Spam Evolved II
Categories: Security
Written By: Edward
Further to our earlier piece on the perils of spam and how to avoid them, it appears that Bad Behavior is exceptional when it’s hooked into a database (as is the default modus operandi with WordPress). When you run it as a plain plug-in in PHP forms to protect them against auto-submit spammers, however, it is not very effective: the documentation says it runs “degraded”, but our clients report that it doesn’t actually seem to make a difference.
Barriers at the source:
Another, more effective, way to block spammers auto-submitting forms at source is the “secure image verification” technique, where an obscured or distorted random image of letters and numbers is shown on the screen and the website visitor is asked to type it in. (The letters and numbers are distorted and obscured because there are “optical character recognition” programs that read electronic image text and work out what it is.)

There are numerous methods used to implement this. One of the most advanced is the CAPTCHA project, which provides very strong security, though some of the implementations require good technical know-how (Wikipedia has a good article about CAPTCHA with links to different distributions). There are also methods that use the GD library, including one from DevShed and one from SitePoint. The coding is a little more elegant in the second example, though the use of a database for additional security in the first example is good too.
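The image-verification flow described above, as an added example using PHP's GD extension (it is not the code from the DevShed or SitePoint articles). The function names, the `captcha_code` session key and the five-minute lifetime are assumptions; the caller is expected to have called `session_start()`.

```php
<?php
declare(strict_types=1);

// Added example. Alphabet leaves out look-alikes (0/O, 1/I) so humans mistype less.
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
const CAPTCHA_TTL = 300; // seconds a challenge stays valid (assumed value)

// Create a fresh challenge and remember the answer server-side only.
function captcha_new_code(int $length = 6): string
{
    $code = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)]; // CSPRNG, not rand()
    }
    $_SESSION['captcha_code'] = ['value' => $code, 'issued' => time()];
    return $code;
}

// Image endpoint: draw the code with noise and per-character jitter.
// imagestring() avoids needing a font file; imagettftext() with a random
// angle per character gives stronger distortion against OCR.
function captcha_render(string $code): void
{
    $w = 30 * strlen($code) + 20;
    $h = 50;
    $img = imagecreatetruecolor($w, $h);
    imagefill($img, 0, 0, imagecolorallocate($img, 255, 255, 255));
    for ($i = 0; $i < 8; $i++) { // random noise lines across the text
        $c = imagecolorallocate($img, random_int(100, 200), random_int(100, 200), random_int(100, 200));
        imageline($img, random_int(0, $w - 1), random_int(0, $h - 1), random_int(0, $w - 1), random_int(0, $h - 1), $c);
    }
    foreach (str_split($code) as $i => $ch) {
        $c = imagecolorallocate($img, random_int(0, 90), random_int(0, 90), random_int(0, 90));
        imagestring($img, 5, 12 + 30 * $i + random_int(-3, 3), random_int(8, 28), $ch, $c);
    }
    header('Content-Type: image/png');
    header('Cache-Control: no-store'); // a cached image would not match the new code
    imagepng($img);
}

// Form handler: call before processing the submission.
function captcha_verify(string $submitted): bool
{
    $stored = $_SESSION['captcha_code'] ?? null;
    unset($_SESSION['captcha_code']); // single use: burned on pass or fail, so no replay or retry
    if (!is_array($stored) || time() - $stored['issued'] > CAPTCHA_TTL) {
        return false;
    }
    return hash_equals($stored['value'], strtoupper(trim($submitted)));
}
```

The expected answer never reaches the browser in a hidden field or cookie; only the session identifier does, which is the property that stops a robot from reading the answer out of the page.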
I’d recommend using some form of image security on input forms as a standard approach to combatting spam robots these days, and always ask your developer to consider this as an option. Unless you want all those junk mails?


