For full details of how CFFormProtect works, see the project page at http://cfformprotect.riaforge.org/


Installation

  1. Copy the cfformprotect folder into your web root.
  2. On your form page, add this line of code:
     <cfset Cffp = CreateObject("component","cfformprotect.cffpVerify").init() />
  3. Put <cfinclude template="/cfformprotect/cffp.cfm"> somewhere between your form tags.
  4. On your processing page, include the following code:
     <cfset Cffp = CreateObject("component","cfformprotect.cffpVerify").init() />
     <!--- now we can test the form submission --->
     <cfif Cffp.testSubmission(form)>
         <!--- The submission has passed the form test. Place processing here. --->
     <cfelse>
         <!--- The test failed. Take appropriate failure action here. --->
     </cfif>
  5. Set up your email settings and Akismet in cffp.ini.cfm if you want to use those features (if you leave the email settings blank, you won't receive an email when a spammer tries to attack your forms).
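A complete form page and processing page wired up as in the steps above, added here as an example rather than code shipped with CFFormProtect. The file names (contact.cfm, contact_process.cfm), the form field names and the email addresses are made up for the illustration; the field names are the ones you would point akismetFormNameField, akismetFormEmailField and akismetFormBodyField at in cffp.ini.cfm.

```cfml
<!--- contact.cfm: the page that renders the form (added example, hypothetical file name) --->
<cfset Cffp = CreateObject("component", "cfformprotect.cffpVerify").init() />

<form action="contact_process.cfm" method="post">
    <label for="name">Name</label>
    <input type="text" name="name" id="name" />

    <label for="email">Email</label>
    <input type="text" name="email" id="email" />

    <label for="comments">Comments</label>
    <textarea name="comments" id="comments"></textarea>

    <!--- cffp.cfm emits the hidden fields and JavaScript that the mouse, keyboard,
          timed-form and hidden-field tests rely on, so it must sit inside the form tags --->
    <cfinclude template="/cfformprotect/cffp.cfm">

    <input type="submit" value="Send" />
</form>


<!--- contact_process.cfm: the page the form posts to (added example, hypothetical file name) --->
<cfset Cffp = CreateObject("component", "cfformprotect.cffpVerify").init() />

<cfif Cffp.testSubmission(form)>
    <!--- Passed: handle the submission as usual. Addresses are placeholders. --->
    <cfmail to="webmaster@example.com" from="forms@example.com" subject="Contact form">
        Name: #form.name#
        Email: #form.email#

        #form.comments#
    </cfmail>
    <p>Thank you, your message has been sent.</p>
<cfelse>
    <!--- Failed: do not process the message. Record the rejection for later review
          and keep the on-screen message generic so the response does not reveal
          which test tripped. --->
    <cflog file="cffp_rejections" type="warning"
           text="Form submission rejected from #cgi.REMOTE_ADDR#" />
    <p>Sorry, your submission could not be accepted.</p>
</cfif>
```

With emailFailedTests and logFailedTests enabled in cffp.ini.cfm, CFFormProtect records its own report of each failed test as well; the cflog call above is only there to show a failure action that the processing page itself controls.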

Customization

INI File settings (cffp.ini.cfm)

Most of the values can be left at their defaults, but you'll need to provide values for Akismet and Project Honey Pot if you want to use those tests. Thanks to Yves Prignon for creating this table for the INI settings.

Each entry below gives the Config Name, then Default | Type | Accepted Values, then the Description.

mouseMovement
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable the mouse test. This test makes sure the user moved their mouse.

usedKeyboard
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable the keyboard test. This test makes sure the user used their keyboard.

timedFormSubmission
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable the timed form test. This test checks how long the form entry and submission took.

hiddenFormField
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable the hidden form field test. This test makes sure a form field hidden with CSS is empty.

akismet
  Default: 0 | Type: boolean | Accepted values: 1, 0
  Enable/disable the Akismet test. Uses the public Akismet service to test whether the form contents are spam. This is off by default because you have to provide the details in the second section for Akismet to work. Akismet is not a free service and requires the application to exchange data with the outside world.

LinkSleeve
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable the LinkSleeve test. Uses the public LinkSleeve service to test whether the form contents are spam.

tooManyUrls
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable the tooManyUrls test. This test adds up the number of URLs found in all of the submitted form fields and marks the submission as spam if the total exceeds the limit configured by the tooManyUrlsMaxUrls variable in the ini file.

teststrings
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable the teststrings test. This test compares the words in the form submission to a configurable list of "spammy" words and marks the submission as spam if one of these words is found. The list can be changed by editing the spamstrings variable in the ini file.

projectHoneyPot
  Default: 0 | Type: boolean | Accepted values: 1, 0
  Enable/disable the Project Honey Pot test. Project Honey Pot is a free web service that checks the IP address of your site's visitor. They maintain a large database of known spammer IP addresses, and when a user submits your form, this test checks the visitor's IP address against it. This is off by default because you have to provide the API key in the second section.

Individual Test Config

timedFormMinSeconds
  Default: 5 | Type: numeric | Accepted values: whole number only
  The minimum number of seconds allowed for a user to fill out the form.

timedFormMaxSeconds
  Default: 3600 | Type: numeric | Accepted values: whole number only
  The maximum number of seconds allowed for a user to fill out the form.

encryptionKey
  Default: JacobMunsOn | Type: string | Accepted values: longer is better
  Used in the timedForm test to encrypt the time so it can be stored in a hidden form field (to help fool the spammers).

akismetAPIKey
  Default: [null] | Type: string | Accepted values: valid Akismet key
  This is the API key that you received from Akismet.

akismetBlogURL
  Default: [null] | Type: string | Accepted values: valid URL
  The URL of your site; it's a required value for the Akismet service.

akismetFormNameField
  Default: [null] | Type: string | Accepted values: valid field name
  The name of your "Name" form field.

akismetFormEmailField
  Default: [null] | Type: string | Accepted values: valid field name
  The name of your "Email address" form field (optional).

akismetFormURLField
  Default: [null] | Type: string | Accepted values: valid field name
  The name of your "URL" form field (optional).

akismetFormBodyField
  Default: [null] | Type: string | Accepted values: valid field name
  The name of your "Comment" form field.

tooManyUrlsMaxUrls
  Default: 6 | Type: numeric | Accepted values: whole number only
  The maximum number of URLs that can be passed in the form contents.

spamstrings
  Default: free music, download music, music downloads, viagra, phentermine, viagra, tramadol, ultram, prescription soma, cheap soma, cialis, levitra, weight loss, buy cheap
  Type: string | Accepted values: comma-separated list
  A list of strings that the form contents will be compared to.

projectHoneyPotAPIKey
  Default: [null] | Type: string | Accepted values: valid Project Honey Pot key
  This is the API key that you received from Project Honey Pot at http://www.projecthoneypot.org/.
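How a timed-form check of the kind timedFormSubmission, timedFormMinSeconds and timedFormMaxSeconds describe can be built, shown as an added example that is not CFFormProtect's own implementation. A token is issued into a hidden field when the form is rendered and verified on submission against the minimum and maximum seconds. Unlike the project, which encrypts the time with encryptionKey, this example keeps the timestamp readable and attaches an HMAC computed with the key, so a forged or edited timestamp is rejected; hmac() needs ColdFusion 10 or later or Lucee. The config struct, the key value and the function names are stand-ins for what cffp.ini.cfm and cffpVerify.cfc would provide.

```cfml
<cfscript>
// Added example: values that would normally be read from cffp.ini.cfm.
// The key is a placeholder; use a long random value of your own, not the shipped default.
config = {
    timedFormMinSeconds = 5,
    timedFormMaxSeconds = 3600,
    encryptionKey       = "change-me-to-a-long-random-value"
};

// Called when the form is rendered: returns the value to place in a hidden field.
// Layout is "<seconds since epoch>|<HMAC-SHA256 of those seconds under encryptionKey>".
function makeTimerToken(required struct cfg) {
    var issued = int(getTickCount() / 1000);
    var tag    = hmac(issued, cfg.encryptionKey, "HMACSHA256");
    return issued & "|" & tag;
}

// Called on the processing page. 'now' is passed in (seconds since epoch) so the
// check can be exercised with chosen clock values; returns {pass, reason}.
function checkTimerToken(required string token, required struct cfg, required numeric now) {
    if (listLen(token, "|") != 2) {
        return { pass = false, reason = "missing or malformed token" };
    }
    var issued = listFirst(token, "|");
    var tag    = listLast(token, "|");

    // recompute the tag; any change to the timestamp invalidates it
    if (!isNumeric(issued) || compare(tag, hmac(issued, cfg.encryptionKey, "HMACSHA256")) != 0) {
        return { pass = false, reason = "token was tampered with" };
    }

    var elapsed = now - issued;
    if (elapsed < cfg.timedFormMinSeconds) {
        return { pass = false, reason = "submitted too fast (#elapsed#s)" };
    }
    if (elapsed > cfg.timedFormMaxSeconds) {
        return { pass = false, reason = "form expired after #elapsed#s" };
    }
    return { pass = true, reason = "ok" };
}

// Illustration with constructed clock values: the same token checked as if
// 2 seconds, 30 seconds and 2 hours had passed, plus an edited timestamp.
token    = makeTimerToken(config);
issuedAt = listFirst(token, "|");
writeDump(checkTimerToken(token, config, issuedAt + 2));        // pass = false (too fast)
writeDump(checkTimerToken(token, config, issuedAt + 30));       // pass = true
writeDump(checkTimerToken(token, config, issuedAt + 7200));     // pass = false (expired)
edited = (issuedAt - 60) & "|" & listLast(token, "|");
writeDump(checkTimerToken(edited, config, issuedAt + 30));      // pass = false (tampered)
</cfscript>
```

On the form page the token would go into a hidden input and on the processing page the check would feed into the points total; a token that verifies is still only evidence that this page issued it within the window, which is why CFFormProtect combines this test with the others rather than relying on it alone.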

Failure Limit

mouseMovementPoints
  Default: 1 | Type: numeric | Accepted values: whole number only
  Points given for the mouse movement test.

usedKeyboardPoints
  Default: 1 | Type: numeric | Accepted values: whole number only
  Points given for the used keyboard test.

timedFormPoints
  Default: 2 | Type: numeric | Accepted values: whole number only
  Points given for the timed form test.

hiddenFieldPoints
  Default: 3 | Type: numeric | Accepted values: whole number only
  Points given for the hidden field test.

akismetPoints
  Default: 3 | Type: numeric | Accepted values: whole number only
  Points given for the Akismet test (if used).

linkSleevePoints
  Default: 3 | Type: numeric | Accepted values: whole number only
  Points given for the LinkSleeve test.

tooManyUrlsPoints
  Default: 3 | Type: numeric | Accepted values: whole number only
  Points given for the URL count test.

spamStringPoints
  Default: 2 | Type: numeric | Accepted values: whole number only
  Points given for the spam string test.

projectHoneyPotPoints
  Default: 3 | Type: numeric | Accepted values: whole number only
  Points given for the Project Honey Pot test (if used).

failureLimit
  Default: 3 | Type: numeric | Accepted values: whole number only
  The total number of points you will allow before flagging a message as spam. Each test that fails assigns its "failure points" to the form submission. If the total exceeds the failureLimit, the message will not be sent.
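The points model above, worked through as an added example that is not code from cffpVerify.cfc: two of the content tests, tooManyUrls and teststrings, are reimplemented in simplified form, their points are added up, and the total is compared with failureLimit using the defaults from this table. The two sample submissions are constructed for the illustration, and the function names are hypothetical.

```cfml
<cfscript>
// Added example: defaults taken from the table above (duplicate "viagra" dropped).
config = {
    tooManyUrlsMaxUrls = 6,
    tooManyUrlsPoints  = 3,
    spamstrings        = "free music, download music, music downloads, viagra, phentermine, tramadol, ultram, prescription soma, cheap soma, cialis, levitra, weight loss, buy cheap",
    spamStringPoints   = 2,
    failureLimit       = 3
};

// Counts http/https URLs across every submitted field.
function countUrls(required struct fields) {
    var total = 0;
    for (var key in fields) {
        total += arrayLen(reMatchNoCase("https?://[^\s<>""']+", fields[key]));
    }
    return total;
}

// True if any configured spam string occurs in any field (case-insensitive).
function hasSpamString(required struct fields, required string spamList) {
    for (var key in fields) {
        for (var word in listToArray(spamList, ",")) {
            if (findNoCase(trim(word), fields[key])) {
                return true;
            }
        }
    }
    return false;
}

// Runs the two tests, accumulates failure points and applies the failureLimit rule.
// The description above says the submission fails when the total "exceeds" the
// limit, so a strict greater-than is used here; under that reading a single
// 3-point test does not trip the default limit of 3. Check cffpVerify.cfc for the
// comparison the shipped component actually makes before tuning the point values.
function scoreSubmission(required struct fields, required struct cfg) {
    var points = 0;
    var failed = [];
    if (countUrls(fields) > cfg.tooManyUrlsMaxUrls) {
        points += cfg.tooManyUrlsPoints;
        arrayAppend(failed, "tooManyUrls");
    }
    if (hasSpamString(fields, cfg.spamstrings)) {
        points += cfg.spamStringPoints;
        arrayAppend(failed, "teststrings");
    }
    return { points = points, failedTests = failed, isSpam = (points > cfg.failureLimit) };
}

// Constructed sample submissions (field names as a contact form might use them).
legit  = { name = "Ann", comments = "Could you send me the brochure? Thanks." };
spammy = { name = "x",
           comments = "buy cheap viagra http://a.example http://b.example http://c.example "
                    & "http://d.example http://e.example http://f.example http://g.example" };

writeDump(scoreSubmission(legit, config));   // points = 0, isSpam = false
writeDump(scoreSubmission(spammy, config));  // points = 5 (3 + 2), isSpam = true
</cfscript>
```

The second submission trips both tests (seven URLs against a limit of six, and two of the configured strings), so it scores 5 and is flagged; a message that only tripped teststrings would score 2 and pass, which is the trade-off the per-test point values let you tune.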

Email Settings

emailFailedTests
  Default: 0 | Type: boolean | Accepted values: 1, 0
  Enable/disable emailFailedTests to receive email reports when spam is detected.

emailServer
  Default: [null] | Type: string | Accepted values: valid address
  Email server address.

emailUserName
  Default: [null] | Type: string | Accepted values: valid username
  Email account user name.

emailPassword
  Default: [null] | Type: string | Accepted values: valid password
  Email account password.

emailFromAddress
  Default: [null] | Type: string | Accepted values: valid email address
  Email address used for the "from" field.

emailToAddress
  Default: [null] | Type: string | Accepted values: valid email address
  Email address used for the "to" field.

emailSubject
  Default: [null] | Type: string | Accepted values: valid email subject
  Email subject.

Logging

logFailedTests
  Default: 1 | Type: boolean | Accepted values: 1, 0
  Enable/disable logging of spam submissions.

logFile
  Default: [null] | Type: string | Accepted values: valid file name
  To specify a different log file name.


CFFormProtect is governed by the Mozilla Public License version 1.1.
See the included License.txt or http://www.mozilla.org/MPL/ for details.