I just released a new version of CFFormProtect. CFFormProtect is a fully accessible, invisible to your users form protection system to stop spam bots, and even human spammers. CFFormProtect works like some email spam protection systems, in that it uses a series of tests to find out if a form submission is from a spammer or not. Each test is given an amount of points, and each test that fails accumulates points. Once a form submission passes the threshold of ‘spamminess’, the message is flagged as spam and is not posted. The points assigned to each test and the failure limit are configurable by you the developer.Click here to download CFFormProtect.CFFormProtect uses these tests to stop spam:
- Mouse movement-Did the user move their mouse? If not, it might be a spammer. This test is not very strong because lots of people, including the blind, don’t use a mouse when filling out forms. Thus I give this test a low point level by default.
- Keyboard used-Did the user type on their keyboard? This is a fairly strong test, because almost everybody will need to use their keyboard when filling out a form (unless they have one of those form filler browser plugins)
- Timed form submission-How long did it take to fill out the form? A spam bot will usually fail this test because it’s automated. Also, sometimes spam bot software will have cached form contents, so the form will look like it took days to fill out. This test checks for an upper and lower time limit, and these values can be easily changed to suit your needs.
- Hidden form field-Most spam bots just fill out all form fields and submit them. This test uses a form field that is hidden by CSS, and tests to make sure that field is empty. If a blind person’s screen reader sees this hidden field, there is a field label telling them not to fill it out.
- Akismet-All of the above tests can be easily bypassed if a spammer hires cheap labor to manually fill out forms. However, Akismet attempts to stop that as well. Akismet is a service provided by the folks that run WordPress. The free service (for personal use) takes form contents as input, and returns a yes/no value to tell you if the submission is spam. This test is disabled by default because you have to obtain an API key. This is easy to do, and CFFormProtect is easy to configure if you want to use Akismet.
The beauty of CFFormProtect is that any of the above tests can fail, and the spam bot can still be stopped. By default, CFFormProtect will stop spam if any two tests fail. One test, Akismet, is configured strong enough to flag form contents as spam by itself. And all of this is possible without making your users type in hard to read text, and without blocking the poor blind folks. And you don’t have to maintain a black list or use an approval queue.You can view the project page here at RIAForge.