An alternative to irritating CAPTCHAs

by Jean du Plessis

We have all been faced with the sometimes daunting task of having to guess what those little numbers/letters are at the bottom of the form, that will classify you as a human being. Some people seem to be less human than others, since they either have trouble understanding the concept of what to do, or have trouble reading it.

So that leaves us with the question:

"What can we do to make it easier/less annoying for the visitor to fill in our forms and at the same time prevent our inbox (or comments box) from being filled with those nasty spam messages."

After reading Darren's post on CAPTCHAs, I decided to write about a method that we here at Quirk have been evaluating and will now, with the publishing of this post, be implementing on GottaQuirk, to determine if we can do away with the need for a CAPTCHA.

First, I have to give credit to an article that appeared at Internet Storm Center, from where this solution was born. Our solution is based on checking two things that do not require any human input:

Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in
Work out the time that it took for the form to be submitted

Here is how you can implement the two checks:

1. Get a spambot to fill in a field in the form that is not visible to a human and do a check to see whether that field was filled in

Add a text input field to your form and give it a name that makes sense, like "subject" or "telephone", or any other name, as long as it does not already occur in the form.
Then with some CSS hide the table row or div that the input field is in by using the "display:none;" style.
Lastly add some code that checks that the hidden field was not filled in.

Some things to keep in mind:

If this is an existing form that has already been spammed then you will want to change the form's action to something new. The reason for this being that spambots tend to cache your form and by changing the action name you force them to at least re-cache the modified form with the hidden field.
The code that checks whether the hidden field has been filled in cannot be a client side script like some javascript function as spambots will hit the form's action url with the parameters directly.
Also, if for some reason the visitor's browser ignores the CSS that hides the field, add a message in the form that explains that the field should not be filled in and that it is used for spambot detection. Of course make sure that this message is in the table row or div that you hide.
Don't just ignore the form submission if it is submitted with the hidden field filled in. Rather return to the form with an error message that explains that the form field should not be filled in.

2. Work out the time that it took for the form to be submitted

In your form, add a hidden variable and set its value to the time stamp of when the form was loaded. This is easy to achieve with PHP or Java.
Then, once the form has been submitted, get a new time stamp value and compare the two values.
If the new value is less than say about 5 seconds (or how ever long you estimate it will take a human to fill in your form, remembering that spambots will do it almost instantaneously) then you can return to the form with a error message stating that the form was submitted in too short a time period.

We have used these two methods separately with great success in each case. Together, they should keep you ahead of those spambots for just a while longer...till they get more advanced.

There probably are some shortcomings with these methods, and I don't for one moment try to say that they are 100% spam proof - especially if the spammer is not a bot but a human that actually goes to your page and submits the form, but this should keep you ahead of those spammers for a while and keep your inbox or your blog clean of "Cheap Viagra" specials.

If anyone has any suggestions that might improve these methods, please feel free to share them. Who knows, maybe we can someday come up with a complete solution that will rid us of these spam messages for good.

2006/12/07 | permalink | comments (7) | trackbacks (0)

Comments

post a comment

It seems like a great idea. My only concern is that if the stylesheet doesn't load properly, or has been disabled, then a user would fill in the first, hidden field. The plus side is that this method seems a lot more accessable than normal captchas, as they no longer rely on vision for the visitor to prove their 'human-ness'

Posted by andrew on 2006/12/07

Great post Jean! I have to agree with Andrew though, false positives worry me too. Perhaps we could send suspected bots to a captcha? That way if they really are just an incredibly fast human with disabled stylesheets then they can still get through.

Posted by Rob on 2006/12/07

@andrew - They would still have to fill in field clearly marked "Do not fill in".

Posted by Craig on 2006/12/07

@andrew, @rob - regarding the style sheet question - I didn't put the rule in a style sheet but actually used an inline-style so the problem of a style sheet not loading is eliminated. And if a visitor somehow submits the form in less than 5 seconds it does give him a warning and asks him to slow down a bit

Posted by Jean on 2006/12/07

It's easy enough to create a bot that reads inline styles and ignores hidden fields. Once that happened you'd be writing obfuscated css to hide the field trying to confuse the bot. Also, putting the form creation time in another hidden field just invites posting the form with that time changed! If you want to store the form creation time you are going to need to store it in the server-side session. If you are going to have a minimum time before the form can be entered, why not show a little JS countdown? I will admit if I saw that on a form I would find it a bit odd. I second the idea of sending suspected bots to a captcha. Users are already used to captcha's, so only being required to use one in special circumstances is not too burdensome. In the end, there's not going to be any future-proof way of preventing bots. This battle against spam bots is the ultimate Turing test.

Posted by Gavin on 2006/12/07

The only problem with the comment above is that it uses non-broken English with punctuation marks. Haven't seen a spambot do that before ;-)

Posted by Jean on 2006/12/08

Sheesh, you had me at hello. Not being a script kiddi, could you do this rather... http://sethgodin.typepad.com/seths_blog/2006/12/commercializing.html then use the data recieved to sell to companys as a measure of their brand awareness on the net. You will have the demographic etc huh? hows dem apples!

Posted by Smith on 2006/12/08

Visit our Website

Post feed
Comment feed

RSS to Email

Get our latest blog posts delivered straight to your inbox.

eMarketing News

Subscribe to our fortnightly newsletter which is packed with interesting eMarketing news, views and other quirky titbits.

January

S	M	T	W	T	F	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

« Dec

Feb »

Recent Comments

Kat on Engaging as a Company

I agree with you. There are some things that should ideally not be discussed by an employee in the public sphere.
Would a communications policy have stopped the said journo from speaking out? He/she must have known a huge risk was being taken? I suppose it's also an incredibly difficult thing to predict. The lack of control can be alarming.
I'm definitely interested in seeing a more specific list, so if you find it do share.
Thank you for your comments :). Here's hoping there's a good coffee shop close to you..
vincent on Engaging as a Company

I guess the mark of a well crafted brand starts at HR policy for new recruits - ensuring that they fit the brand's/corporate's persona. So in that sense yes you could argue that left to their own devices employees would, regardless of an online communications policy, communicate in a style the sponsor would approve of. Not sure if that's always the case but I'm inclined to agree with this generalization.
I think what is also important is that the individual writing within the bounds of a sponsor's site does so in a restricted locale. You can police your own domain if you're a corporate, you can't necessarily control the individuals mouth outside of it. For instance on twitter, personal blogs and forums. Owing to the nature of niche stardom you could argue that the employee comes to represent the brand, more so than that personifies the brand in organic conversation with consumers and would carry significant weight both within corporate sites and externally. Making some individuals very wary to write for their companies at all.
For instance in our not too distant past a prominent journo got the boot for publishing his gripes with his employers and their professional ability - he was promptly fired...He would no doubt have been policed on a company blog but owing to the fact that he chose to represent the company elsewhere he took his brand and the papers brand with him - dragging both through the mud as traipsed on towards epic-failuredom...
So to come back to a point, there is definitely a sense that the policies as listed above are quite ambiguous. Even you yourself suggest that requisite legalese is absent, and I have to assume that such legalese would include a fairly long list of do's and dont's. I have a list somewhere laying about which dictates in a very bland corporate fashion how to represent the brand in public - if I find it I will share it with you.
Perhaps its worthwhile to enforce points like "don't tell secrets" and my own favourite, "for the love of god don't gripe about the boss who you've publicly named online"...
That's my mental-riff for the day, I'm afraid I veered rather uncharitably off course but such is the nature of thought.
Now if only the company I worked for had some decent coffee!!
Kat on Engaging as a Company

Transparency is a key issue - as is allowing people to carve their own niche.
My thinking is that people engage with a personality - an individual personality - in conversation more than with a collective. It's just easier. A company personality surely reflects the people who work there as well as a crafted (constructed?) image that the stakeholders choose to present. While you want engagement it's not the same as speaking to an individual.
There are definite risks involved - but I would lean towards allowing people to carve a niche.
vincent on Engaging as a Company

Couldn't have said it better. Nice post, it is most certainly something corporates are going to struggle with. How much transparency is too much? Who should be allowed to represent a brand and to what extent should the individual be given the opportunity to carve their own niche rather than extol the virtues of the mother - brand?
Who knows. We shall soon see as this year pans out and we find out how the big media players tackle the rise of the cost effective digital media channel.
Kat on Engaging as a Company

It is a tough issue, and I can understand why you've never published. I would encourage you to do so though - you probably have a feeling for when your writing reflects your voice and when it doesn't - and the rewards are worth it.
Thanks for reading Wendy. :)

More photos of the QuirkStars At Play

Name:
Friends of Quirk
Websites:
www.quirk.biz

Skribit: Social Suggestions

Name:
E-mail:
Url:
Comments:
Markup guide: makes text bold // makes text italic // -- creates a link -- (two dashes, no http://)
Remember personal info?
Notify me of follow-up comments?
SPAMCHECK:
Captcha:

An alternative to irritating CAPTCHAs

by Jean du Plessis

Comments

Subscribe

RSS to Email

eMarketing News

January

Archives

Categories

Recent Posts

Recent Comments