Many web site forms and comment forms are plagued by “web form spam”.   Automated programs crawl the Internet looking for web forms.  When found, they start submitting spam advertisements through the forms in the hopes that some of the recipients of these form submissions will see the ads and act on them.  Almost nobody does … but the spam still comes and gets worse and worse over time.

Using a Captcha Code

Many forms solve this problem using Captcha — they show you some word or words that are somehow distorted or obscured in an image.  You have to figure out what is written and type it in the box.  If you get it right — you prove you are a “real person” (computers can figure these things out too … but in general that requires more computer resources than the spammers want to spend on each form).  This method actually works really well.  In fact, systems like reCaptcha use this to help analyze digital books for scanning errors by putting our collective brains to good use.

However, the step of entering a Captcha does slow down the filling out of forms and is annoying to many people.  As the marketing people will tell you, the less your web site visitor has to do, they happier they are and the more likely you are to make a sale.  Can the form bots be stopped without use of Captcha?

Stopping Bots with Cookies and JavaScript

For the same reason that the majority of all web form spam bots will not try to read and solve Captchas, they also do not process web site Cookies and JavaScript … it takes a lot of work.

If the entity filling out your form is using a web browser that supports web cookies and can fully run JavaScript commands on your page, then it is almost always an actual person.  That person can choose to write spam advertisements in your form … but they can also solve a Captcha and do the same thing.

So, a good trick to use to verify that a person is filling out you form is for the form to:

1. Include some JavaScript
2. The JavaScript will generate a unique code (perhaps by loading data from the server or using some pre-defined formula)
3. The JavaScript will save this code as a cookie
4. When the user submits the form, this cookie will be sent along with it
5. Your server-side form processor then checks for this cookie and makes sure it is correct — if it is, then you know that cookies and JavaScript were in use by the submittor and that it is probably a “real person”.

This process is invisible to the end user and does not require Captcha or any other steps.  It also stops almost all form spam.

Quick and Easy Implementation with SecureForm

With LuxSci’s SecureForm service, you point your forms to our servers — the data is posted securely to us.  We collect the data and save it for you or email it to you.  No server-side scripts to setup and keep secure.

The SecureForm service also includes web form spam blocking via Cookies and JavaScript as described above.  All you have to do to implement it is add one line of code to your web form HTML. Quick and easy.

Similar Posts:

• 6 ways to improve your web site forms
• Lock Down Your Web Site’s Contact Us Form
• Web Site Forms or PDF Forms: Pros and Cons
• Capture all of your Web Form Data. Suppress unwanted fields.
• SecureForm: Protect Yourself from Form Post Failures Using AJAX