Preventing spam in Web forms without CAPTCHAs

CAPTCHA

Many Web masters turn to the well known CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) method without carefully considering the implications.

CAPTCHAs are visual challenges, defeating most spam bots but at the same time they can also defeat humans:

'Normal' users can have difficulty reading the text: There are many people with good vision who have reported an inability to read the text from the CAPTCHA images.
Accessibility is often ignored: Users with poor vision often rely on assistive technologies to read the screen for them. Giving them a visual challenge actively creates a barrier to them being able to use Web forms. There are audio alternatives to CAPTCHA images but these are often even harder to interpret than the images as the 'background noise' used to disguise the text from bots also confuses users.
Usability: Just because someone can translate a CAPTCHA image does not mean they are going to be willing to do so. The basic rule of the Web is to make your site as easy to use for your visitors as possible. CAPTCHA technology does not fulfil this requirement.

Using a challenge (such as a CAPTCHA) will not only prevent bots but they will also cause the number of genuine submissions of your form to drop.

Is CAPTCHA actually secure?

Most people looking at the CAPTCHA debate don't even consider: "does CAPTCHA deliver the level of security that you think it is?".

The simple answer is: no!

The longer CAPTCHA has been around, and the more popular it has become, the more hackers have focused on bypassing its security. See the case study in "further reading" at the end of this article.

Alternatives to CAPTCHA

You still need to prevent spam, but there is no need to place the work-load on your visitors.

Adding spam watching methods to your web form causes no additional work for your visitors but still cause spam bots headaches:

Watching for key-words or commonly 'injected' spam code
Including a visually hidden field that entices only bots to complete it
Validating form values to ensure they are what you expect to see.

All these need to be implemented with care so as not to cause 'false-positives' which label genuine submissions as spam, or cause any usability issues.

Whilst preventing suspected spam submissions you should always consider the occasional genuine visitor who will trigger one of your spam protection rules. Don't simply send them to a nasty error message - redirect them to a page that can help them resolve the issue. You do not want to alienate visitors after all.

Conclusion

Spam is a problem and it does need to be tackled, but forcing your visitors to jump through hoops is not the right way to tackle it.

Do not rule out CAPTCHA as a method. Whilst I have detailed problems with using this method, there are situations and scenarios where it is still valuable if implemented carefully.

Before you allow your webmaster to create any barriers on your website first consider the real business implications:

Does the solution cause any additional work for the user?
Is it accessible?
Does it trap too little/too much?
Is there a fail-safe should a genuine user trigger a spam trap?

Getting the balance between spam prevention and usability right is crucial: dealing with a little bit of spam makes far more commercial sense than losing genuine business!

At Simius Web we can help you to find the best spam prevention for your website, Why not give us a call today?

Preventing spam in Web forms without CAPTCHAs

Top articles

CAPTCHA

Is CAPTCHA actually secure?

Alternatives to CAPTCHA

Conclusion

Further reading