CFFormProtect

CFFormProtect is a fully accessible, invisible to users form protection system to stop spam bots, and even human spammers. CFFormProtect works like some email spam protection systems, in that it uses a series of tests to find out if a form submission is from a spammer or not. Each test is given an amount of points, and each test that is failed accumulates points. Once a form submission passes the threshold of 'spamminess', the message is flagged as spam and is not posted. The points assigned to each test and the failure limit are configurable by you the developer.

CFFormProtect uses these tests to stop spam:

-Mouse movement--Did the user move their mouse? If not, it might be a spammer. This test is not very strong because lots of people, including the blind, don't use a mouse when filling out forms. Thus I give this test a low point level by default.

-Keyboard used--Did the user type on their keyboard? This is a fairly strong test, because almost everybody will need to use their keyboard when filling out a form (unless they have one of those form filler browser plugins)

-Timed form submission--How long did it take to fill out the form? A spam bot will usually fail this test because it's automated. Also, sometimes spam bot software will have cached form contents, so the form will look like it took days to fill out. This test checks for an upper and lower time limit, and these values can be easily changed to suit your needs.

-Hidden form field--Most spam bots just fill out all form fields and submit them. This test uses a form field that is hidden by CSS, and tests to make sure that field is empty. If a blind person's screen reader sees this hidden field, there is a field label telling them not to fill it out.

-Too many URLs--This function was added by Dave Shuck. Many spammers like to submit a ton of URLs in their posts, so you can configure CFFormProtect to count how many URLs are in the form contents, and raise a flag if the number is above a configured limit.

-Spam keyword list--This function was added by Mary Jo Sminkey. This test allows you to configure a list of "spammy" words and phrases that will be used to weed out spam. For example, if you use the phrase "free music", a message containing that phrase might get tagged as spam while just the word "music" will pass the test. There is a default list of words/phrases included in the ini file (thanks to Mary Jo).

-Akismet--All of the above tests can be easily bypassed if a spammer hires cheap labor to manually fill out forms. However, Akismet attempts to stop that as well. Akismet is a service provided by the folks that run WordPress (http://akismet.com/). The free service (for personal use) takes form contents as input, and returns a yes/no value to tell you if the submission is spam. This test is disabled by default because you have to obtain an API key. This is easy to do, and CFFormProtect is easy to configure if you want to use Akismet.

The beauty of CFFormProtect is that any of the above tests can fail, and the spam bot can still be stopped. And all of this is possible without making your users type in hard to read text, and without blocking the poor blind folks. And you don't have to maintain a black list or use an approval queue.