Stopping Form Spam


dbmasters
09-21-2007, 02:30 PM
I thought this might be a worthy thread to start. I'll start with some things I have tried and results I have achieved, as my employer has recently had this problem and we are working on it without using CAPTCHA.

Started by putting an empty text field hidden via the CSS display:none; command. This is done for the reason that many bots just put something in every text field, so, upon submission, if anything is in this field, the form is not sent. This did help cut down a little, but not enough.

The next thing I did was put a validation on the comments field of the form looking for < and > (both, not just one, as both indicate HTML), and this actually cut down quite a lot.

The emails that got thru used bbCode, which is basically using [ and ] instead of < and >, so I instead started validating for all those characters, not in pairs, but having them at all, as they are unique characters that are not used in 99% of the standard messages.

When doing this I added a JavaScript validation as well, using string.indexOf("<") type functions, so I could alert the user as well, since it may happen from time to time; until now the tests were strictly behind the scenes.

It does appear that spam has decreased exponentially from these measures; they should be of very limited impact on any regular user, but on the rare occasion it does, there is a JavaScript alert explaining it.

All in all it seems successful enough that it will be an option in the next release of FormM@iler.

Anyone else have tips or tricks to try? This didn't stop it all yet, so many are still just plain text...

dbmasters
09-21-2007, 02:40 PM
I am wondering about the effectiveness of populating a hidden field with a time stamp from the server, then checking on submission...if the difference is like 5 seconds or less, it's a bot...or something along those lines...anyone tried that? Sounds like something that probably could stop some, as bots are usually almost instantaneous, and if POSTing directly they won't even have the time stamp at all...and it'd be pretty easy to add...

hmmmmm...

dbmasters
09-21-2007, 06:15 PM
I have a version of FormM@iler ready if anyone wants to test it...

It has four anti-spam options that can be turned on and off individually:

- hidden field bot tricker option with customizable field name
- character scan looking for < and > or [ and ] in pairs; just one < won't trigger it, but < and > will, for example
- the timer option with customizable timer length
- a "sorta-CAPTCHA"

If anyone using FormM@iler has a spamming problem, let me know at my FormM@iler forum or my contact form and I'll hook you up.

dbmasters
09-23-2007, 12:44 PM
Well, the hidden field trick and the character scan seem to work very well based on some testing a couple of users are doing; none of them have the form itself on a PHP page, so they can't test the timer or sorta-CAPTCHA features, as those require the form to be PHP. If anyone would like to help test those features, let me know.

dbmasters
10-03-2007, 08:41 AM
FYI, I will be releasing a new version of FormM@iler, hopefully this weekend. The anti-spam tests have proven quite successful. In addition to the tactics mentioned above I also added a configurable number of URLs that will be allowed in specified fields.

Reports have been very positive that spam being sent thru the contact form has come to a virtual halt, and there have been no reported false positives being flagged (there is also an option to flag the subject of messages).

Hopefully this weekend if time permits.

danw
10-03-2007, 09:23 AM
Anyone else have tips or tricks to try? As this didn't stop it all yet, so many are still just plain text...

If it helps, the general problem for most CMS tools is that the spammer totally bypasses the form and just submits right to the script. So for the spam submissions you still see, that may be just what is going on.

A moderately effective approach for the script-submitting spammers: .htaccess. If the referrer is not your domain, then deny the submission. (It should be, because a human needs to visit the page to submit, hence the referrer is the domain for them.)

How about using something like Akismet? They've got an API to plug in to.

dbmasters
10-03-2007, 09:34 AM
Yeah, that's exactly the problem, bypassing the form altogether, which is easy to deal with, at least with my FormM@iler, cuz the script itself has all the filtering built into it.

.htaccess is a good idea too, never thought about that.

I have found myself that the most effective of the 5 or 6 different tactics has simply been scanning for HTML tags, bbCode tags and URLs. That stopped a MASSIVE percentage of the spam being allowed thru. The URL scan helps stop the plain text emails that were giving me problems. Users of the next version will be able to set how many URLs are allowed before it is flagged as spam...and which fields are checked...
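The four server-side checks discussed in this thread (honeypot field, timer, paired-bracket scan, URL count) as one added example in Python; this is not FormM@iler's code. The field names, the 5-second window, the secret key and the sample submissions are all constructed for illustration. It goes one step beyond the thread by HMAC-signing the timer value, so a direct POST cannot simply back-date the hidden timestamp.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"  # assumption: a per-site server secret


def make_timer_token(issued_at, secret=SECRET):
    """Emit this in a hidden field when the form is rendered. The signature
    lets the handler trust the timestamp it gets back."""
    ts = str(int(issued_at))
    sig = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def check_submission(fields, now, honeypot="website", timer="ftoken",
                     min_seconds=5, scanned=("comments",), max_urls=1,
                     secret=SECRET):
    """Return a list of reasons the POST looks automated (empty = accept)."""
    reasons = []

    # 1. Honeypot: hidden via CSS, so a human never fills it in.
    if fields.get(honeypot, "").strip():
        reasons.append("honeypot filled")

    # 2. Timer: a missing/forged token means the form was bypassed;
    #    a valid token returned too quickly means a bot.
    ts, _, sig = fields.get(timer, "").partition(".")
    if not ts.isdigit():
        reasons.append("timer token missing or forged")
    else:
        expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            reasons.append("timer token missing or forged")
        elif now - int(ts) < min_seconds:
            reasons.append("submitted too fast")

    # 3. Paired-bracket scan (HTML or bbCode) and 4. URL count, per field.
    for name in scanned:
        text = fields.get(name, "")
        if ("<" in text and ">" in text) or ("[" in text and "]" in text):
            reasons.append(f"{name}: markup tags")
        urls = re.findall(r"(?i)\b(?:https?://|www\.)\S+", text)
        if len(urls) > max_urls:
            reasons.append(f"{name}: {len(urls)} urls exceeds {max_urls}")
    return reasons
```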

dbmasters
10-04-2007, 07:42 AM
A public beta is available at http://www.dbmasters.net/forum.php?id=3&tid=1140 for those people that want to try it out.