The most common spam-blocking technique for web forms nowadays is the captcha. I think this is the most effective way, too, as it is difficult to process and read the captcha images automatically, and doing so is quite expensive in terms of CPU and memory resources.
There are a lot of alternative ways out there, more or less brilliant, more or less useful. None of the anti-spam measures I know that do not use captchas would keep working if they found wide usage, as with a little more spam bot intelligence they would be useless.
- Referrer check: A simple one, known not to work, as the referrer can be (and actually is) faked easily in automated HTTP requests.
- Using a token stored in the user session, as described here years ago: This is easy to break by implementing sessions and cookies in the spam bot.
- A mathematical question: This is used in Flatpress’ accessible antispam plugin and there is an extension for Typo3 implementing this, too. It is not widely used in comparison to captchas, and this might be the reason that it works in some cases. It would be easy to break.
Especially the last one is, in my eyes, nonsense. It requires user interaction where there is absolutely no need for it. This is no Turing test, this is a simple calculation test. And who is faster at simple calculations than computer programs? The only problem for a computer program would be to read the question. Of course, this could be made difficult by hiding it in a separate element somewhere in the HTML document and using CSS and JavaScript to display it to the human user where it should appear, although this may reduce accessibility.
There is another way to achieve the same level of spam protection while making it significantly more user friendly:
```html
<form name="commentform">
  <label for="intput_a">Name:</label>
  <input id="intput_a" name="intput_a" type="text"/>
  <label for="intput_b">Email:</label>
  <input id="intput_b" name="intput_b" type="text"/>
  <label for="intput_c">Web:</label>
  <input id="intput_c" name="intput_c" type="text"/>
  <!-- The trap field: a human leaves it empty -->
  <label for="intput_d">Leave this field empty!</label>
  <input id="intput_d" name="intput_d" type="text"/>
  <label for="intput_e">Comment:</label>
  <textarea id="intput_e" name="intput_e"></textarea>
</form>
```
Know what I mean? Why ask the user to enter something, and why not ask him to explicitly enter nothing?
You could use CSS to hide the label and input which should be left empty so that a normal user won’t be bothered. You could even leave the label text out and hide the input with CSS if you assume that all user agents visiting your site support a basic kind of CSS.
Spam bots will try to fill something into this field, so you can easily recognize the spam entries. I use this method on a site with not so little traffic, so this is not just a gedankenexperiment, it works. Of course, it is not as solid as captchas, but it is faster, easier and more user friendly. And it is at least as good as the mathematical question measure, if not better.
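A server-side check for the empty-field trap described above, as an added example that is not part of the original post. It assumes the form is posted as `application/x-www-form-urlencoded` with the field names from the form above and that name and comment are required; going beyond the text, it also flags a request in which the trap field is missing altogether.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "intput_d"  # the "Leave this field empty!" input of the form
REQUIRED_FIELDS = ("intput_a", "intput_e")  # assumption: name and comment are mandatory


def classify_submission(body: str) -> str:
    """Return 'accept', 'spam' or 'reject' for a urlencoded POST body."""
    # keep_blank_values=True is essential: by default parse_qs drops empty
    # values, so an empty trap field would look the same as a missing one.
    fields = parse_qs(body, keep_blank_values=True)

    trap = fields.get(HONEYPOT_FIELD)
    if trap is None:
        # A browser submits every named text input, even when it is empty,
        # so a missing trap field means the request was not built from the form.
        return "spam"
    if any(value.strip() for value in trap):
        # Something was entered (the parameter may have been sent repeatedly).
        # Whitespace alone is treated as empty so a stray space is tolerated.
        return "spam"

    for name in REQUIRED_FIELDS:
        if not any(value.strip() for value in fields.get(name, [])):
            return "reject"  # incomplete, but not flagged as spam
    return "accept"


# Constructed sample request bodies, not real traffic.
SAMPLES = {
    "human": "intput_a=Ann&intput_b=&intput_c=&intput_d=&intput_e=Nice+post",
    "bot_fills_all": "intput_a=x&intput_b=x%40example.com"
                     "&intput_c=http%3A%2F%2Fexample.com&intput_d=x&intput_e=buy",
    "bot_skips_trap": "intput_a=x&intput_e=buy",
    "whitespace_only": "intput_a=Ann&intput_d=+++&intput_e=Hello",
    "empty_comment": "intput_a=Ann&intput_d=&intput_e=",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} -> {classify_submission(body)}")
```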
P.S.: Sorry that I still have the math question in my blog comment form. I did not write the Flatpress plugin implementing the empty field yet. But I will.
I think that a way to ensure that the “tricky” field is really used/filled by robots is to give it a name that really attracts robots: email, name, website, or something like that.
Too many Spam robots tend to not fill some “extra” fields. This should take care of them.
True, I thought about this, too. But it should be done in a way that it does not affect accessibility.