Managed Hosting



Project Home Blog Forums Known Issues Screenshots Contact Project

Author: Jake Munson (All RIAForge projects by this author)
Last Updated: April 7, 2013 11:43 AM
Version: 2.3
Views: 196,433
Downloads: 10,551
License: Mozilla Public License


CFFormProtect is a fully accessible, invisible to users form protection system to stop spam bots, and even human spammers. CFFormProtect works like some email spam protection systems, in that it uses a series of tests to find out if a form submission is from a spammer or not. Each test is given an amount of points, and each test that is failed accumulates points. Once a form submission passes the threshold of 'spamminess', the message is flagged as spam and is not posted. The points assigned to each test and the failure limit are easily configurable by you.

CFFormProtect uses these tests to stop spam:

-Mouse movement--Did the user move their mouse? If not, it might be a spammer. This test is not very strong because lots of people, including the blind, don't use a mouse when filling out forms. Thus I give this test a low point level by default.

-Keyboard used--Did the user type on their keyboard? This is a fairly strong test, because almost everybody will need to use their keyboard when filling out a form (unless they have one of those form filler browser plugins)

-Timed form submission--How long did it take to fill out the form? A spam bot will usually fail this test because it's automated. Also, sometimes spam bot software will have cached form contents, so the form will look like it took days to fill out. This test checks for an upper and lower time limit, and these values can be easily changed to suit your needs.

-Hidden form field--Most spam bots just fill out all form fields and submit them. This test uses a form field that is hidden by CSS, and tests to make sure that field is empty. If a blind person's screen reader sees this hidden field, there is a field label telling them not to fill it out.

-Too many URLs--This function was added by Dave Shuck. Many spammers like to submit a ton of URLs in their posts, so you can configure CFFormProtect to count how many URLs are in the form contents, and raise a flag if the number is above a configured limit.

-Spam keyword list--This function was added by Mary Jo Sminkey. This test allows you to configure a list of spammy words and phrases that will be used to weed out spam. For example, if you use the phrase 'free music', a message containing that phrase might get tagged as spam while just the word 'music' will pass the test. There is a default list of words/phrases included in the ini file (thanks to Mary Jo).

-Akismet--Most of the above tests can be easily bypassed if a spammer hires cheap labor to manually fill out forms. However, Akismet attempts to stop that as well. Akismet is a service provided by the folks that run WordPress (http://akismet.com/). The free service (for personal use) takes form contents as input, and returns a yes/no value to tell you if the submission is spam. This test is disabled by default because you have to obtain an API key. This is easy to do, and CFFormProtect is easy to configure if you want to use Akismet.

-LinkSleeve--LinkSleeve is similar to Akismet, but it is free for everybody including commercial use. No API key is required. I don't think LinkSleeve is as popular as Akisment (yet), but in my testing it worked pretty well. Unlike Akismet, I turned this test on by default because it is free and you don't have to do anything special to configure it for your site.

-Project Honey Pot--Like Akismet, Proj. Honey Pot can stop manual spammers as well. Project Honey Pot is a free web service that identifies spammers by their IP address. They maintain a huge database of known spammer IP addresses. If you chose to use this service, CFFP will verify the IP address of your site's visitors before it will allow them to submit data through your forms.

The beauty of CFFormProtect is that any of the above tests can fail, and the spam bot can still be stopped. And all of this is possible without making your users type in hard to read text, and your forms are accessible. And you don't have to maintain a black list or use an approval queue.

If you use PHP, there is a PHP port of CFFormProtect called phpFormProtect created by Dan McCarthy which can be found here: https://github.com/mccarthy/phpFormProtect.

Last Update:

A bug fix for older versions of ColdFusion.


ColdFusion MX 6 or better
Railo 3.x
BlueDragon 6 or better
OpenBD 1.0

CFFormProtect might work on other versions of ColdFusion, or Railo/BlueDragon. If you know it works on your version, please let me know.

Issue Tracker:

16 Null Pointers are another name for undefined values. Closed 10/23/12 2:33 PM
14 Timed Form Submission Bug in Railo Windows Fixed 10/05/12 10:02 AM
15 Use of form scope in testTimedFormSubmission() Fixed 10/05/12 9:59 AM
12 Documentation Bug Fixed 03/01/10 4:01 PM
13 CONFIGFILENAME is undefined in CFFP Fixed 03/01/10 4:01 PM

View All Issues

To enter issues for this (or any other) project, you must be logged in.

Subversion Access:

You may access this project's Subversion repository with your client here: http://svn.riaforge.org/cfformprotect.

To view files and changelists associated with this repository, go here: http://cfformprotect.riaforge.org/index.cfm?event=page.svnbrowse.

Anonymous users have read access to the repository while the administrator has write access.

This project is sharing its code via Subversion. Subversion is an open source source control method. You may find more information about Subversion here: http://subversion.tigris.org/