Revisiting Form Spam

Nov 16, 2007

After having the code outlined in my previous post deployed for a while, I thought I'd share some points which have come up.

The form is still working (for me at least!) - the only odd behaviour I got at first was this - which I got from the error handling in my application:

14-11-07 : 19:55 - "{ts" is an invalid date or time string.

What was happening here? I started logging ALL the form submissions, to see if there were any common traits - I was particularly interested in the "hidden" timestamp field; after all, if the form was submitted properly, it shouldn't really have been an issue.

What I found was that the spam bots were unintelligently replacing ALL the form fields, hidden or not, with junk.

So my nice hidden form field which should have read:

<input id="timeloaded" name="timeloaded" type="hidden" value="{ts '2007-11-16 09:50:39'}" />

Was being replaced with:

<input id="timeloaded" name="timeloaded" readonly="readonly" type="hidden" value="{ts &lt;br&gt;spamMe@domain.com&lt;br&gt;" />

As I'm not checking to see whether the TimeStamp was a valid one, it was triggering the global error handling. The question is now whether to change this - but I don't think I will. The spam bots seem quite happy tripping up on it, and it's only because it's throwing an error that I even noticed it - but I'm just surprised that THAT is what is stopping the spam, rather than all the other bits!

Go figure... :)
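For readers who would rather reject these submissions deliberately than rely on the global error handler, here is an added example (not code from this post or the previous one) that validates the hidden timeloaded value before anything tries to parse it as a date. It is written in Python rather than ColdFusion; the function names and the 5-second / 1-hour thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Exact shape the form emits: {ts 'YYYY-MM-DD HH:MM:SS'} and nothing else.
TS_PATTERN = re.compile(r"\{ts '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'\}", re.ASCII)

# Assumed thresholds (not from the post): a person needs a few seconds to
# fill in the form, and a page left open for over an hour counts as stale.
MIN_FILL = timedelta(seconds=5)
MAX_AGE = timedelta(hours=1)


def classify_timeloaded(raw, now):
    """Return 'ok', 'malformed', 'future', 'too_fast' or 'stale'."""
    match = TS_PATTERN.fullmatch(raw or "")
    if match is None:
        return "malformed"      # e.g. a bot overwrote every field with junk
    try:
        loaded = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return "malformed"      # right shape, impossible date (month 13, ...)
    elapsed = now - loaded
    if elapsed < timedelta(0):
        return "future"         # claims to be loaded after it was submitted
    if elapsed < MIN_FILL:
        return "too_fast"
    if elapsed > MAX_AGE:
        return "stale"
    return "ok"


def handle_submission(form, now):
    """Decide what to do with a POST; never raises on a bad timestamp."""
    verdict = classify_timeloaded(form.get("timeloaded"), now)
    return {"accept": verdict == "ok", "reason": verdict}


if __name__ == "__main__":
    now = datetime(2007, 11, 16, 9, 51, 30)      # constructed server time
    for raw in (
        "{ts '2007-11-16 09:50:39'}",            # value the form should carry
        "{ts <br>spamMe@domain.com<br>",         # junk value shown above, HTML-decoded
        "{ts '2007-13-45 09:50:39'}",            # constructed: impossible date
    ):
        print(raw, "->", handle_submission({"timeloaded": raw}, now))
```

Logging the returned reason keeps the visibility that the error handler provided by accident.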


About Tom

Tom is the author of this blog and the brains behind OxAlto Design
