On Thu, 9 Nov 2006 14:42:22 -0700 "Daniel Mitchell" <DanielMitchell@xxxxxxxxxxxxx> wrote: > I'm not sure if I'm explaining that correctly, so here's the link: > > http://isc.sans.org/diary.php?storyid=1836 The described idea wouldn't work to well with the recent targeted attacks. The spammer identifies the needed fields once manually, then he configures his script with the correct field names and runs the script with a a list of page names (obtained through google). But in the comments was something that could work nearly like a captcha but without user interaction: Ed writes: "So far I have been successful by using a session variable that is set when the form is requested via http get. If the submitted form doesn't have the session variable set, I dump the email and return a bogus error message." Another idea could be to create such a verification key automatically from some browser user data and an encryption key - like the one we use to protect the auth cookie from being stolen. This could really work :-) Thanks for your input. Andi -- http://www.splitbrain.org