Web Form Spam – Block Spam without a Captcha Code

February 4th, 2014

Many contact us forms and comment forms are plagued by “web form spam”.   Automated programs crawl the Internet looking for web forms.  When found, they start submitting spam advertisements through the forms in the hopes that some of the recipients of these form submissions will see the ads and act on them.  Almost nobody does … but the spam still comes and gets worse and worse over time.

Using a Captcha Code

Many forms solve this problem using Captcha — they show you some word or words that are somehow distorted or obscured in an image.  You have to figure out what is written and type it in the box.  If you get it right — you prove you are a “real person” (computers can figure these things out too … but in general that requires more computer resources than the spammers want to spend on each form).  This method actually works really well.  In fact, systems like reCaptcha use this to help analyze digital books for scanning errors by putting our collective brains to good use.

However, the step of entering a Captcha does slow down the filling out of forms and is annoying to many people.  As the marketing people will tell you, the less your web site visitor has to do, the happier they are and the more likely you are to make a sale.  Can the form bots be stopped without use of Captcha?

Stopping Bots with Cookies and JavaScript

For the same reason that the majority of all web form spam bots will not try to read and solve Captchas, they also do not process web site Cookies and JavaScript … it takes a lot of work.

If the entity filling out your form is using a web browser that supports web cookies and can fully run JavaScript commands on your page, then it is almost always an actual person.  That person can choose to write spam advertisements in your form … but they can also solve a Captcha and do the same thing.

So, a good trick to use to verify that a person is filling out your form is for the form to:

  1. Include some JavaScript
  2. The JavaScript will generate a unique code (perhaps by loading data from the server or using some pre-defined formula)
  3. The JavaScript will save this code as a cookie
  4. When the user submits the form, this cookie will be sent along with it
  5. Your server-side form processor then checks for this cookie and makes sure it is correct — if it is, then you know that cookies and JavaScript were in use by the submitter and that it is probably a “real person”.

This process is invisible to the end user and does not require Captcha or any other steps.  It also stops almost all form spam.
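The five steps above, sketched as an added example for a Node.js form processor (this is not LuxSci's or SecureForm's code). The cookie name `form_check`, the 30-minute lifetime and the function names are assumptions; the code is an HMAC-signed timestamp, so the server can check it without storing anything and an old value cannot be replayed indefinitely.

```javascript
// Added example: cookie + JavaScript form check using only Node.js built-ins.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);  // assumption: per-deployment key held by the server
const COOKIE = 'form_check';            // hypothetical cookie name
const MAX_AGE_MS = 30 * 60 * 1000;      // assumption: a code is accepted for 30 minutes

function sign(ts) {
  return crypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Step 2: the unique code the page's JavaScript receives from the server.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

// Steps 1 and 3: inline script for the form page; only a client that runs it gets the cookie.
function clientSnippet(token) {
  return `<script>document.cookie = "${COOKIE}=${token}; path=/; SameSite=Lax";</script>`;
}

// Step 5: validate the Cookie header that arrives with the form POST (step 4).
function verifySubmission(cookieHeader, now = Date.now()) {
  const pair = (cookieHeader || '').split(';').map(s => s.trim())
    .find(s => s.startsWith(COOKIE + '='));
  if (!pair) return false;                        // no cookie: JavaScript or cookies not in use
  const [ts, mac] = pair.slice(COOKIE.length + 1).split('.');
  if (!/^\d+$/.test(ts || '') || !/^[0-9a-f]{64}$/.test(mac || '')) return false;
  const age = now - Number(ts);
  if (age < 0 || age > MAX_AGE_MS) return false;  // stale or future-dated code
  const expected = Buffer.from(sign(ts), 'hex');
  // Both buffers are 32 bytes here, so the constant-time comparison cannot throw.
  return crypto.timingSafeEqual(expected, Buffer.from(mac, 'hex'));
}
```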

Quick and Easy Implementation with SecureForm

When using the SecureForm service to process your form submissions, you point your form’s “action” address to LuxSci’s servers — the form data is posted securely to us.  We collect the data and save it for you and/or email it to you.  Integration requires updating only one line of your web form … no software to install.

The SecureForm service also includes web form spam blocking via Cookies and JavaScript as described above.  All you have to do to implement it is add one line of code to your web form HTML.  It can’t get much simpler to save time and eliminate lots of frustrating spam.