CSS/JS - screen readers, mobile browsers, etc.

There's already a big problem with false negatives with CAPTCHAs and I could see this being equally problematic without some sort of (also hidden) explanation, which would give spam bots another hook to identify the trap fields.

Please make sure the field is also hidden from the blind user who is using a screen reader (e.g. JAWS) so they don't try to fill out the field.

For the people worrying about browsers without CSS, please stop it. It is 2007, if someone is using a browser that can't even parse basic css they are a lost cause. The only exception should be sites is specifically designed for mobile or other archaic platforms that don't have CSS support. Stop spending so much time worrying about the how %0.1 of users see your site and focus on the other %99.9 percent.

Also, parsing CSS and applying the rules to HTML is not a trivial task. Since spammers generally go towards the path of least resistance this will probably work for awhile since spammers have many other sites with less protection to exploit.

As Mark said above, you would need to hide this field from the screen reader user as well as the sighted user. Unfortunately, screen readers vary widely in how they react to display:none, according to which software you use, as well as how you call the style. See Bob Easton's research results on the topic. (Note: you would want a n/n for this instance.)

I've put a mechanism in place on my forum that has 100% eliminated spam.

Since most forums (including mine) are centered around a particular topic, I have a set of very simple visual questions, one of which is randomly presented to each new registrar.

Since my forum is centered around "Battlestar Galactica", I simply present a picture of a cast member and ask a question. To see it in action, try and sign-up for my forum at: http://www.alanlight.com/phpbb/viewforum.php?f=2

This is a brilliant idea indeed, BUT

Many people use auto-form-filling tools (i.g. google toolbar offers such a tool, roboform-toolbar etc etc). And this tools will fill the hidden fields :-(

But the idea is really GREAT!

If this problem is caused in normal blogs by bots recognizing a form field called (maybe stupidly) "email", why would any site designer in his/her/its right mind name an email form field that? Your back end could accept any appropriately named field as the email address.

John Rockway:
It has to be made invisible through CSS or javascript. Not just HTML.
A bot wouldn't change a form value if its type is "hidden"

Bots usually don't fill out and submit the form via a browser, they read the form in the html, generate the request, and make it. This saves the bot the trouble of rendering the HTML and whatnot.

As a result, and even easier way to avoid bots is to have some javascript change the ACTION url of the form. A bot would submit the page to the original form submission location,, while a user with javascript enabled would be redirected elsewhere.

I've been using this technique for almost 6 months on my site with a great success. I used display: none CSS attribute to hide the field on the form, so a human user can't fill it but the same field is visible to spam bot. I don't think it's wise to assume it's a full proof solution because it has its own limitations but overall it's a simple solution that works.

That does not seem very smart....

@Stop It: I think you missed the point of most peoples concerns around accessibility when you said:

"Stop spending so much time worrying about the how %0.1 of users see your site and focus on the other %99.9 percent"

No one is saying you can't use this method because of a small minority, but that it should degrade gracefully and still be usable for a minority.

It's difficult to write off visitors who 'don't have CSS' as using some archaic browser from the dawn of time. But theres a huge variety of reasons you may get unstyled content, they are rare, but it's _not_ just old browsers.

A viable solution needs to work at a fundamental level, CAPTCHA has already gotten an awful lot of flak because it essentially discriminates against visually impaired users.

This method could offer an improvement in terms of accessibility, so it would be shame to see visually impaired users regarded as false positives.

So no one is saying you can't hide things with CSS/JS, just that it needs to be done in a robust way.

i don't get the accessibility problem. if you're hiding a form field called "e-mail" from stupid bots, why not also include some explanatory text like "if you're a human, don't type anything in here--its just a trick to weed out spambots." sighted users will see nothing 'cause you've used js/css to hide the whole thing but the blind or people using lynx will read/hear an explanation. this would take some getting used to but i think most blind users would be grateful considering how big of a pain visual CAPTCHAs are.

I like the idea of using the same foreground/background color as a hiding mechanism. In CSS, since it is cascading styles, setting either foreground or background using one element and than setting the opposite to the same color in another element would be much harder for robots to determine "hidden" elements, since it would have to track both colors settings and look for a concurrent match. Using display:none or visibility:hidden is much easier to find and associate with the html form object.

Kudos to Jan for a clever idea. I think people give spam bots programmers more credit than it's worth. These people want to work less, not more and since their current methods seem to be okay, I think creating a CSS reader not to mention Javascript parsing bot is far down the road for them.

I think some of the accessibility problems brought up in the comments are good things to think about. Are there other fields that spam bots fill in automatically? Do methods like just changing the default way of describing the name and id attributes on input fields help?

Anyway, you guys are doing clever work. Keep it up.

I did something similar which I call InvisibleCaptcha (http://haacked.com/archive/2006/09/26/Lightweight_Invisible_CAPTCHA_Validator_Control.aspx) which gets around the usability problem for users using screen readers and such.

These techniques are surprisingly more effective than some commenters give credit for. Turns out, bot developers are focused on the big players (Hotmail, Ticketmaster, etc...).

They don't have time to focus on every small-fry CAPTCHA variant. That wouldn't scale very well. So this might not be effective for Yahoo, but it is effective for many bloggers. I've not had a automated comment spam comment in a long while.

Of course, this doesn't do anything for trackback spam.

I like this new idea, primarily for the visitor's convienence. However, after some consideration, I think the standard captcha approach should prevent more abuse. I believe this is the case because it does more to deny access, by default, and therefore is a better security design (aligning better with the principle of least privilege).

I think the negative captcha is more of a security through obscurity approach which works, as some commenters note, until it is no longer obscure.

I do not believe site audience size matters to a spammer. If a spammer is reaching more people than other spammers (even if their inventory is comprised purely of less-visited site), then the economics remain in their favor.

Please keep trying though, more attempts (perhaps while keeping the previously-mentioned concepts in mind) may yield more fruitful results.

I've been using something similar to this for a long time -- except I hide the main comment textarea rather than the email field. Also, I use an MD5 hash to generate the name of the real textarea based on date and IP address, so it's different for every user and even then changes every day. It's been quite effective.

Spammers are lazy. They develop scripts that hit the maximum number of comments with the minimum amount of effort. Edge cases don't really concern them because who cares if you don't spam five sites when you've just successfully spammed five million? So just making your comment script different in some way from a stock MT or WP install will stop a certain amount of spam.

As I said before, "You could randomly generate the name tags of some (or all) of your fields all the time."

This should be done in the backend of course (JSP or something).

My 0,02€

I think trendio use something like that, I checked for a while.. http://www.trendio.com

Anyone who uses the Google toolbar autofill option or any similar program will understand why this will not work

It's a simple DOM method call to determine if an element, say a form field, is visible or not. So Bot writers could trivially work around this technique.

Guymac, you shouldn't just use 'display' none to hide the form field, as your right in that this can be easily parsed. Instead you could wrap the field you want to hide in a dive with something like height: 1px ; overflow: hidden. That way, it's removed visually from the page, but there's no parsable style on the input itself to tell the spambot that its hidden.

However, I get a LOT of spam with just a name and comment, with my email field left empty, so this measure would never stop all spam, but it could certainly help things.

Has anyone thought how this affects accessabilty, reader software ignores css. So anyone using a reader will fill the form and get ignored. Sounds like discriminaiton to me.

Really, really need to be careful with this stuff. Same goes for CAPTCHA in general thought.

Фигня я вам скажу. Идея не нова, реализация примитивна. Выпийте йаду.

The idea is good, I think that if you hide everything right in the CSS few bots will be able to work arround. Also you can change name of fields or play with name of variables and them content, and just to ve sure to avoid bots I would add captcha images per subject where you show to the user N images which N-1 are connected with one subject and only one is not connected to that subject, the question is to ask to the user which is the main subject. Also I have seen already some test that you can do to a human to prove is really a human, including captchas that check you are an adult and not a child. More at: http://www.w3.org/TR/turingtest/

кыпаыпкккыпкпыпкы

_________________________________________

Great idea,

I have translated your article in French and it can be found here:

Un captcha à l’envers

( traduction française de l'article Negative Captcha )

Thanks Cleo, I 've never been translated. Very cool!

I use this technique but instead of hiding the textbox I set its width and height to be 1px and a border of 0px. The typical user never evens notices its there.

set color to background/foreground white - noedit, and border white

*Replace white with background colour of your site.

Good idea ;)

why not using complex java scripts to hide the field? nevertheless bots
are made for a particular form. so it can be fixed in some hours in a
bad case.

the only solution that i see is using that old image-trick. any other
(automatic) solution is bad, because humans cant be tricked that easy.

my latest idea (which is not perfect also):
an server-generated (as random as possible) java script which generates
a key which has to be posted also to get the form accepted. it would be
necessary for the bot to parse and execute java script what is some
more
work to do.

okay, right, bad idea with java script disadvantage ;D

had it going 5 days now and no spam, thanks! :)

nice