
Will a spam bot be able to submit a form if there is no submit button on the page?

Just wondered if anyone knows if a spam bot will be able to submit a form if there is no submit button on the page. Just trying to do some very basic spam prevention without using CAPTCHA. The thought is to use jQuery to render the submit button if the user interacts with the form in some way. Any thoughts would be appreciated.


A spambot that consists of a code wrapper around WebKit or some other browser core can just force the DOM "submit()" to be run, or (even more radical) just launch a POST transaction of its own.

It's best to think of a spambot as a massively powerful evil robot with a browser that follows no rules attached by atomic energy beams to its robot brain. But it's a robot that can't read very well.


A bot most definitely will be able to find your post button, if only infrequently.

A very popular method sort of like what you are trying is to create a honeypot form element. The editable honeypot fields on the form are invisible to people (you can use jQuery/CSS to hide these form elements). They are validated when the form data is posted and if they contain any input then the submitter must be a bot of some sort.

Using obscured field names and validation can also stop these bots. If the email field must have an @ sign, and the bot can't tell which field is email and which isn't, the chances it will make a successful post have been greatly reduced.


Yes, it would be possible, a bot doesn't need a submit button.

If you have (pseudohtml):

<form method="POST" action="posting.php">
<input name="something"/>
<!-- some logic for the submit button -->
</form>

The bot could simply parse the form tag and the names of the fields in the form and issue the POST on its own, without ever touching the submit button.


Yes, they can. The button isn't completely needed:

$('#form_id').submit(); /* This is a jQuery trigger */

But the bot could be nasty and issue its own POST request to your server, as it's not that hard to do.

But if you created an <input type="hidden" /> with a secret-ish value (known by the server and retrieved dynamically for each session) with jQuery and only accepted submits if that value was present, you'd stop all non-JS enabled bots.

The downside is that you'd prevent non-JS enabled users from using your webpage. But that's the constant battle you have to fight to kill the spammers...


Typically we make a hidden field with a "juicy attractive" name like "FirstName".

Then in codebehind we run something like:

If FirstName.Text <> "" Then

    ' Insert your "what I want to happen" code here: maybe a popup saying "oops an error has been made", or just don't submit the form, or maybe redirect to a fake error page, like:

    Response.Redirect("thisisabot.aspx")

End If


There is no need to render the submit button as often the data is sent from a remote server rather than filled out from the page itself. CAPTCHA is horrible, sometimes it is so unclear that I don't understand what it says. I use three methods at once to stop bots.

  1. Comparing the form's source IP address with the destination IP address, if they don't match, then no further processing will take place.
  2. A field hidden by CSS that is left blank, if filled in, it's a bot and is ignored.
  3. Another field that receives a predetermined value by JavaScript when the form is submitted. No match, no further processing.

I also recorded the attempts with the IP addresses to a database table. The attempts failed one, two or all of the tests.

However, stopping sweatshop spammers is another story altogether. Sweatshop spammers are people cheaply employed to manually send spam. If you have a larger site, it may be worth using a service that deals with this kind of spam. Some services also deal with abusive language as well.
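
The honeypot and script-set token checks described in the answers above, as an added server-side example in Node.js (not part of the original thread). The field name `FirstName` comes from the honeypot answer; `js_token`, the HMAC-derived token, the secret and the sample submissions are assumptions made for illustration.

```javascript
// Added example: server-side checks for a honeypot field and a per-session token.
const crypto = require('node:crypto');

// Assumed field names: "FirstName" is the CSS-hidden honeypot, "js_token" is the
// hidden input that page script fills in once the user interacts with the form.
const HONEYPOT_FIELD = 'FirstName';
const TOKEN_FIELD = 'js_token';

// Token the server hands to the page script for this session (HMAC of the session id).
function issueToken(sessionId, secret) {
  return crypto.createHmac('sha256', secret).update(sessionId).digest('hex');
}

// Constant-time comparison; unequal lengths are rejected before timingSafeEqual,
// which throws when buffer lengths differ.
function tokenMatches(submitted, expected) {
  const a = Buffer.from(String(submitted ?? ''), 'utf8');
  const b = Buffer.from(expected, 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Returns the list of failed tests; an empty list means the post may be processed.
function checkSubmission(fields, sessionId, secret) {
  const failed = [];
  if (String(fields[HONEYPOT_FIELD] ?? '').trim() !== '') failed.push('honeypot_filled');
  if (!tokenMatches(fields[TOKEN_FIELD], issueToken(sessionId, secret))) {
    failed.push('token_mismatch');
  }
  return failed;
}

// Constructed sample submissions (not real traffic).
const SECRET = 'example-secret-not-for-production';
const SESSION = 'session-1234';
const samples = {
  human: { email: 'a@example.com', FirstName: '', js_token: issueToken(SESSION, SECRET) },
  formScraper: { email: 'x@example.com', FirstName: 'Bob' }, // no JS, fills every input
  replayedToken: { email: 'y@example.com', FirstName: '', js_token: issueToken('other-session', SECRET) },
};

for (const [name, fields] of Object.entries(samples)) {
  const failed = checkSubmission(fields, SESSION, SECRET);
  // Log which tests failed so rejected attempts can be recorded with the client IP.
  console.log(name, failed.length ? `rejected: ${failed.join(',')}` : 'accepted');
}
```

As the first answer points out, a bot wrapped around a real browser engine runs the page script and passes the token check, so these tests only filter simple form scrapers.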


Having never coded a spam bot, I can only make assumptions. But I would assume the presence of a submit button wouldn't really make much difference. More likely, it's looking at the <form>-tag and determining based on that where it should make a POST/GET request. A better bet (but by no means fool-proof) would be to not use a <form>, but manually do a $.post (since you mentioned using jQuery) when a button or link of your choice is clicked, collecting POST-data from elements on the fly.
