
Less Reverse Captcha

written by Steven on October 08, 2008

We just released a new open source plugin for Rails called Less Reverse Captcha. It is another way of doing captchas: a reverse captcha that does not require the user to do anything. Instead, the form has a hidden field that people won't fill out (because it's hidden) but bots will. If the field has a value, the model won't validate. That's it, easy peasy.

This plugin is similar to Erik Peterson's negative_captcha. The big difference is that the Less plugin acts at the model layer, not the controller, and so needs only two lines of code to work: one for the helper method and one in the model. The plugin is already in use in Lovd By Less and can now be used in your app too!

The default error message is configurable and obscure: "You can not create this because you are the sux."

It's easy to use:

new.html.erb

<%= flash[:notice] %>
<%= error_messages_for :comment %>

<% form_for @comment do |form| %>

  <%= form.text_area :comment %>
  <%= less_reverse_captcha_field :comment %>

  <%= submit_tag %>
<% end %>

 

comments_controller.rb

def create
  @comment = Comment.create params[:comment]
  if @comment.new_record?
    render :action=>'index'
  else
    redirect_to comments_path
  end
end

 

comment.rb

class Comment < ActiveRecord::Base
  validates_less_reverse_captcha
end

That's it!
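
The mechanism described above, as an added plain-Ruby sketch that runs without Rails; it is not the plugin's source. `ReverseCaptcha`, `DemoComment` and the inline style are assumptions; the field name and default message are the ones quoted on this page.

```ruby
require 'cgi'

# Added illustration only; the plugin's real implementation may differ.
module ReverseCaptcha
  FIELD   = 'less_value_for_text_input' # field name quoted in the comments below
  MESSAGE = 'You can not create this because you are the sux.' # default from the post

  # View side: an ordinary text input hidden with CSS, not type="hidden".
  # The exact style and extra attributes are assumptions.
  def self.field_tag(model_name)
    name = CGI.escapeHTML("#{model_name}[#{FIELD}]")
    %(<input type="text" name="#{name}" value="" style="display:none" ) +
      %(tabindex="-1" autocomplete="off" />)
  end

  # Model side: mixing this in adds the trap attribute and the validation,
  # so the controller needs no extra code.
  def self.included(base)
    base.send(:attr_accessor, FIELD)
  end

  def errors
    @errors ||= []
  end

  def valid?
    errors.clear
    errors << MESSAGE unless public_send(FIELD).to_s.empty?
    errors.empty?
  end
end

# Hypothetical stand-in for the post's Comment model.
class DemoComment
  include ReverseCaptcha
  attr_accessor :comment
  PERMITTED = ['comment', ReverseCaptcha::FIELD].freeze

  def initialize(params = {})
    params.each { |key, value| public_send("#{key}=", value) if PERMITTED.include?(key) }
  end
end

# Constructed submissions: a browser sends the hidden input empty,
# a form-filling bot puts text into every field it finds.
human = DemoComment.new('comment' => 'Nice post', ReverseCaptcha::FIELD => '')
bot   = DemoComment.new('comment' => 'cheap pills', ReverseCaptcha::FIELD => 'cheap pills')
puts "human valid? #{human.valid?}, bot valid? #{bot.valid?}"
```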


13 Comments

Yardboy said on October 08, 2008

Awesome. This is going onto my “always use” list.

Matt Van Horn said on October 08, 2008

This is a great idea. Definitely goes into my “why didn’t I think of that?” file.

Casey said on October 08, 2008

Great idea. Curious as to how this would work with screen readers though. Do these “hidden” fields show up in a screen reader?

Jason McCay said on October 08, 2008

Ahh…very sweet guys. This is a much better solution for people looking to not penalize users and potential customers when they are making an effort to reduce spam.

Nicely done.

Brennan said on October 08, 2008

Why would a bot fill it out? None of the bots I’ve ever written would do something stupid like that…

Steven Bristol said on October 08, 2008

@Brennan,

What I’ve seen in the forms I’ve put out there in my blog and contact us forms and that sort of thing is that bots fill out every field in an attempt not to miss a required field.

steve

Karl said on October 08, 2008

I have been doing this (ahem, manually) for over a year now on just about every form exposed outside of authentication. It works fairly well and reduces spam by around 90% in my experience.

@Steve: I didn’t look at the plugin, yet… what name do you give the “hidden” field? In my experience, if the field is of a type=hidden, the bots will NOT fill it out. Also, I found that it works much better to have a name that the bots find tempting, like ‘home_email’, or ‘email_pot’ and then hide it with CSS. Sweeten the pot, eh?

FYI, this is also called a Honey Pot (to help anyone googling around)

Steven Bristol said on October 08, 2008

@Karl,

1. It’s not a hidden field, it’s a text field with a style that hides it.
2. The name is “less_value_for_text_input.” I thought of using a more inviting name, but I didn’t want to clash with existing form names ever. Plus in my experience, all fields get filled out anyways so it didn’t really matter.

Josh Nichols said on October 08, 2008

We had a spam problem over at bostonrb.org for a while (no wonder, considering anyone can post anything). Tried implementing something very similar to this, and it helped for a week or so, and then the spambots got smarter. They started not filling in the form. Then the spam returned.

Ended up using http://github.com/ambethia/recaptcha, and haven’t seen any spam since.

Steven Bristol said on October 08, 2008

@Josh,

Interesting. Maybe we should change it so the name is a random word.

steve

Eric Anderson said on October 08, 2008

I have used a similar approach before and found that in general it doesn’t work. The bots seem to figure it out and I still get spam.

Alistair Holt said on October 09, 2008

Interesting approach.

Big Tiger said on October 09, 2008

I think the random name would help. Trying to implement this in a project reveals that if someone wants to attack your site in particular, this doesn’t help. They’ll tailor their bot to only hit the required fields and voila!
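
The "random name" idea raised in the comments above, as an added Ruby sketch; it is not part of the plugin and not any commenter's code. The trap field's name is derived on each render from an HMAC of a nonce, so the server can recompute it on submit without storing state. `RotatingTrap`, `form_nonce` and the secret are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Added sketch; not part of the plugin. All names here are hypothetical.
module RotatingTrap
  SECRET      = 'constructed-demo-secret' # placeholder; load a real key from app config
  NONCE_FIELD = 'form_nonce'              # ordinary hidden input carrying the nonce

  # Derive the trap field's name from the nonce, so the server can recompute
  # it on submit without storing per-form state.
  def self.trap_name(nonce)
    digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET, nonce)
    "f#{digest[0, 12]}"
  end

  # Render time: the two inputs to add to the form (the trap is CSS-hidden).
  def self.fields
    nonce = SecureRandom.hex(8)
    { NONCE_FIELD => nonce, trap_name(nonce) => '' }
  end

  # Submit time: classify the posted params.
  def self.check(params)
    nonce = params[NONCE_FIELD].to_s
    return :bad_nonce unless nonce.match?(/\A\h{16}\z/)
    name = trap_name(nonce)
    # Browsers still submit an empty CSS-hidden text input, so a missing
    # trap field is as suspicious as a filled one.
    return :trap_missing unless params.key?(name)
    params[name].to_s.empty? ? :ok : :trap_filled
  end
end

form = RotatingTrap.fields                       # constructed browser submission
puts RotatingTrap.check(form.merge('comment' => 'Nice post'))
filled = form.keys.each_with_object({}) { |k, h| h[k] = form[k].empty? ? 'spam' : form[k] }
puts RotatingTrap.check(filled)                  # bot that fills every empty field
```

This raises the cost for bots that hard-code a field name to skip; it does not address the site-specific bot described in the last comment.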
