del.icio.us Digg Reddit Fark MyWeb Furl Spurl BlogMarks

Blocking web form spambots


If you manage a website with even a minimum of interactivity, then spambots must be a very familiar concept. These parasites are automated programs that trawl the Internet, searching for, collecting and parsing the pages they find with web forms. They use the collected information later for filling forms with spam.

They feed off forum pages, guestbook pages, blog comments, post forms and other similar places where the information typed by the visitor appears on the website. Sad examples of this problem are the many abandoned forums, whose owners never took measures against spambots. Such deserted forums have many threads full of spam, a pitiful and unappealing sight to their rare visitors.

Interactive web sites are vulnerable to spam robots.

As the Internet grows, many sites are becoming increasingly interactive, especially within the Web 2.0 paradigm. Many of the interactive sites allow full automation; however, interaction with the visitors often needs some sort of moderation. If there is no verification or approval method of what visitors write in a forum, guestbook or blog comment, the website will become less and less interesting for many of the site visitors. If a website is commercial, then lowering popularity will generally mean a significant loss in profits.

Time is money...

The time spent deleting many hundreds of spam messages costs money. If a website administrator receives hundreds of spam entries in a day, it will take up to an hour to remove them all. It will take an hour every day, even weekdays, as spambots know nothing about weekends, and the robots never sleep.

Block them!

How is it possible to stop losing time and money due to spambots? Block them! Here are two common ways to prevent spam robots from sending spam through web forms:

  • Ask your visitors to identify themselves as human beings
  • Block spambots programmatically, with active or passive countermeasures

Do not ask visitors to solve your problem

The first spambot battling method is branded CAPTCHA (Completely Automatic Public Turing test to tell Computers and Humans Apart). Most modern computers still cannot recognize images, especially if these images incorporate special geometric and colored distortions displayed to users filling out web forms. The method is good and effective except for one important factor – the spam-filtering job becomes a responsibility of the website visitor.

Anti-spambot protection must be invisible!

The second approach to battling spambots is hidden from the website visitor. It requires the use of various technical methods, but visitors to the protected website will never notice any evidence of the countermeasures taken against spambots.

Active blocking means server-side detection of spambot activity on a web form. If the information submitted to the form looks like it has originated from a spam robot, rather than a human, the server ignores it. There are many signs of spam robot activity, including (but not limited to) the wrong referrer address, too short a time spent on filling out the form, and read-only trap fields filled with information. Another giveaway is the submitted information itself, which may have too many hyperlinks, too much text, keywords and other evidence of a spam nature.

Dynamically created web forms are less vulnerable

Passive blocking is less complex but may only be as effective as active spambots blocking methods. Passive countermeasures against spambots involve hiding the forms from spambots, making them difficult to read and unrecognizable, but also easily reproducible by web browsers.

The most effective are various dynamic form creation methods. Commonly, the HTML page code taken from a web server has no web form in plain code (<form></form> tags). However, there is a JavaScript code block injected into the page, which dynamically creates a web form while being run in the visitor’s web browser.

Encode, encipher, and hide web forms from spambots!

The weak point of such JavaScript is that web form parts are still contained within it, so clever spam robots can easily filter JavaScript and obtain the original web form HTML source code. To prevent this, it is better to encode or encipher these parts, which will create a heavy computational task for a spam robot. This can be hard to implement manually; fortunately, there is software to do this automatically.

Web Form Anti-Spam

Web Form Anti-Spam 1.00 is able to take any part of HTML code (not only web form HTML tags) and convert it into a form unreadable by spambots, but visible with any JavaScript-capable web browser. It can also process the entire file or selected parts of the file, marked up with special markers (HTML comments). Web Form Anti-Spam is flexible enough to enable one-click website protection, as it supports command-line mode processing and batch file operations.

Save time, save money...

The utility costs less than a system administrator’s hour of work, has a good online manual and is very easy to use. It only usually takes about five minutes to start work with the utility in protecting web forms against spambots. The time and money spent once will save a lot more time and money in the future!

Web Form Anti-Spam is available for Windows 2000/2003, Windows XP and Windows Vista. The demo version is free to download and is free to use for evaluation purposes for 15 days.

Trial Version Download: 2.83 MB, 1.00.0.40, 19 May 2009.
(for Windows 2000, Windows XP and Windows Vista)

15 October 2007
Xander Zerge
del.icio.us Digg Reddit Fark MyWeb Furl Spurl BlogMarks