Spam-bots are getting smarter. I've seen bots that fill out forms with close to perfect information. I've seen bots that copy blog comments and then add in their spam. I've seen bots that adapt to their situations. What I have not seen are bots that can look at a form like a human does.
Let me give you a situation. House of Fusion has a sign-up form that not only allows for the standard contact information but also allows for multiple alternate email addresses. I've been seeing some spam coming through that has multiple emails of the same value. This reminded me of something very simple about forms: multiple form fields with the same name become a comma-delimited list on submit.
This means that two input boxes named email that are both filled with "email@example.com" will result in a variable of form.email with a value of "email@example.com,email@example.com". This is wonderful!
All we have to do to block some of these new 'thinking' bots is have a form with two input fields called email. The display for the first will be email while the display for the second will be alternate email.
On the action page we just have to check whether form.email has 2 items and, if they are the same, block the post as spam.
---spam code here---
This works great, but there are always alternatives. While giving this to Clark Valberg for use on the Developers Circuit contact form, he modified the idea, which led to another modification. The first is to take the second email input and label it as something other than email. Zip code is a perfect example, as it is something not always required. To a human it looks like a standard form with zip and email, but to a bot there's no zip, just 2 emails. The second modification is to exchange form fields: have the email form field labeled zip and the zip field labeled email. A human will read the label and enter what is expected (zip in the email field, email in the zip field) while a bot will enter the wrong values.
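The action-page check for the duplicate email fields and for the swapped-label variant could look like this in ColdFusion. This is an added example, not the author's original code; the function names `isDuplicateEmailSpam` and `isSwappedLabelSpam` and the `formspam` log file name are hypothetical.

```cfml
<cfscript>
// Added example, not the author's code. Function names and the
// "formspam" log file name are hypothetical.

// Variant 1: two inputs both named "email" (labelled Email / Alternate email).
boolean function isDuplicateEmailSpam(required string emailList) {
    // List functions skip empty elements, so a blank alternate field
    // ("a@example.com,") counts as one item and passes.
    if (listLen(arguments.emailList) neq 2) {
        return false;
    }
    var first  = trim(listFirst(arguments.emailList));
    var second = trim(listLast(arguments.emailList));
    // compareNoCase() returns 0 when the values match ignoring case.
    return compareNoCase(first, second) eq 0;
}

// Variant 2: labels swapped, so a human types a zip into the input
// named "email". An email address arriving there means the sender
// followed the field name instead of the visible label.
boolean function isSwappedLabelSpam(required string emailNamedField) {
    return isValid("email", trim(arguments.emailNamedField));
}

// Action page for variant 1; call isSwappedLabelSpam(form.email)
// instead on a form built the second way.
param name="form.email" default="";
if (isDuplicateEmailSpam(form.email)) {
    writeLog(file="formspam", type="information",
             text="Blocked duplicate email post from #cgi.remote_addr#");
    abort; // stop before anything is stored or mailed
}
</cfscript>
```

Because the list is split on commas, the check relies on neither address containing a comma of its own.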
These are simple checks that can defeat many of the spam-bots out there today and they all depend on the difference between how a human and a bot sees a page - something that will always be in our favor.