Does anybody know roughly how many of the spambots out there that support Javascript?

We've all heard of honeypots and things like that that try to catch out spambots because they render the forms they pre-fill differently. The ideal solution is extremely convenient for non-spambots (you and me) and extremely effective in keeping out the spambots (porn and viagra sellers). With a bit of Javascript you could for example do the captcha technique for the user on the assumption that spambots don't render Javascript. And for the few poor suckers who don't have Javascript but are human (e.g. lynx users, blind people, paranoids) they'll just have to complete the captcha. For example, suppose you have a captcha quiz that says : "Capital of United Kingdom: Rome, _ London, Paris" and then an AJAX request fetches the correct answer from the server, fills it in and hides the whole captcha.

The big question is: How many of the spambots out there support Javascript? I guess the best experiment would be to write a tempting form for spambots and in it you let Javascript enter some value on submission.

If it turns out that spambots do render Javascript, one could perhaps combine server side cookies with it such that the first time you complete the form you have to prove that you're human the hard way and on all consecutive entries a Javascript does it for you.

Why I like this idea is that you can write your server-side code as if Javascript didn't exist and then softly add the sugar that Javascript can be an be 100% unintrusive.

Obviously a technique like this wouldn't work on a mainstream site like * or but for the 90% of all sites out there that aren't mainstream it could work.


Ian Bicking

One anti-spambot measure I've seen is to run the javascript to change a link on mouseover. So while it's possible that spambots are using automated browsers (quite possible, I'd say) it's unlikely they are simulating the movement of the mouse around the screen.

Not sure what happens if you tab over such a link. Probably broken in that case.

Peter Bengtsson

That's a very good idea and caveat you mentioned about the tab is, just like I argued, tough. I'll keep that one in mind.


I like your idea of unobtrusively sprinkling JavaScript over a captcha.

Did you ever find out to what degree spambots are able to render JavaScript? If you did, please send me a quick note to joakimstai at the gmail domain (good luck with that one, spambots!).

Thanks :)

Your email will never ever be published.

Related posts