CFFormProtect: invisible, accessible, automated spam bot killer

I just released a new version of CFFormProtect. CFFormProtect is a fully accessible form protection system, invisible to your users, that stops spam bots and even human spammers. CFFormProtect works like some email spam protection systems, in that it runs a series of tests to decide whether a form submission came from a spammer. Each test is assigned a number of points, and every test that fails adds its points to the submission's score. Once a submission's score crosses the 'spamminess' threshold, the message is flagged as spam and is not posted. The points assigned to each test and the failure threshold are configurable by you, the developer.

Click here to download CFFormProtect.

CFFormProtect uses these tests to stop spam:

  • Mouse movement: Did the user move their mouse? If not, it might be a spammer. This test is not very strong because lots of people, including the blind, don't use a mouse when filling out forms. Thus I give this test a low point value by default.
  • Keyboard used: Did the user type on their keyboard? This is a fairly strong test, because almost everybody will need to use their keyboard when filling out a form (unless they have one of those form filler browser plugins).
  • Timed form submission: How long did it take to fill out the form? A spam bot will usually fail this test because it's automated. Also, sometimes spam bot software will have cached form contents, so the form will look like it took days to fill out. This test checks for an upper and a lower time limit, and both values can be easily changed to suit your needs.
  • Hidden form field: Most spam bots just fill out all form fields and submit them. This test uses a form field that is hidden by CSS, and checks that the field is empty. If a blind person's screen reader sees this hidden field, there is a field label telling them not to fill it out.
  • Akismet: All of the above tests can be easily bypassed if a spammer hires cheap labor to manually fill out forms. However, Akismet attempts to stop that as well. Akismet is a service provided by the folks that run WordPress. The free service (for personal use) takes form contents as input, and returns a yes/no value telling you whether the submission is spam. This test is disabled by default because you have to obtain an API key. This is easy to do, and CFFormProtect is easy to configure if you want to use Akismet.

The beauty of CFFormProtect is that any one of the above tests can pass and the spam bot can still be stopped. By default, CFFormProtect will stop spam if any two tests fail. One test, Akismet, is weighted heavily enough to flag form contents as spam by itself. And all of this is possible without making your users type in hard to read text, and without blocking the poor blind folks. And you don't have to maintain a black list or use an approval queue.
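To make the scoring model concrete, here is an added example of the point-accumulation scheme the post describes. It is illustrative code written for this page, not CFFormProtect's own source (the real project is ColdFusion, and its actual test names, default point values, field names and .ini keys are not reproduced here); every name below, such as `cffp_mouse` or `min_seconds`, is an assumption. The hidden-field flags for mouse and keyboard activity are assumed to be set by client-side JavaScript, and Akismet is modelled as an optional callback so the test stays disabled unless an API client is supplied, as in the post's default configuration.

```python
"""Weighted spam scoring in the style described in the post (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Config:
    # Assumed point values: two medium tests failing together reach the threshold,
    # the weak mouse test alone never does, and Akismet alone always does.
    points: Dict[str, int] = field(default_factory=lambda: {
        "mouse": 1,      # weak: keyboard-only and screen-reader users never move a mouse
        "keyboard": 2,
        "timing": 2,
        "honeypot": 2,
        "akismet": 4,    # strong enough to flag a submission by itself
    })
    threshold: int = 4
    min_seconds: float = 3.0            # faster than this is not a human typing
    max_seconds: float = 2 * 60 * 60    # slower than this looks like cached form contents
    # Akismet hook: a callable returning True for spam. None means the test is disabled.
    akismet: Optional[Callable[[Dict[str, str]], bool]] = None


@dataclass
class Verdict:
    score: int
    failed: List[str]
    spam: bool


def honeypot_html(name: str = "cffp_website") -> str:
    """Hidden-by-CSS field; the label tells screen-reader users to leave it empty."""
    return (
        f'<div style="display:none"><label for="{name}">Leave this field empty</label>'
        f'<input type="text" id="{name}" name="{name}" autocomplete="off"></div>'
    )


def score_submission(form: Dict[str, str], now: float, cfg: Config) -> Verdict:
    """Run each test, add the points of every failing test, compare to the threshold."""
    failed: List[str] = []

    # Mouse / keyboard: client-side JS (assumed, not shown) sets these to "1" on activity.
    if form.get("cffp_mouse") != "1":
        failed.append("mouse")
    if form.get("cffp_keyboard") != "1":
        failed.append("keyboard")

    # Timing: the form carries the timestamp at which it was rendered.
    try:
        elapsed = now - float(form.get("cffp_rendered", "nan"))
    except ValueError:
        elapsed = float("nan")
    # A missing or unparsable timestamp yields NaN, which fails both comparisons.
    if not (cfg.min_seconds <= elapsed <= cfg.max_seconds):
        failed.append("timing")

    # Honeypot: humans never see the field, so anything in it came from a bot.
    if form.get("cffp_website", "").strip():
        failed.append("honeypot")

    # Akismet: only runs when a client has been configured.
    if cfg.akismet is not None and cfg.akismet(form):
        failed.append("akismet")

    score = sum(cfg.points[test] for test in failed)
    return Verdict(score=score, failed=failed, spam=score >= cfg.threshold)


if __name__ == "__main__":
    cfg = Config()
    # Constructed sample submissions: a bot that fills everything instantly, a human.
    bot = {"cffp_rendered": "1000", "cffp_website": "http://example.invalid"}
    human = {"cffp_mouse": "1", "cffp_keyboard": "1", "cffp_rendered": "1000"}
    print(score_submission(bot, now=1000.5, cfg=cfg))
    print(score_submission(human, now=1030.0, cfg=cfg))
```

The point of the weighting is visible in the edge cases: a keyboard-only user who never touches the mouse fails only the 1-point test and passes, a cached form that took "days" fails only timing and passes unless a second test also fails, and a human spammer who moves the mouse, types and waits a realistic time is still caught when the Akismet hook reports spam.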

You can view the project page here at RIAForge.

Comments
This sounds great. I'll give it a try when I get my comments up and running. Are you using it here? Were you getting much spam before? If so, has it cut down dramatically?
# Posted By Sam | 12/5/06 2:45 AM
Sam,

I just put this in place here last night. I was getting 2-5 spam comments a day that I had to manually delete. Now, the way I set it up, I get an email when a comment fails telling me what tests caused the failure, and the comment doesn't show up on the blog. Overnight I had 3 spam attempts, and surprisingly ALL of them were actual humans filling out my forms (all 4 tests to make sure they're human didn't flag them; they had actually used their mouse and keyboard). But the Akismet test caught them! :D
# Posted By yacoubean | 12/5/06 5:07 AM
Cool. I like the ideas in it. I think I might run a test on it on some of my sites that get spam, and do a before and after comparison post! I'll be sure and let you know when I do.
# Posted By Sam | 12/5/06 5:39 AM
The riaforge site is deadly down ... for a long time... by spammers? It seems that this is a dangerous tool; I would more than like to use it on my sites. Spammers have been attacking my server for a long time. I really need help!
# Posted By Francisco Rojas | 8/19/07 9:16 AM
Francisco,

It looks like riaforge is up again. Let me know if you need any help getting cffp configured on your server.
# Posted By Jacob Munson | 8/19/07 2:01 PM
How can I port this to a PHP environment? Thanks in advance.
# Posted By morowind | 5/21/09 2:21 AM
morowind,

It wouldn't be super hard to port this to PHP (there isn't a lot of code in this thing). You can grab the latest source from here:
http://cfformprotect.riaforge.org/
The JavaScript parts will not need to be ported, of course. But all of the ColdFusion will have to be translated to PHP. Good luck.
# Posted By Jake Munson | 5/21/09 7:14 AM
Jake, I see the comments on this post are still very much active, so I thought I'd jump in with some feedback on this that might be of use to others. As I posted on Jamie Krug's blog earlier today ( http://jamiekrug.com/blog/index.cfm/2009/5/12/cffo... ), we implemented cfformprotect about a month ago on our site. We host about 15 000 travel blogs and wanted to give users the option to let people comment without becoming a member of the site first. Spam has always been the main thing stopping us from going down this route. After putting something basic in place for a few beta-testers, it was clear pretty quickly that we needed an extra layer in between to minimize the number of emails users would get with comments needing moderation.

Hunting across the web, I stumbled on cfformprotect and in short, it's been the perfect solution.

This is how we've used it:
* users can switch public commenting on or off on their own blogs
* all comments left by non members get run through cfformprotect (logged in members get a pass so far)
* members can choose to add a personal Akismet API key, so this was moved out of the .ini file into the cfc.
* anything passing the system goes into moderation and blogger is notified via email. This might prove overkill now, but was previously necessary.
* users who have previously had approved comments get a pass.
* comments that don't pass the system don't get saved to the database at all. The user is shown a message letting them know, so real comments can still get reposted.
* in addition we've let users set limits on how long public commenting is open on a post, which gets rid of a lot of the bots commenting as they can be slow to pick up on new posts.

I decided to have rejections emailed to me for a while to see if any adjusting was needed and in about a month of usage now, I'm yet to see a false positive come in. All in all, it just proved dead simple to implement and works incredibly well. Highly recommended.

Just thought I'd pass that on with our thanks!
# Posted By Sam Daams | 5/25/09 11:50 AM
That is awesome, Sam! I'm glad it's working well for you. :)
# Posted By Jake Munson | 5/26/09 8:23 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9. Contact Blog Owner