In an earlier post about foiling form bot spam without using a CAPTCHA, I introduced an idea to validate your forms to not allow any HTML tags in any of the fields.  The theory was that spammers’ main motivation for spamming forms was to get links sent.  This method has worked wonderfully for me for quite a while… until yesterday, that is.

I have a client who has been getting blasted with form spam for almost 48 hours straight.  Here’s the odd behavior though… there are no links or any other HTML in any of the form fields?!?!?

So why is the person behind this bot doing this??

Other than to annoy me, I can’t think of any other reason.  So I had to think of a new way to foil this form bot and I came up with this…
Form Bots Are Predictable

I believe that most form bots read the name or id attribute in the input tag as a clue for what info to insert into that form field. So, if you name your input field “email” then the bot knows to insert an email address into that field.

So I’m going to use the bot’s predictability against it by naming my email field something completely different, then validating the field to require a properly formed email address (i.e. [email protected]).

So the bot will likely populate this field with random characters instead of a properly formed email address.  My validation will throw an error when the field doesn’t get an email address, the form bot is STOPPED!

I have a few more tricks up my sleeve, but I’ll save that for part III.