
Re: Spam resistant guestbook?



Craig Sanders wrote:

> formmail scripts are a different problem to guestbooks.

Well, the issue is "how do you prevent automated scripts from submitting HTML forms as though they were humans". Feedback forms, guestbooks, blog comments, etc. aren't different in that respect.

Image-based CAPTCHAs are one way of solving the problem. My point was just that a text field almost always works just as well without the accessibility drawbacks.


> the best fix for formmail type scripts is to restrict the recipient
> addresses permissible

Ah, you thought I was talking about using this technique to prevent exploits: that is, to prevent poorly programmed feedback forms from being abused to send mail to other people. That is a different problem that should be addressed separately, as you well point out. But I was just talking about stopping spammers from posting non-exploit data to a securely coded form's intended (hard-coded) recipient list.

I have examples indicating that spammers use stupid, brute-force software that submits hundreds of combinations of spammy form data on any form they come across (crap that equates to "Let's post a fake e-mail address in the first field, and our spam text in every other field... Now let's try posting a fake e-mail address in the second field, and our spam text in every other field", ad nauseam). As a result, we've had complaints about spam that our customers received through their own feedback forms, guestbooks, blogs, etc.; we always just suggest adding a text-based field (and we've provided such software to users ourselves occasionally, as with the modified FormMail I mentioned). I've yet to hear of a case where adding a simple text field didn't stop the spam, so I'd recommend it as a simple, probably effective, accessible thing to try first.

--
Robert L Mathews

 "The trouble with doing something right the first time is
  that nobody appreciates how difficult it was."
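
An added example, not part of the original message and not the modified FormMail it mentions: a server-side check for the kind of text field described above, run against constructed submissions that follow the brute-force pattern the message describes. The field name `human_check`, the expected word `orange` and the other form field names are assumptions made for illustration.

```python
import hmac

# Assumption: the form shows "Type the word 'orange' in this box" beside a
# text input named "human_check". Both names are hypothetical.
CHALLENGE_FIELD = "human_check"
EXPECTED_ANSWER = "orange"


def passes_text_challenge(form):
    """Return True only if the challenge field holds the expected word."""
    answer = form.get(CHALLENGE_FIELD, "")
    if not isinstance(answer, str):
        return False
    normalized = answer.strip().lower()  # tolerate " Orange " from a human
    # compare_digest keeps the comparison time independent of the input.
    return hmac.compare_digest(normalized.encode("utf-8"),
                               EXPECTED_ANSWER.encode("utf-8"))


def handle_submission(form):
    """Accept for delivery to the hard-coded recipient only if the check passes."""
    return "accepted" if passes_text_challenge(form) else "rejected"


def constructed_bot_submissions(field_names):
    """Constructed test data: a fake address in one field, spam text in every
    other field, rotated across all fields, as described in the message."""
    fake_email, spam_text = "x@example.invalid", "BUY CHEAP PILLS"
    return [
        {name: (fake_email if name == slot else spam_text) for name in field_names}
        for slot in field_names
    ]


def count_accepted(submissions):
    """Number of submissions that would reach the recipient."""
    return sum(handle_submission(s) == "accepted" for s in submissions)


if __name__ == "__main__":
    fields = ["email", "name", "message", CHALLENGE_FIELD]
    bots = constructed_bot_submissions(fields)
    human = {"email": "visitor@example.org", "name": "Pat",
             "message": "Nice site!", CHALLENGE_FIELD: " Orange "}
    print("bot submissions accepted:", count_accepted(bots), "of", len(bots))
    print("human submission:", handle_submission(human))
```

Every rotated submission carries either the spam text or the fake address in the challenge field, so none match the expected word, while a visitor who types it is accepted regardless of case or surrounding spaces.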


