How to block spam on contact forms?

Over the past years, we’ve seen an increase in spam that our clients and we received. It’s known that having a form on your website is an open invitation for spam submission. Unfortunately, there is no one solution to fix all spam, but rather a combination of measures, each with their own pros and cons. We also need to be careful between walking the line of our convenience as well as our user convenience.

Today, we will take a look at different approaches to stop spam and how annoying they are for the end user.

reCAPTCHA v2

reCAPTHCA v2 is one of the most popular version of spam preventing. It eliminates the ugly and hardly readable text with a checkbox “I’m not a robot”. This was a leap in the right direction and all it required was one click from the user. It works by monitoring your activity and the IP address and if you are not suspicious, the form would just submit.

There are many times when you can be flag as a bot (as I personally often am, probably because of the number of users there are on my network or the user of a VPN), reCaptcha will display a small puzzle. Is a grid composed of single or multiple images where you have to select the requested pictures from a grid. This can take time from your users and if the API messes up you can end up in a never-ending loop of solving puzzles.

reCaptcha Puzzle Grid

reCAPTCHA v3

The new version of reCAPTCHA is completely invisible but behind the scene, it works very similar to reCAPTCHA v2. It gives the user a score, and if you pass the test you will not see anything and the form will submit. Based on this score, we take different actions, for example, show the user the grid puzzle or if the form is a login form, you can require the user to use 2-factor authentication.

Word & Math Quizzes

Word & math problems are a simpler version of reCAPTCHA. This method is quite easy to implement since the quiz never changes. If the answer provided is wrong, the form simply does not submit. While is not as used today, it can sometimes be effective. The challenge is to find a question that is not hard for the end user but harder for the bots to figure it out.

Word & Math Quizzes CAPTCHA

“Advancements in AI have all but guaranteed that bots would eventually find ways around CAPTCHA, leaving users with the same spam problem they would have without it.”

Gravity Forms

Honeypot – invisible input

The “Honeypot” method of spam filtering is one of the least intrusive ways and our favorite way of stopping spam. While is not as reliable as Google reCAPTCHA by itself, you can combine it with another method like reCAPTCHA v2 & v3 as well as math and word quizzes. for better support. The Honeypot method is used successfully by many forms and services like MailChimp.This method entails adding a field from the user and let the bot fill the input. Since the bot is able to see the input by parsing the HTML, it will be able to fill in the input. Now you can filter your submission by elimination the submissions that have this field filled out or better yet, stop the submission on the form completely.

The downside of this is that bots are becoming smarter and better every day. Another downside of this method is that has some accessibility issues, and before we implement this method, make sure is hidden from regular users, well labeled for users with accessibility needs and that bots are able to read it.

Takeaway

Unfortunately, we cannot eliminate 100% of the spam, and not all the spam is made by bots. Some are real humans, paid to bypass the spam blockers. The key to combating spam is to find a good balance between eliminating spam and not frustrating your end users.