How OSpam-a-not Protects Your Joomla Forms From Spambots
In 2014 here at ostraining.com, we decided to stop the flood of spambots sending spam via forms on our site.
We tried one particular unobtrusive technique on some of our forms. (PS. We’re big fans of Shack Forms here at OSTraining).
This method worked out much better than we could have expected. So, we decided to turn this into a Joomla plugin. This is how OSpam-a-not was born.
So, how does OSpam-a-not work? OSpam-a-not looks for forms on your Joomla page when the visitor is not logged in. Unless the form has only one text field with no submit button, the plugin will add two fields at the very end of the form.
PS. If you’re new to Joomla, I would recommend reading “How to create a Joomla contact form” before attempting this tutorial.
Time Gate
The first field is a hidden timestamp. It records the time the field was created and added. If the form was submitted more quickly than humanly possible, OSpam-a-not blocks the submission.
The interval to use will depend on many unpredictable factors, so the time gate could potentially create too many false positives. We suggest you turn this feature off when you first install the plugin. The field is still added to the form even when the check is turned off.
Similar to the form token Joomla uses to prevent CSRF attempts, the field name is a hashed value we can identify in a protected form when it is submitted.
<input type="hidden" name="4dae3556796029138fbec8655162f36b" value="1421891860.0"/>
Honey Pot
We implemented this technique at OSTraining with stunning success. You just add a text field to the form and make it hidden. Simply add a style tag at the end of the document head tag.
It isn’t visible to a human user, but a spambot doesn’t see that and fills in the field anyway. If we find anything at all in that field when the form is submitted, we’ve caught a spambot in the honey pot, and the form is blocked.
<style type="text/css">input[name=my_name] {display: none;}</style>
<input type="text" name="my_name" value=""/>
It seems entirely possible that if a spambot saw a text field named 304777dc6667acf98dd it might get suspicious and avoid filling it in. Something like my_name is much sweeter sounding. So we choose from a list of reasonable-sounding field names, adding one that we’re sure isn’t already on the form.
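To make the two checks concrete, here is a server-side sketch in plain PHP. It is an added example, not OSpam-a-not's own code: the secret, the candidate name list, the function names and the rule that a missing timestamp field blocks the form are all assumptions.

```php
<?php
// Added example, not OSpam-a-not's source. SECRET, the candidate names and
// every function name here are assumptions made for illustration.
const SECRET = 'constructed-site-secret';
// Time-gate field name: a keyed hash the server can recompute on submit.
function timeGateName(string $sessionId): string {
    return hash_hmac('md5', 'timegate:' . $sessionId, SECRET);
}
// Honey pot name: the first plausible name the form does not already use.
function honeyPotName(array $existingFields): ?string {
    foreach (['my_name', 'your_address', 'website_url'] as $name) {
        if (!in_array($name, $existingFields, true)) {
            return $name;
        }
    }
    return null; // every candidate is taken: add no honey pot
}

// Returns null when the submission passes, otherwise why it is blocked.
// $minSeconds = 0 switches the time gate off; the field is still expected.
function checkSubmission(array $post, string $gate, ?string $pot, float $minSeconds, float $now): ?string {
    if ($pot !== null && ($post[$pot] ?? '') !== '') {
        return 'honey pot filled';
    }
    $stamp = $post[$gate] ?? null;
    if (!is_string($stamp) || !is_numeric($stamp)) {
        return 'timestamp field missing or malformed'; // assumed policy
    }
    $elapsed = $now - (float) $stamp;
    if ($elapsed < 0) {
        return 'timestamp in the future';
    }
    if ($minSeconds > 0 && $elapsed < $minSeconds) {
        return 'submitted too quickly';
    }
    return null;
}
// Constructed submissions for a form whose own fields are name and message.
$gate = timeGateName('constructed-session-id');
$pot  = honeyPotName(['name', 'message']);
$now  = 1421891900.0;
$samples = [
    'human' => ['name' => 'Ann', 'message' => 'Hi', $pot => '', $gate => '1421891860.0'],
    'bot'   => ['name' => 'x', 'message' => 'buy', $pot => 'x', $gate => '1421891899.5'],
    'fast'  => ['name' => 'x', 'message' => 'buy', $pot => '', $gate => '1421891899.5'],
];
foreach ($samples as $label => $post) {
    echo $label, ': ', checkSubmission($post, $gate, $pot, 3.0, $now) ?? 'accepted', PHP_EOL;
}
```

The timestamp arrives from the browser like any other field, so the time gate is best treated as one signal alongside the honey pot rather than as proof on its own.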
Click here to try OSpam-a-not today.
Finally, if you want to see a wide range of Joomla forms extensions, check out this guide: The 5 Best Joomla Forms Extensions.