Stopping form spam without compromising UX

Stopping spam on website forms can be very important for Wiliam’s clients, but they often do not want to compromise the user experience by using a captcha. There are many alternatives that can be very effective against spam while remaining invisible to the user!

A very common method of generating form spam is a playback bot, which records the post data of a real submission and then replays it with its spam appended to the submitted data. The other is a form-filling bot, which simply finds a form in the page, fills out the fields with spam and submits it.

Here are some clever techniques we can use to protect against such bots submitting spam to your website without the use of a captcha:

Honeypot: This is a field we make invisible (using CSS, HTML, or JavaScript), and when the form is submitted we check that it was left blank – users will not see the field and therefore leave it blank, whereas most bots will not process the CSS/HTML/JS rendering rules and will blindly fill out the honeypot field.

Unique hash: Create a hash based on facts that are unique to the request – for example, make a hash of the timestamp, the client IP address, and a random secret. When the form submission is received, recreate the hash from the timestamp, the client IP address, and the secret, and validate that the hashes match – if they don’t, the submission has been tampered with or did not come from the same client.

Timestamp: Encrypt the current timestamp and hide it in the form – then, when a form post is received, decrypt it and check that the timestamp is valid, within a certain threshold of time into the past, and not in the future. The timestamp doesn’t even need to be encrypted if the “unique hash” (mentioned above) includes the timestamp, because any tampering with the timestamp would then fail the hash check.
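The three techniques combine naturally into a single hidden-field scheme. The following is an added example, not code from Wiliam or from the original post; it assumes Python, a server-side secret, a honeypot field named "website", and an HMAC (keyed hash) over the timestamp and client IP in place of a plain hash with the secret concatenated.

```python
import hmac
import hashlib
import time

SECRET = b"constructed-demo-secret"  # assumption: a secret held only on the server
MAX_AGE = 600  # seconds a form may stay open before the timestamp is considered stale


def make_token(ts, client_ip, secret=SECRET):
    """Hidden-field token: keyed hash over the timestamp and the client IP."""
    msg = f"{ts}:{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def render_hidden_fields(client_ip, now=None):
    """Values to embed in the form: timestamp, its token, and an empty honeypot."""
    ts = int(now if now is not None else time.time())
    return {"ts": str(ts), "token": make_token(ts, client_ip), "website": ""}


def validate_submission(form, client_ip, now=None, secret=SECRET):
    """Return (ok, reason) after the honeypot, unique-hash and timestamp checks."""
    now = int(now if now is not None else time.time())
    if form.get("website", ""):  # honeypot: a real user never fills this field
        return False, "honeypot filled"
    try:
        ts = int(form.get("ts", ""))
    except ValueError:
        return False, "bad timestamp"
    # Recreate the token from what the server knows; a replay from another IP
    # or an edited timestamp will not produce the same value.
    expected = make_token(ts, client_ip, secret)
    if not hmac.compare_digest(expected, form.get("token", "")):
        return False, "hash mismatch"
    if ts > now:
        return False, "timestamp in future"
    if now - ts > MAX_AGE:
        return False, "timestamp expired"
    return True, "ok"
```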

Given the quality of user experience our clients expect, it is understandable that the techniques mentioned above are sometimes the appropriate choice. For more information and further depth on this topic, check out Ned Batchelder’s page.