Everyone who has a web form (e.g. Contact Us, Comment, Request an Appointment, etc.) on their website has to deal with the spam submissions problem. The never-ending flow of spam into your inbox is an issue that can be dealt with through different methods, each having their pros and cons. Spammers operate their “business” using computers, called “bots,” which, after finding a web form, perform thousands of submissions to “advertise” their products. These usually include such dubious wares as Viagra and other drugs, all without a prescription, sweepstakes entries for millions of dollars, college degrees in less than a week, or access to the bank account of a Nigerian prince. So how do you stop this annoying spam from ever hitting your inbox?
- CAPTCHA is an image containing text that the user must read and input to unlock the web form submission. It prevents spam submissions because bots have a hard time understanding the fuzzy image. Our brains, on the other hand, are optimized for pattern recognition and it comes naturally to us. This method is usually very effective at filtering spam, however the cons might outweigh the pros. CAPTCHA can be difficult to install and sometimes the images are too distorted even for our brains. This can lead to user frustration and fewer form submissions.
- The CSS method is also very popular and easy to do. When setting up the form, we can add dummy fields that are invisible to anyone viewing the page. Bots usually don’t analyze the whole page and the underlying code; rather, they usually only focus on the form itself. Not realizing that the fields are invisible, they input values into them. This exposes the bots for what they are and filters out their submissions. The pros for this method are its easy implementation and effectiveness. The cons are minimal, just some extra HTML coding work, but overall the method ranks high and is a good return-on-investment spam fighter.
- Submission time length might well be the easiest method to implement. The mechanism of this spam stoppage method is very simple. When a web form is opened, we timestamp it. We then compare this time to the time that the form was actually submitted. Say for example that it takes at least 15 seconds to fill out the fields and submit the form. If the difference is less than that, we can filter out the submission because it must be a bot. Sometimes, there is no opening timestamp at all because the bots don’t even open the form and instead just do a straight data submission. We can also place a constraint on how long it might take to submit the form. If the difference is in thousands of seconds, it might be a bot too as it’s hard to explain why it would take days to submit a form, unless the form consists of hundreds of fields and someone fell asleep half way through.
There are many other methods and/or combinations of the aforementioned ones. Some of these other methods might pose a quite a challenge to implement. Before heading into the deeper water, look at methods 2 and 3. If these don’t fix your spam problems, try implementing method 1. Generally, if your website is not receiving a ton of traffic, one of these simple solutions should be enough to work. Sites receiving more traffic and the attention of hackers will usually have to try more complicated implementations. Hackers will customize their code for busier sites to expose any loopholes. Regular sites are hit with generic code that targets millions of sites. This generic code is optimized to do the most submissions in the least amount of time, therefore those attacks are easily stopped.