Web Form Spam – Block Spam without a Captcha Code

February 4th, 2014

Many contact us forms and comment forms are plagued by “web form spam.” Automated programs crawl the internet looking for web forms. When found, they start submitting spam advertisements through the forms hoping that some of the recipients of these form submissions will see the ads and act on them. Almost nobody does, but the spam still comes and gets worse and worse over time.

Using a Captcha Code

Many forms solve this problem using Captcha — they show you some words that are somehow distorted or obscured in an image. You have to figure out what is written and type it in the box. If you get it right — you prove you are a “real person” (computers can figure these things out too, but in general, that requires more computer resources than the spammers want to spend on each form). This method works well. Systems like reCaptcha use this to help analyze digital books for scanning errors by putting our collective brains to good use.

However, entering a Captcha slows down the filling out of forms and is annoying to many people. As the marketing people will tell you, the less your website visitor has to do, the happier they are and the more likely you are to make a sale. Can the form bots be stopped without the use of Captcha?

Stopping Bots with Cookies and JavaScript

For the same reason that the majority of all web form spam bots will not try to read and solve Captchas, they also do not process website cookies and JavaScript; it takes a lot of work.

If the entity filling out your form is using a web browser that supports web cookies and can run JavaScript commands on your page, it is almost always an actual person. That person can choose to write spam advertisements in your form, but they can also solve a Captcha and do the same thing.

An excellent trick to verify that a person is filling out your form is:

  1. Include some JavaScript
  2. The JavaScript will generate a unique code (perhaps by loading data from the server or using some pre-defined formula)
  3. The JavaScript will save this code as a cookie
  4. When the user submits the form, this cookie will be sent along with it
  5. Your server-side form processor then checks for this cookie and makes sure it is correct — if it is, you know that cookies and JavaScript were in use by the submitter and that it is probably a “real person.”

This process is invisible to the end-user and does not require Captcha or other steps. It also stops almost all form spam.
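The five steps above, sketched as an added example for a Node.js server (this is not LuxSci's code or the Secure Form implementation). The cookie name `form_check`, the `/form-token` path, the 30-minute lifetime and the HMAC token format are all assumptions made for illustration; signing the code with a server secret and a timestamp keeps a bot from replaying one hard-coded value forever.

```javascript
const nodeCrypto = require("crypto");

const COOKIE_NAME = "form_check";   // hypothetical cookie name
const MAX_AGE_MS = 30 * 60 * 1000;  // assumed token lifetime: 30 minutes

// HMAC over the issue time, keyed with a secret only the server knows.
function sign(secret, ts) {
  return nodeCrypto.createHmac("sha256", secret).update(String(ts)).digest("hex");
}

// Step 2: the "unique code" the page's JavaScript loads from the server.
function issueToken(secret, now = Date.now()) {
  return `${now}.${sign(secret, now)}`;
}

// Step 3 runs in the browser, for example (assumed endpoint /form-token):
//   fetch("/form-token").then(r => r.text()).then(t => {
//     document.cookie = "form_check=" + t + "; path=/; SameSite=Strict; Secure";
//   });

// Steps 4-5: the form processor reads the Cookie header and checks the code.
function verifyFormCookie(cookieHeader, secret, now = Date.now()) {
  const pair = (cookieHeader || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(COOKIE_NAME + "="));
  if (!pair) return false; // no cookie: JavaScript or cookies were not in use

  const [ts, mac] = pair.slice(COOKIE_NAME.length + 1).split(".");
  if (!/^\d+$/.test(ts || "") || !/^[0-9a-f]{64}$/.test(mac || "")) return false;

  const age = now - Number(ts);
  if (age < 0 || age > MAX_AGE_MS) return false; // stale or future-dated code

  // Constant-time comparison of the expected and presented MAC.
  const expected = Buffer.from(sign(secret, ts), "hex");
  return nodeCrypto.timingSafeEqual(expected, Buffer.from(mac, "hex"));
}
```

A submission that fails `verifyFormCookie` can be dropped or sent to a review queue; log the failures so you can see how much automated traffic the check is absorbing.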

Quick and Easy Implementation with Secure Form

When using the Secure Form service to process your form submissions, you point your form’s “action” address to LuxSci’s servers — the form data is posted securely to us. We collect the data, save it for you, and email it to you. Integration requires you only to update one line of your web form, with no software to install.

The Secure Form service also includes web form spam blocking via cookies and JavaScript. To implement it, all you have to do is add one line of code to your web form HTML. It can’t be much simpler to save time and eliminate frustrating spam.