6 Modern Solutions to Protect Web Forms from Spam

6 Solutions You Can Use to Protect Your Web Forms from Spam

Spam Avalanche
Image courtesy Tim Robberts / Stone / Getty Images

If you have any web forms that collect information from your customers, you are probably very aware of spam. Spam is a huge problem even on forms that do nothing that could conceivably benefit the spammer. Spammers use web forms to promote their own businesses and sites, and they use them for more malicious purposes as well. Blocking spammers from your web forms saves you the time of sorting real submissions from junk and keeps your website's comment section from looking shabby.

To protect your web forms you need to make it difficult or impossible for an automated tool to fill in or submit the form, while keeping it as easy as possible for your customers. This is a balancing act: make the form too hard to fill out and your customers will not bother, make it too easy and you will get more spam than real submissions.

Methods to Protect Your Forms

There are a number of ways you can protect your web forms, including:

  • Add fields that only spam bots can see and fill in.
  • Use a CAPTCHA.
  • Use a human-friendly bot-unfriendly test question.
  • Use session tokens that are applied at the site level and required by the form.
  • Record data from the form submissions like IP address and use that to block spammers.
  • Use a tool like Akismet to scan and delete spam submissions.

Add fields that only spam bots can see and fill in. This method (often called a honeypot field) relies on CSS, JavaScript or both to hide a form field from customers using a normal browser, while leaving it visible to robots, which read the raw HTML and neither apply the stylesheet nor run the script.

Any submission in which that field has been filled in can then be treated as spam and discarded by your form action script. For example, you could have the following HTML, CSS, and JavaScript:

<html>
  <head>
    <meta charset=utf-8>
    <title>Simple Form</title>
    <link href=styles.css rel=stylesheet>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
  </head>
  <body>
    <form method=post>
      <!-- the real field; without a name attribute the browser never submits it -->
      <label id=email1>Email address: <input id=email name=email></label>
      <!-- the honeypot: hidden by CSS and JS below, and kept out of the tab order,
           browser autofill and screen readers so a real customer never touches it -->
      <label id=email2 aria-hidden=true>Email: <input id=email_add name=email_add autocomplete=off tabindex=-1></label>
      <input type=submit value=submit>
    </form>
    <script src=script.js></script>
  </body>
</html>

CSS in styles.css file

/* hide the honeypot label and its input from anyone rendering the page */
#email2 { display: none; }

JavaScript in script.js file

$(document).ready(
  function() {
    // hide it again from script, so the field stays hidden even if the
    // stylesheet fails to load; a bot that ignores JS still sees the field
    $('#email2').hide();
  }
);

A spam robot parses the HTML, finds two email fields and fills in both, because it never applies the CSS or runs the JavaScript that hides the second one from real customers. When you process the results, any submission with a value in the email_add field is spam and can be deleted. Two details keep this from rejecting real customers: give the honeypot input a name attribute (a field without one is never submitted, so there would be nothing to check), and set autocomplete=off on it, because browser autofill can otherwise populate a field the customer cannot see.

This method works well against less sophisticated spam bots, but many are getting smarter and now read CSS and run JavaScript. Using both CSS and JavaScript helps, but will not stop all the spam. It is a good method if you aren't terribly worried about spam but would like to make things slightly harder for the bots, because your customers won't notice it at all.
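As an added example (not code from the article), here is the server-side half of the honeypot rule, written in Python for illustration: the field names email and email_add are the article's, the submissions are constructed sample input shaped like a PHP $_POST array, and the two rules it applies (a filled honeypot is spam, a missing honeypot means the poster never loaded the form) are the checks a form action script would make.

```python
# Added example, not part of the original article. Field names come from the
# article's form; the sample submissions below are constructed.

def classify_honeypot(fields: dict, honeypot: str = "email_add") -> tuple:
    """Return (is_spam, reason) for one submitted form.

    A real browser always sends the hidden text input, with an empty value,
    because the input has a name attribute. That gives two spam signals:
      1. the honeypot carries a value: a bot filled in every input it saw
      2. the honeypot is absent: the poster never loaded the form page and
         POSTed straight to the action script with the fields it knows about
    Whitespace-only values count as empty so a stray space does not reject
    a real customer.
    """
    if honeypot not in fields:
        return True, "honeypot field absent: form was not submitted through the page"
    if fields[honeypot].strip():
        return True, "honeypot field filled in"
    return False, "ok"


# Constructed sample submissions, as the action script would receive them.
SAMPLE_SUBMISSIONS = [
    {"email": "alice@example.com", "email_add": ""},               # real customer
    {"email": "bob@example.com", "email_add": "bob@example.com"},  # bot filled both
    {"email": "eve@example.com"},                                   # direct POST to script
    {"email": "carol@example.com", "email_add": "   "},             # stray whitespace
]


def filter_submissions(submissions) -> tuple:
    """Split submissions into (kept email addresses, rejected (email, reason) pairs)."""
    kept, rejected = [], []
    for sub in submissions:
        spam, reason = classify_honeypot(sub)
        if spam:
            rejected.append((sub.get("email", "?"), reason))
        else:
            kept.append(sub["email"])
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = filter_submissions(SAMPLE_SUBMISSIONS)
    print("kept:", kept)
    for email, reason in rejected:
        print("rejected:", email, "-", reason)
```

Log the reason rather than silently dropping the submission; a sudden rise in "honeypot field absent" rejections tells you bots are hitting the action script directly, which is the case the last section of this article deals with.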

Use a CAPTCHA. A CAPTCHA is a challenge designed to stop spam bots from submitting your forms while letting humans (for the most part) through. You can get a free CAPTCHA solution from reCAPTCHA.

CAPTCHAs can be effective at blocking spam. Some CAPTCHA systems have been broken, but a CAPTCHA is still an effective block. The problem with CAPTCHAs is that they can be very difficult for people to read. reCAPTCHA includes an audio challenge for blind and low-vision users, but many people don't realize they can listen to something and get through.

This method works well for important forms you want to protect, like registration forms. But avoid putting a CAPTCHA on every form on your site, as that will deter customers from using them.

Use a human-friendly, bot-unfriendly test question. The idea is to ask a question that any human can answer but a robot would have no idea how to fill in, and then filter the submissions for the correct answer. These questions are often a simple math problem such as "what is 1+5?". For example, here is the HTML for a form with a question like this:

<form method=post>
  Email address: <input id=email name=email><br>
  A zebra is black and <input id=stripes name=stripes autocomplete=off><br>
  <input type=submit>
</form>

Then, if the value submitted for stripes is not "white" (compare case-insensitively and ignore surrounding whitespace, or you will reject a customer who typed "White "), you know it's a spam bot and you can delete the results.

This method works great as long as you ask a question that all your customers will know the answer to.

But if you ask a question that, for whatever reason, your customers don't understand, you will block their access to the form. Keep in mind, too, that a single fixed question only has to be solved once: a spammer who targets your site specifically can put "white" into their bot, so it is worth rotating through several questions.
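As an added example (not code from the article), here is the server-side check for a test question, written in Python for illustration. It goes a little beyond the single fixed question in the text: a small bank of questions is kept on the server, the page sends a question id in a hidden field, and the answer is normalized before comparison so "White ", "WHITE" and "white." all pass. The question bank, the hidden field name qid and the sample submissions are assumptions; the zebra question and the stripes field are the article's.

```python
# Added example, not part of the original article. QUESTIONS, the hidden
# field "qid" and the sample submissions are assumptions for illustration.
import unicodedata

# id -> (text shown to the customer, set of accepted answers in normalized form)
QUESTIONS = {
    "q1": ("A zebra is black and ...", {"white"}),
    "q2": ("What is 1+5?", {"6", "six"}),
    "q3": ("What colour is the sky on a clear day?", {"blue"}),
}


def normalize(answer: str) -> str:
    """Fold accents to ASCII, drop surrounding whitespace and trailing
    punctuation, and lower-case, so trivial variations are accepted."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return folded.strip().lower().rstrip(".!")


def check_answer(fields: dict, question_field: str = "qid",
                 answer_field: str = "stripes") -> tuple:
    """Return (accepted, reason) for one submission.

    The hidden question id tells the server which answer to expect. A bot
    that POSTs without it, or with an id that is not in the bank, is
    rejected before its answer is even looked at.
    """
    qid = fields.get(question_field)
    if qid not in QUESTIONS:
        return False, "missing or unknown question id"
    given = normalize(fields.get(answer_field, ""))
    if not given:
        return False, "no answer given"
    if given in QUESTIONS[qid][1]:
        return True, "ok"
    return False, "wrong answer"


def render_question(qid: str) -> str:
    """HTML fragment for one question, modelled on the article's form, with
    the question id carried in a hidden field (an assumed layout)."""
    text = QUESTIONS[qid][0]
    return (f"{text} <input name=stripes autocomplete=off><br>\n"
            f"<input type=hidden name=qid value={qid}>")


if __name__ == "__main__":
    # constructed sample submissions
    for sub in ({"qid": "q1", "stripes": "White "},
                {"qid": "q2", "stripes": "Six"},
                {"qid": "q2", "stripes": "7"},
                {"stripes": "white"}):
        print(sub, "->", check_answer(sub))
```

Pick the question id at random when you render the page. The bot still sees the question text, but it now has to understand a different question on every visit rather than replaying one memorized answer.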

Use session tokens that are applied at the site level and required by the form. This method uses cookies to set a session token when a customer visits the website. It is an excellent deterrent for spam bots because most of them do not accept or return cookies. In fact, most spam bots arrive directly at the form, so if the form page itself does not set the cookie and the form action script requires it, only people who visited the rest of the site can submit the form. Of course, this could block people who bookmarked the form.
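As an added example (not code from the article), here is one way to implement that token, written in Python for illustration. The site's regular pages issue a signed token in a cookie; the form page writes the same value into a hidden field; the form action script accepts a POST only when the cookie is present, its signature and age check out, and the hidden field matches it. The cookie name site_token, the HMAC construction, the secret key and the one-hour lifetime are all assumptions.

```python
# Added example, not part of the original article. The cookie/field name
# "site_token", SECRET_KEY, TOKEN_TTL and the token format are assumptions.
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"assumed-server-side-secret-change-me"  # never sent to the browser
TOKEN_TTL = 60 * 60  # seconds a token stays valid; an assumed choice


def issue_token(now=None) -> str:
    """Called by the site's ordinary pages (not the form page) when they set
    the cookie. Format: nonce.issued_at.hmac, so it verifies statelessly."""
    now = int(time.time() if now is None else now)
    body = f"{secrets.token_hex(8)}.{now}"
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None) -> tuple:
    """Return (valid, reason); signature is checked before the timestamp is trusted."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, sig = token.split(".")
        issued = int(issued)
    except (ValueError, AttributeError):
        return False, "malformed token"
    expected = hmac.new(SECRET_KEY, f"{nonce}.{issued}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if now - issued > TOKEN_TTL or issued > now + 60:
        return False, "expired"
    return True, "ok"


def accept_form_post(cookies: dict, fields: dict, now=None) -> tuple:
    """The form action script's gate. Requires a valid site cookie AND the
    same token echoed in the hidden field the form page wrote out. A bot
    that POSTs straight to the script has neither; a bot that fetched only
    the form page still lacks the cookie, because the form page does not
    set it."""
    cookie = cookies.get("site_token")
    if cookie is None:
        return False, "no session cookie: poster never visited the site"
    ok, reason = verify_token(cookie, now)
    if not ok:
        return False, reason
    echoed = fields.get("site_token", "")
    if not hmac.compare_digest(echoed.encode(), cookie.encode()):
        return False, "hidden field does not match cookie"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token()
    print("issued:", token)
    print("browser with cookie:", accept_form_post({"site_token": token},
                                                   {"email": "a@example.com", "site_token": token}))
    print("direct POST, no cookie:", accept_form_post({}, {"email": "a@example.com"}))
```

Set the cookie with the HttpOnly and Secure flags, and choose TOKEN_TTL with the bookmarking caveat in mind: a customer who opens the form and comes back to it after the token has expired is rejected just like a bot, so show them a clear "please reload the page" message rather than a silent failure.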

Record data from the form submissions, like the IP address, and use it to block spammers. This method is less of a front-line defense and more of a way to block spammers after the fact. By recording the IP address with each submission, you can detect patterns of use. If you receive 10 submissions from the same IP in a very short period of time, that IP is almost certainly a bot. Bear in mind that many customers behind one office or carrier NAT share an address, so block for a limited time rather than forever.

Read the address on the server, with PHP or ASP.NET, at the moment you process the submission. Do not write it into the page and have the form post it back as a hidden field: anything the browser submits can be edited, and a spammer will simply post someone else's address.

PHP:

// the address of the TCP peer that delivered the request
$ip = $_SERVER['REMOTE_ADDR'];

ASP.NET (in the page's code-behind):

string ip = Request.UserHostAddress;

This method works well if you don't get a lot of continuous spam but instead get periodic bursts of activity, such as on a sign-in form. When you see the same address trying to get into your protected areas over and over, knowing the IP so you can block it is strong protection. One caveat: if your site sits behind a load balancer, CDN or reverse proxy, REMOTE_ADDR is the proxy's address, and the real client address arrives in a header such as X-Forwarded-For, which you should only trust when the request really did come from your own proxy.
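As an added example (not code from the article), here is the after-the-fact rule from this section run over a constructed submission log, written in Python for illustration: a sliding-window counter blocks any address that sends more than 10 submissions in five minutes, and a small helper decides which address to count, taking X-Forwarded-For only when REMOTE_ADDR is one of your own proxies. The proxy range 10.0.0.0/8, the window, the limit and the log entries are all assumptions.

```python
# Added example, not part of the original article. TRUSTED_PROXIES, the
# window/limit values and SAMPLE_LOG are assumptions for illustration.
import ipaddress
from collections import defaultdict, deque

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed reverse-proxy range
WINDOW_SECONDS = 300
MAX_PER_WINDOW = 10


def client_ip(remote_addr: str, x_forwarded_for=None) -> str:
    """Choose the address to count. REMOTE_ADDR is the real TCP peer.
    X-Forwarded-For is supplied by whoever sent the request, so it is only
    believed when the peer is one of our own proxies; the rightmost entry is
    then the client our proxy actually talked to."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


class SubmissionLimiter:
    """Sliding window: more than `limit` submissions from one address within
    `window` seconds marks the address as blocked."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = set()

    def record(self, ip: str, ts: float) -> bool:
        """Record one submission; return True if it should be accepted."""
        if ip in self.blocked:
            return False
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget hits outside the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(ip)
            return False
        return True


# Constructed sample log: (unix time, REMOTE_ADDR, X-Forwarded-For or None)
SAMPLE_LOG = (
    [(1000 + i, "10.0.0.5", "203.0.113.9") for i in range(11)]  # burst via our proxy
    + [(1005, "198.51.100.7", "203.0.113.9")]   # forged XFF from an untrusted peer
    + [(1000, "192.0.2.4", None), (2000, "192.0.2.4", None)]  # normal customer
)


def replay(records, limiter=None) -> tuple:
    """Run a log through the limiter; return (accepted count, sorted blocked IPs)."""
    limiter = limiter or SubmissionLimiter()
    accepted = 0
    for ts, remote, xff in records:
        if limiter.record(client_ip(remote, xff), ts):
            accepted += 1
    return accepted, sorted(limiter.blocked)


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

Note what happens to the forged entry: because 198.51.100.7 is not a trusted proxy its X-Forwarded-For value is ignored, so it cannot get an innocent customer's address blocked and cannot hide its own. Expire entries in blocked after a while in production, for the shared-address reason given above.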

Use a tool like Akismet to scan and delete spam submissions. Akismet was built to help bloggers block comment spam, but paid plans let you use it to block spam on other forms as well.

This method is very popular among bloggers because it is so easy to use: you get an Akismet API key and set up the plugin.

The Best Spam Management Strategy Uses a Combination of Methods

Spammers are getting more and more creative in their ways of getting around spam blocking tools. They have more sophisticated spam bot programs, and some even employ low-paid people to post their spam messages directly.

No one solution is going to catch every type of spam. So using multiple methods can help.

But remember, don't use multiple methods that the customer can see. For example, don't use both a CAPTCHA and a human-answerable question on the same form. This will annoy some customers and will lose you legitimate submissions.

Specific Tools for Fighting Comment Spam

One of the most common places people see spam is in comments, often because they use a standard blogging package like WordPress. If you host WordPress yourself, there are a few things you can do to fight comment spam specifically, and they work for any blogging system whose files you have access to:

  • Don't use standard URLs for forms.
    Most comment spam is automated: the bots go out to WordPress and other blog sites and attack the form directly. This is why you will sometimes see comment spam even if you have removed comments from your template. If the comment file (usually called comments.php) exists on your site at its standard location, spammers can and will use it to post spam comments to your blog. Renaming the file blocks these automated spam bots; just remember that a software update can put the standard file back, so check again after updating.
  • Move your form pages periodically.
    Even if you're not using a standard file name for your comments or form fields, spammers can find them if they are linked on your site, and there are spam businesses whose whole product is lists of URLs to forms where spammers can post. I have a couple of form pages that have not been active in over five years that still get periodic hits by spammers. They get a 404 and I see that in my stats, so I know I shouldn't use that page again.
  • Change the name of your form action scripts periodically.
    Just like the form pages, you should periodically rename any script you point to in the action attribute of your forms. Many spammers post directly to these scripts, bypassing the form completely, so even if you move your form page they can still submit their spam. Moving the script sends them to a 404 error page instead. And just like the previous suggestion, I have scripts that have been deleted from my server for years that spammers still try to hit.

Spammers are really annoying, and as long as the cost of sending spam stays so much lower than the return, there will always be spammers. The arms race between protection tools and spam bots will continue to escalate. But with a combination of the tools listed here, you should have a strategy that lasts a few years.