I work for a company that has an online store, and we constantly have to deal with a lot of spam product reviews, and bogus customer accounts. These are all created by automated systems and are more of a nuisance than anything.
What I am thinking of (in lieu of captcha, which can be broken) is adding a sort of form key solution to all relevant forms. I know for certain some of the spammers are using XRumer, and I know they seldom request a page before sending us the form data (Is this the definition of CSRF?) so I would think that tying a key to each requested form would at least stem the tide. I also know the spammers are lazy and don’t check their work, or they would see that we have never posted a spam review, and they have never gained any revenue from our site.
Would this succeed in significantly reducing the volume of spam product reviews and customer account creations we are seeing?
EDIT: To clarify what I mean by “Form Keys”: I am referring to creating a unique identifier (or “key”) that will be used as an invisible, static form field. This key will also be stored either in the database (relative to the user session) or in a cookie variable. When the form’s target gets a request, the key must be validated for the form’s data to be processed. Those pesky bots won’t have the key because they don’t load the JavaScript that generates the form (they just send a blind request to the target), and even if they did load the JavaScript once, they’d only have one valid key, and I’m not sure they even use cookies.
7
What you’re suggesting sounds like the honeypot method. I’ve used this on forms that were getting a lot of spam and found it works quite nicely. It wasn’t perfect but it did cut our spam down quite a bit with no impact on legitimate users — they didn’t have to decode a cumbersome CAPTCHA or stop to think what 2 + 1 is equal to.
Now when we compared the honeypot against forms with reCAPTCHA, reCAPTCHA was waaaaay more effective, pretty much blocking everything.
It’s not clear from your question but requiring an account to post a review and requiring email verification of said account (i.e., person signs up, you send an email with activation link, they click activation link before they can do anything on the site) can also go a long way to cutting down spam.
To specifically address your question: yes, this tactic will reduce spam, but you’re likely to still get a decent volume of spam if you rely on it alone.
I’d start with a honeypot on your forms and see how it goes. It’s easy to implement and is low impact on users. If the results are acceptable then be happy and move on to something else. If not, look into something like reCAPTCHA. You mentioned that management isn’t too psyched at the idea of a CAPTCHA, likely because they fear a reduced number of legit reviews. In this case doing an A/B test of non-CAPTCHA vs CAPTCHA form submissions will give you some insight into whether this is actually a concern.
1