Anybody know a good way to keep spam bots from filling out registration forms? I've heard of a few ways but if anyone can point me to a good resource I would be grateful. Thanks.
Way to block spam bots
Hi hubbardude,
CAPTCHA codes are a great way to do this. This basically dynamically generates an image that the user MUST type in to verify that they're a living person and not a bot!
There's a free script available at THIS LINK
This might help you understand how it works, and may prove useful to write your own CAPTCHA function.
There are a lot of resources on Google for this, and I'm sure there are a lot more if you search the forum.
Hope this helps,
Davey C
www.recaptcha.net is a good CAPTCHA option to look at. It includes a full PHP API that allows you to implement it with just a few lines of code where you want to use it on a form page and in the form validation. It also helps to digitize printed books as a side effect.
Captcha is VERY GOOD, but many of the bots out there have OCR readers that are set up to get through them. I had the same problem with my message forum (even with CAPTCHA). What I found worked was a MOD I found for phpBB2.
You create an input field and require it to only have 1 value. So there is a 'Registration Code' field in my Registration Form. I then put a message telling what the code was. Unless someone actually reads the post -- they can't register. The nice thing is that if you find that after a while you start to get bot registrations -- you can easily change the code.
I was getting about 20 registrations a DAY for my forum (even with CAPTCHA on)... when I installed that mod -- 0 !!! None in the first month I've had it installed.
So that's my experience on the subject.
You could also design a simple text-based CAPTCHA by asking the user a simple question (ex. What is two plus 3?) if an image CAPTCHA becomes consistently bypassed on your site.
Also note that not all CAPTCHAs are created equal - many are terribly simple to read by OCR software while others have a much lower % success.
The problem with captchas is they discourage the majority of human visitors (unless your registration form is for something they REALLY want).
I recommend that you use a simple piece of Javascript to identify users of lame-bots, and have an efficient moderation system which allows you to bulk-delete any spam entries which get through.
It is very unlikely someone will make a bot specifically for your site, so you only have to worry about general-purpose ones. They very rarely run any actual Javascript, so a simple check that some JS code is executed can stop them (say set a hidden field to "1") - they also usually fill in every field in the page, even ones that you tell your users to leave blank. One option is to add two email fields to the page and instruct your (human) users to leave the 2nd one blank. Bots will fill it in anyway (typically).
Moderation is the best way though. Vet all registrations manually, either individually or in bulk. Provide an efficient way of mass-deleting spammy registrations.
Mark
Just to add my two cents. I've been using recaptcha for some time (had a home-brewed version before that. Text images were not as formidable as recaptcha's and I like the idea of helping to digitize books.) I really like it. However customers tell me that, recently, some spam is coming through. I can't imagine OCR software good enough to read it so I assume they are using real people to solve them (like re-presenting a captcha on a porn site, etc.) Impossible to tell really. I have tried another dirty little trick just today to thwart spammers. I heard about it on a podcast. I simply put a decoy input field in my HTML and then give it a CSS class which effectively hides it from a real person. I then check for that decoy post value. If it is there, I still say "thank you" and all, but I do not forward the request. I do not know how effective it will be. Only time will tell. But there you have it, another suggestion.
[Edit]
Actually, it's the same suggestion as on the previous post with a different twist: I attempt to hide the decoy field.
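The checks suggested so far in this thread (a decoy field humans leave blank, a hidden field set by JavaScript, and a registration code), combined into one server-side screen. This is an added example, not code from any poster; the field names, the code value and the function names are hypothetical, and rejected submissions are queued for moderation rather than dropped so that real users without JavaScript can still be rescued.

```javascript
// Added example: server-side screening of a registration POST.
// All field names and the code value below are hypothetical/constructed.
const REGISTRATION_CODE = "blue-heron-42"; // change it when bots learn it

// Markup the checks assume (constructed). The decoy is hidden with CSS, and
// js_ok only becomes "1" if the client actually executes script.
const FORM_HTML = `
<style>.extra-field { position: absolute; left: -9999px; }</style>
<form method="post" action="/register">
  <input name="email" type="email">
  <input name="email_confirm" class="extra-field" tabindex="-1" autocomplete="off">
  <input name="reg_code">
  <input name="js_ok" type="hidden" value="0">
</form>
<script>document.forms[0].js_ok.value = "1";</script>`;

// Returns { accept, reasons }. `fields` is the parsed POST body (string values).
function screenRegistration(fields) {
  const reasons = [];
  const get = (k) => (typeof fields[k] === "string" ? fields[k].trim() : "");
  if (get("email_confirm") !== "") reasons.push("decoy-filled");
  if (get("js_ok") !== "1") reasons.push("no-javascript");
  if (get("reg_code").toLowerCase() !== REGISTRATION_CODE) reasons.push("bad-code");
  return { accept: reasons.length === 0, reasons };
}

// The visitor gets the same "thank you" either way, so a bot learns nothing
// from the response; flagged submissions wait for bulk review or deletion.
function handleRegistration(fields, moderationQueue) {
  const verdict = screenRegistration(fields);
  if (!verdict.accept) moderationQueue.push({ fields, reasons: verdict.reasons });
  return { status: 200, body: "Thank you for registering.", created: verdict.accept };
}

// Constructed sample submissions: a human, and a bot that fills every field.
const human = { email: "a@example.org", email_confirm: "", reg_code: "Blue-Heron-42", js_ok: "1" };
const bot = { email: "x@example.net", email_confirm: "x@example.net", reg_code: "x@example.net", js_ok: "0" };
const queue = [];
console.log(handleRegistration(human, queue).created);
console.log(handleRegistration(bot, queue).created, queue[0].reasons);
```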
You can do a certain amount (such as including extra decoy fields) to try to trick the majority of spam bots, but someone who coded a bot specifically for your site could bypass that easily. Even a system reliant on Javascript could be got around if someone actually hired a programmer to do it.
The best solution in all cases is to moderate postings if at all possible.
The ways around captchas (re-presenting them to real users, or using cheap labour to actually fill them in for real) can get around other measures too.
Don't use a captcha unless you're Google.
Mark