[nfbcs] More About CFFormProtect
Mary Donahue
braille at satx.rr.com
Fri Mar 2 21:22:40 UTC 2012
Good afternoon again everyone,
Below is more about CFFormProtect and how it works.
From the Web Site:
http://www.goziggy.com/2011/05/17/protecting-form-from-spam-with-cfformprotect/
Protecting Forms with CFFormProtect
<http://www.goziggy.com/2011/05/17/protecting-form-from-spam-with-cfformprotect/>
By <http://www.goziggy.com/author/admin/> Justin Scott on May 17, 2011
One of the things that web developers have to deal with on a regular basis
is abuse of the applications we write. Anything that is made available on
the public Internet (and even private Intranets in some cases) will be
subject to probing and attack. One "attack" vector that spammers like to use
is automated form submissions.
The idea is that if you have a contact form on a website, the information
entered into that form will be forwarded to a human being for review and
action. It may also end up getting pushed into a database and displayed
somewhere else on the site. Since the spammers work on sheer numbers, they
will do whatever they can to get their message in front of as many people as
possible using any means necessary. With web forms, if their content ends up
getting displayed on the website then it has the added benefit of providing
them with additional "link juice"
<http://thekeywordacademy.com/link-juice-explained> pointing back to their
website. More links mean a higher ranking, and higher rankings mean more
visitors, and therefore more sales. It's a nasty game they play.
Anyone who has been building websites with public forms for any amount of
time knows that spam bots will come by and regularly submit garbage and spam
into forms. The traditional response has been to put a CAPTCHA into the form
and make people figure out the words or numbers that have been distorted in
ways that make them visible to human eyes, but that OCR software may have
trouble figuring out. These are annoying, unfriendly, and if poorly
implemented can be a roadblock to people with visual impairments. Services
such as reCAPTCHA <http://www.google.com/recaptcha> have done a good job at
making CAPTCHA more friendly and accessible, but still get in the way of the
user. For most websites, using a CAPTCHA does not make the customer
experience any better and is there for the sole purpose of protecting the
website.
A Better Way
A while back, someone in the ColdFusion community (Jake Munson
<http://www.techfeed.net/blog/>) got sick of dealing with CAPTCHA
implementations and wrote CFFormProtect <http://cfformprotect.riaforge.org/>.
This little gem consists of a ColdFusion component which can be called
when a form is displayed, and then again when the form processing code is
called. It essentially includes some JavaScript code on the form page, as
well as a hidden form field. The JavaScript code tracks basic user behaviors
such as use of the keyboard and mouse. When the form is submitted, it packs
up this information, along with some other metrics, and sends it along with
the submitted information.
On the processing side, it inspects the metrics and assigns scores to each
one. If it did not detect mouse movement, some points are added. If it
didn't detect keyboard use, some points are added. If certain keywords are
found, points are added. And so on. It can also talk to external spam
services such as Akismet <http://akismet.com/> and make a more detailed
inspection if you want to go that route. In the end, if the points "earned"
by the submission go over a certain amount, it's considered spam and you can
take a different action on the input rather than the normal submission
process.
Collecting and analyzing data points and metrics like this is very effective
and much more convenient for end users than a CAPTCHA could ever be. The
best part is that CFFormProtect takes all of about five minutes to put in
place on a ColdFusion website running on ColdFusion MX 6 or higher (we're at
version 9 as of this writing, so pretty much everyone should be able to use
it).
Tools like this continue to make ColdFusion developers some of the most
productive developers around, and help me "wow" my clients by solving an
annoying problem for them without having to resort to putting a burden on
the potential customers. Everybody wins, except the spammers, of course.
Peter Donahue
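Worked example of the two halves the post describes, a browser-side tally of mouse and keyboard use packed into a hidden field, and a server-side scorer that adds points per signal and compares the total with a threshold. This is an added illustration, not CFFormProtect's own code: the hidden-field name `cffp_metrics`, the weights, the keyword list, the time-on-form and link-count signals and the threshold are all assumptions chosen for the example.

```javascript
// Added example (not CFFormProtect's own code). Field name, weights, keyword
// list, time-on-form metric, link cutoff and threshold are all assumptions.

const SPAM_THRESHOLD = 5;                              // assumed: totals above this are spam
const KEYWORDS = ['viagra', 'casino', 'payday loan'];  // constructed blocklist
const HIDDEN_FIELD = 'cffp_metrics';                   // assumed hidden input name

// Browser side: tally mouse and keyboard use and write the result into the
// hidden <input type="hidden" name="cffp_metrics"> on submit. document and
// form are passed in so the function can be driven by stubs outside a browser.
function installTracker(doc, form) {
  const tally = { mouseMoved: false, keysPressed: 0, startedAt: Date.now() };
  doc.addEventListener('mousemove', () => { tally.mouseMoved = true; });
  doc.addEventListener('keydown', () => { tally.keysPressed += 1; });
  form.addEventListener('submit', () => {
    form.elements[HIDDEN_FIELD].value = JSON.stringify({
      mouseMoved: tally.mouseMoved,
      keysPressed: tally.keysPressed,
      elapsedMs: Date.now() - tally.startedAt,
    });
  });
  return tally;
}

// Server side: inspect the metrics and the visible fields, add points per
// signal, and compare the total with the threshold. The reasons are returned
// so a verdict can be logged and the weights tuned instead of silently dropped.
function scoreSubmission(fields) {
  const reasons = [];
  let points = 0;

  // A script posting the raw form usually omits the hidden field or leaves it
  // empty; unparseable JSON is treated like missing data plus a small penalty.
  let metrics = {};
  try {
    metrics = JSON.parse(fields[HIDDEN_FIELD] || '{}') || {};
  } catch (_e) {
    points += 1; reasons.push('unparseable metrics field');
  }

  if (!metrics.mouseMoved) { points += 2; reasons.push('no mouse movement'); }
  if (!(metrics.keysPressed > 0)) { points += 2; reasons.push('no keyboard use'); }
  // Time on form (assumed metric): a human needs seconds, a script milliseconds.
  if (typeof metrics.elapsedMs !== 'number' || metrics.elapsedMs < 2000) {
    points += 2; reasons.push('submitted too quickly');
  }

  // Keyword scan over the visible fields only; the metrics field is excluded.
  const text = Object.entries(fields)
    .filter(([name]) => name !== HIDDEN_FIELD)
    .map(([, value]) => String(value).toLowerCase())
    .join(' ');
  for (const kw of KEYWORDS) {
    if (text.includes(kw)) { points += 3; reasons.push(`keyword "${kw}"`); }
  }

  // Link count (assumed signal): form spam exists to plant links, so several
  // URLs in one submission count against it.
  const links = (text.match(/https?:\/\//g) || []).length;
  if (links > 2) { points += 2; reasons.push(`${links} links`); }

  return { points, isSpam: points > SPAM_THRESHOLD, reasons };
}

// Constructed sample submissions: one human post, one scripted post.
const HUMAN_POST = {
  name: 'Ada',
  message: 'Hello, do you ship to Texas?',
  [HIDDEN_FIELD]: JSON.stringify({ mouseMoved: true, keysPressed: 28, elapsedMs: 15000 }),
};
const BOT_POST = {
  name: 'best deals',
  message: 'Cheap viagra here http://a.example http://b.example http://c.example',
};

for (const post of [HUMAN_POST, BOT_POST]) {
  const verdict = scoreSubmission(post);
  console.log(verdict.isSpam ? 'SPAM' : 'OK  ', verdict.points, verdict.reasons.join(', '));
}
```

In the browser, add the hidden input to the form and call `installTracker(document, formElement)` once the page has loaded; on the server, run `scoreSubmission` over the posted fields in the form handler and route submissions with `isSpam` set to whatever alternate action the site wants, as the post suggests. Keeping the `reasons` list in the application log is what makes the weights and threshold tunable, since a submission that scores just under the threshold (keyboard use missing and a fast submit, say) shows up with its signals rather than vanishing.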