Blocking Spambots

How to filter out spam submitted through website forms by spambots

Probably the most commonly known method of blocking spambots is with a CAPTCHA. You know those annoying form fields with a picture of random letters and numbers that you have to try to read and retype? Yeah, those. Those are CAPTCHAs. Well, robots can’t fill those fields in, because they can’t read the images. So CAPTCHAs stop spambots very well, hence their frequent appearance in forms all over the internet.

CAPTCHAs are fun… Not!

Although CAPTCHAs are very effective in blocking spam, nobody likes them. Not everyone understands what the added step is for and it often discourages people from filling out the form altogether. Fortunately, there are other solutions.

The Honeypot method

(because robots like honey too)

In quite the reverse fashion, the honeypot gives the extra work to the spambot. A honeypot is a field in a form which robots see and humans don’t. If the field is filled in, then the form will not submit. A honeypot can be a field for anything, but in theory the most effective field would be a URL. “What’s your web address, Spambo?” Spambots like to provide URLs. So they fill this field in, but the field isn’t displayed on the screen, so people leave it blank. This solution works behind the scenes, allowing the user to have a far more sound experience.

Screen readers and the blind

A small percentage of our visitors (yet no less important) are those who can’t see. Here we have humans relying on robots (screen readers) to aid them in navigating through your website. Screen readers can’t read images any better than spambots, so a CAPTCHA that only provides an image for a clue not only trumps the spambot, but our visually-impaired humanoid friends as well. That’s why some CAPTCHAs provide an audio option (an often scratchy recording of letters, numbers and/or words). Not exactly thrilling for the blind either.

What about the honeypot method?

If you guessed that the blind will inevitably stumble upon the honeypot field, you get a bright glowing star. Screen readers see the honeypot field just as spambots do. That’s why the honeypot field should always include a hidden message that says, “Leave this field blank,” “This field is for robots only,” or something of that nature. Of course, spambots can read this message just the same as screen readers can, but they don’t know what it means. So this solution works for the blind too; they just have to read the message and ignore the honeypot field. That’s better than giving them a shoddy recording and making them give it back to you.
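The honeypot field and its screen-reader message described above, as an added example that is not code from the original post: form markup with an off-screen URL field plus the server-side check that rejects a filled-in trap. The field name `website`, the `/contact` action, the function name and the sample request bodies are assumptions made for illustration, and rejecting a request that omits the trap field entirely is a stricter choice than the article describes.

```javascript
// Added example: honeypot field plus server-side check (all names are assumptions).
const HONEYPOT_FIELD = "website"; // hypothetical name; URL-like fields attract bots

// Form markup: the trap is moved off-screen with CSS rather than removed, so
// screen readers still reach it and read out the instruction in its label.
const FORM_HTML = `
<form method="post" action="/contact">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div style="position:absolute; left:-9999px;">
    <label for="hp">Leave this field blank (it is for robots only)</label>
    <input id="hp" type="text" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>`;

// Classify a raw application/x-www-form-urlencoded request body.
function checkSubmission(rawBody) {
  const fields = new URLSearchParams(rawBody);
  const trap = fields.get(HONEYPOT_FIELD);
  if (trap === null) {
    // Browsers submit empty text inputs, so a missing trap field means the
    // request was not produced by the rendered form (stricter than the article).
    return { accept: false, reason: "honeypot-missing" };
  }
  if (trap.trim() !== "") {
    // Something typed into a field that humans never see.
    return { accept: false, reason: "honeypot-filled" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample request bodies.
const SAMPLES = {
  human: "email=ana%40example.org&message=Hello&website=",
  bot: "email=x%40example.net&message=Buy+now&website=http%3A%2F%2Fspam.example",
  scripted: "email=x%40example.net&message=Buy+now",
};

for (const [who, body] of Object.entries(SAMPLES)) {
  console.log(who, checkSubmission(body));
}
```

The check has to run on the server, because a bot that posts directly to the form handler never executes any client-side script.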

More spam prevention methods

There are other spam blocking solutions, some of them very similar to CAPTCHAs, but using other visual techniques to make users prove they are not robots. These generally have the same pros and cons as traditional CAPTCHAs.

One can also run form submissions through a spam detection service such as Akismet. Spam detection services check the email address submitted with the form against a blacklist. Then they allow the submission to pass only if the email address is not found in the list. This is a good idea for additional spam prevention, but probably shouldn’t be the only line of defense. I consider the honeypot plus a spam detection service to be the best combination.

Surely there are yet more solutions out there, but after finding the amazing honeypot solution, I stopped searching. So I’ll leave the rest for other bloggers to write about.

What about the evolution of spambots?

Yes, spambots can evolve… but why would they? There are so many websites on the internet (and new ones each day) and enough of them unprotected or poorly protected. There isn’t any need for spammers to invest in more advanced spambots that can outsmart the tricks we pull on them to protect our inboxes and email addresses. It’s more worthwhile for spammers to have their robots continue digging up new websites to attack. Perhaps someday, such advancements will be developed in the realm of spamming… like when all cars fly.