I have a simple spam filter (to prevent spam form submission) set up on a website by generating a random number and having the user enter it in. For some reason spam is still able to get through without even entering the random number. Does anyone have any ideas as to how this could be happening?
Here’s the code:
    var randomnumber = Math.floor(Math.random() * 1001);
    var isNumberEnteredCorrect = false;
    var whatevertheyentered;

    function checkUserInput(whatevertheyentered) {
        if (whatevertheyentered == randomnumber) {
            return true;
        }
        else {
            return false;
        }
    }

    function validateForm() {
        var x = document.forms["myForm"]["random_number"].value;
        if (x == randomnumber) {
            return true;
        }
        else {
            alert("The number you've entered is incorrect.");
            return false;
        }
    }
The user submits the form by pressing this button:
    <input name="Submit" type="submit" class="button" value="Send Message" />
One of the options why spam bots are getting through is that they don’t use JavaScript and do direct submissions of the form.
One of the options, though, is to send the form asynchronously with AJAX. It would probably save you from some of the bots (and users who have JavaScript disabled).
I don’t know spam bots’ internal logic, but I assume that the bot searches for the “form” tag and tries to post the form contents to the form’s action parameter.
In this case, “split-string encoding” of the form’s action parameter and AJAX form submission might help.
However, keep in mind that this trick will work only if your site is not a primary target for the bots.
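An added example, not part of the original posts: because a direct POST never runs `validateForm()`, the number has to be checked again where the form is processed. The sketch below assumes a Node.js back end; `issueChallenge`, `verifySubmission` and the hidden field `challenge_id` are hypothetical names, while `random_number` is the field from the question.

```javascript
const crypto = require("node:crypto");

const TTL_MS = 10 * 60 * 1000;      // a challenge is valid for 10 minutes
const pending = new Map();          // challenge id -> { answer, expires }

// Called when the form page is rendered. The id goes into a hidden
// field (challenge_id, hypothetical name); the number is shown to the user.
function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(16).toString("hex");
  const answer = String(crypto.randomInt(0, 1001)); // same 0..1000 range as the page
  pending.set(id, { answer, expires: now + TTL_MS });
  return { id, answer };
}

// Called in the POST handler before the message is accepted.
// `fields` is the parsed form body; nothing in it is trusted.
function verifySubmission(fields, now = Date.now()) {
  const id = typeof fields.challenge_id === "string" ? fields.challenge_id : "";
  const entry = pending.get(id);
  pending.delete(id);               // single use, whether it passes or fails
  if (!entry || now > entry.expires) return false;
  const given = Buffer.from(String(fields.random_number ?? "").trim());
  const expected = Buffer.from(entry.answer);
  return given.length === expected.length &&
         crypto.timingSafeEqual(given, expected);
}

// Constructed sample submissions (not real traffic).
const shown = issueChallenge();
console.log("direct POST, no number:", verifySubmission({ name: "x", message: "spam" }));
console.log("number entered by user:", verifySubmission({ challenge_id: shown.id, random_number: shown.answer }));
console.log("same id replayed:      ", verifySubmission({ challenge_id: shown.id, random_number: shown.answer }));
```

This closes only the skipped-check path: a number rendered as plain text on the page can still be read by a script that parses the page, which is the problem a real CAPTCHA addresses.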