Will a spam bot be able to submit a form if there is no submit button on the page?

I'm just curious whether anyone knows if a spam bot can submit a form when there is no submit button on the page. I'm just trying to make a very simple spam prevention without using CAPTCHA. The idea is to use jQuery to render the submit button once the user somehow interacts with the form. Any thoughts would be appreciated.

+7
7 answers

A spambot consisting of a shell of code around WebKit or another browser core can simply cause the DOM "submit()" to run, or (even more radical) just start its POST transaction.

It is best to think of a spambot as a massive powerful evil robot with a browser that does not follow any rules related to atomic energy rays, with its robot brain. But this is a robot that cannot read very well.

+10

A bot can definitely find your message button, if only infrequently.

A very popular method is to create a honeypot form element. Editable honeypot fields on a form are invisible to humans (you can use jQuery / CSS to hide these form elements). They are checked when these forms are published, and if they contain any input, then the submitter must be some kind of bot.

Using hidden field names and validation can also stop these bots. If the email field must have the @ sign and the bot cannot determine which field is the email field and which is not, the likelihood that it will make a successful recording will be significantly reduced.

+6

Yes, the bot may not need a submit button.

If you have (pseudohtml):

    <form method="POST" action="posting.php">
      <input name="something"/>
      <!-- some logic for the submit button -->
    </form>

The bot can simply parse the form tag and the field names on the form and make the POST on its own without touching the submit button.

+2

Yes, they can. The button is not needed at all:

 $('#form_id').submit(); /* This is a jQuery trigger */ 

But the bot can be nasty and issue its own POST request to your server, since it is not so difficult to do.

But if you created an <input type="hidden" /> with a secret value (known by the server and dynamically obtained for each session) using jQuery, and only accepted messages if this value was present, you would stop all non-JS bots.

The downside is that you would prevent users who do not support JS from using your web page. But what a constant battle you have to fight to kill spammers ...

+1

Usually we create a hidden field with a “juicy attractive” name, such as “FirstName”.

Then in codebehind we run something like:

    If FirstName.Text <> "" Then
        ' Insert your "what I want to happen" code here: maybe a popup saying
        ' "oops an error has been made", or just do not submit the form,
        ' or maybe redirect to a fake error page, like:
        Response.Redirect("thisisabot.aspx")
    End If

+1

Having never coded a spam bot, I can only make assumptions. But I would suggest that having a submit button doesn't really matter much. Most likely, it looks at the <form> tag and determines from it where it should make a POST / GET request. The best bet (but by no means flawless) would be to not use <form>, but to manually make a $.post (since you mentioned the use of jQuery) when a button or link of your choice is pressed, collecting the POST data from elements "on the fly".

0

There is no need to display the submit button, as data is often sent from a remote server rather than populated from the page itself. CAPTCHA is terrible, sometimes so incomprehensible that I do not understand what it is saying. I use three methods at the same time to stop the bots.

  • Comparing the source IP address of the form with the destination IP address; if they do not match, further processing will not be performed.
  • A field hidden by CSS that remains empty; if it is filled, it is a bot and is ignored.
  • Another field that gets a predefined JavaScript value when submitting the form. No match, no further processing.

I also recorded attempts with IP addresses in the database table. Attempts failed one, two, or all tests.

However, stopping sweatshop spammers is a completely different story. Sweatshop spiders are people who are cheaply used to manually send spam. If you have a large site, it may be worth using a service that deals with this spam. Some services also refer to cruel language.

0
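
The server-side half of the checks described in the answers above (the CSS-hidden honeypot field, the per-session value written into a hidden input by JavaScript, and the @ check on the email field), as an added example that is not code from any of the posters. The field names `form_token` and `email`, the session id and the HMAC-based token are assumptions; `FirstName` is the honeypot name suggested above.

```javascript
const crypto = require('crypto');

// Assumed server-side secret; in a real deployment load it from configuration.
const SERVER_SECRET = crypto.randomBytes(32);

// Token the server hands to the page script for one session. The script
// copies it into a hidden input only after the visitor interacts with the form.
function issueFormToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(sessionId).digest('hex');
}

// Constant-time comparison; timingSafeEqual throws on a length mismatch,
// so the lengths are compared first.
function tokenMatches(sessionId, submitted) {
  const expected = Buffer.from(issueFormToken(sessionId));
  const given = Buffer.from(String(submitted || ''));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Returns the names of the failed tests so attempts can be logged per IP address.
function checkSubmission(sessionId, fields) {
  const failed = [];
  // Honeypot: hidden by CSS, so a human leaves it empty.
  if (String(fields.FirstName || '').trim() !== '') failed.push('honeypot');
  // JS token: absent or wrong when the client never ran the page script.
  if (!tokenMatches(sessionId, fields.form_token)) failed.push('js_token');
  // Field validation: the email field must contain an @ sign.
  if (!String(fields.email || '').includes('@')) failed.push('email');
  return failed;
}

// Constructed sample submissions (not real traffic).
const sid = 'session-1234';
const human = { FirstName: '', form_token: issueFormToken(sid), email: 'a@example.org' };
const bot = { FirstName: 'John', email: 'buy-now' };
console.log(checkSubmission(sid, human)); // []
console.log(checkSubmission(sid, bot));   // [ 'honeypot', 'js_token', 'email' ]
```

A bot built around a real browser core runs the page script and passes the token test, so the result list is best treated as a score to log and act on rather than a guarantee.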