Help with captcha forms, nothing works(!)

[WebDesignBob]

Not yet found a captcha form ("enter the code in the box") which actually does a good job of preventing bots from sending spam through contact forms.

Has anyone got any tried and tested recommendations to make, with a link perhaps?

Its as frustrating for me, as it is for my clients.
Thanks chaps.

 

[jacobc]

Hi,

Have you looked at: http://www.google.com/recaptcha

Regards,

Jacob

 

[DanSoftBridge]

What do you mean doesn't do a good job? Have you suffered posts from bots?

 

[WebDesignBob]

Hi,

Have you looked at: http://www.google.com/recaptcha

Regards,

Jacob

Yes. Amongst others. My developers have set this up on a number of sites, one of which I monitor, it lets in tonnes of crap.

I wonder whether a custom made 2-question (multiple choice) drop down set of questions, would help.

My theory is that popular captcha systems like recaptcha have had sufficient attention from spammers, that their lettering is well enough known to be bypassed with scripts, whereas a custom captcha form may be (little known, and) infallible. Opinions, anyone?

 

[Peter Bowen]

Here is a solution I use: http://www.pete-bowen.com/the-inner-geek/preventing-bot-spam-without-using-captcha/

It's been working for the last few years. I expect at some stage that will change if enough spammers read this post or my writeup .

 

[JulieMcNamee]

There's a nice one called Are You a Human where your visitor plays a very simple game. Great alternative.

 

[FIZIX Agency]

I wouldn't recommend games and things, they might work but they just get in the way of users.

I would also be wary of using hidden fields that bots get caught up in, honeypots like that do work but they can pose an accessibility issue where screen readers are concerned.


I would recommend a honeypot, but in a more obscure way that can't interfere with users. On our agency site we have had a timer mechanism that's so short a normal user will not get caught up in it, but long enough that a bot will.

Store the page load time, if the submit is less than x seconds later; take some kind of action. Such as sending the email to a "possible junk" account, denying the message entirely or showing a screen where the user verifies they are human with some kind of question and answer.

Note: A bot will submit a form very quickly, faster than a legitimate human ever will. We log every attempt and on average bots are < 2 seconds to submit and nobody has got caught up in the trap. Well there are a few obvious human attempts to trip the mechanism after I've discussed it online

 

[fisicx]

A simple maths question will clear out 99% of the junk.

Another useful trick is to have a hidden field with a radio field question such as 'are you male or female'. The bots will often make a selection. When you validate the form is there is an answer in either box just junk it.

 

[lynxus]

The way I do it is through a custom made one.

Example here : http://www.imsupporting.com/register_action_mainpage.php

It is simply a static image made so bots cant read it. On the next page it statically checks someone entered the correct value.

As it never changes there is no need for complicated code. However it works wonders because its CUSTOM and bots are not designed to understand it.

I find it works 100% and is so simple.

 

[Peter Bowen]

There are some great solutions here thanks. I might add a few of these ideas to mine if it ever attracts enough attention to cause someone to program around it. Defense in depth is a good thing.

I think the important thing to remember is that getting a 100% solution is going to take a lot more work than getting a 99% solution. Finding something that stops every single bot, is friendly to every single screen reader and works on the 0.00001% of the internet who use a custom build of Opera v0.95 on the second Blackberry ever made is just not worth it. Any of these solutions is quick to implement, gets out of the way and will stop enough of the spam to make it worthwhile.

 

[FIZIX Agency]

A simple maths question will clear out 99% of the junk.

Another useful trick is to have a hidden field with a radio field question such as 'are you male or female'. The bots will often make a selection. When you validate the form is there is an answer in either box just junk it.

The problems there are that some bots can answer maths questions etc.

Also some screen readers will fall for your gender trap; so blind users could get blocked.

 

[fisicx]

The problems there are that some bots can answer maths questions etc.

Also some screen readers will fall for your gender trap; so blind users could get blocked.

Yes there are some clever bots but I was plagued by spam on a site, added the maths checker and they stopped.

The hidden field can have a caveat: 'do not answer this question - it's a spam trap'.

The point is that the captcha isn't working so you need to try the alternatives. You won't know if the work until you try.

Another trick is to rename you labels and field names. Don't use 'email', change it to 'shoe size'. These things do reduce accessibility but they all help.

 

[FIZIX Agency]

Yes there are some clever bots but I was plagued by spam on a site, added the maths checker and they stopped.

The hidden field can have a caveat: 'do not answer this question - it's a spam trap'.

The point is that the captcha isn't working so you need to try the alternatives. You won't know if the work until you try.

Another trick is to rename you labels and field names. Don't use 'email', change it to 'shoe size'. These things do reduce accessibility but they all help.

Sure, I was just commenting on pitfalls and overall suggesting a more behind the scenes, non intrusive approach.

 

[EBIT]

double post.

 

[EBIT]

The way I do it is through a custom made one.

Example here : Can't post URL yet

It is simply a static image made so bots cant read it. On the next page it statically checks someone entered the correct value.

As it never changes there is no need for complicated code. However it works wonders because its CUSTOM and bots are not designed to understand it.

I find it works 100% and is so simple.

I answered your maths question correctly and clicked 'Sign up now' and was directed to a page that said "Sorry, You didnt enter a password. It must be just Numbers and Letters, Click Here to try again."

 

[ITsoldUK]

Not yet found a captcha form ("enter the code in the box") which actually does a good job of preventing bots from sending spam through contact forms.

Has anyone got any tried and tested recommendations to make, with a link perhaps?

Its as frustrating for me, as it is for my clients.
Thanks chaps.

Obvious question....what CMS (if any) are you using?

 

[lynxus]

I answered your maths question correctly and clicked 'Sign up now' and was directed to a page that said "Sorry, You didnt enter a password. It must be just Numbers and Letters, Click Here to try again."

The reason for that is simply you wouldnt normally visit that page directly. ( I only linked to it here as an example )
You would enter your username , password, email on another page. That then takes your data d passes you to this page for verification and if you answer 15. It would then sign you up.

Its expected behavior.

 

[ITsoldUK]

The way I do it is through a custom made one.

Example here : http://www.imsupporting.com/register_action_mainpage.php

It is simply a static image made so bots cant read it. On the next page it statically checks someone entered the correct value.

As it never changes there is no need for complicated code. However it works wonders because its CUSTOM and bots are not designed to understand it.

I find it works 100% and is so simple.

Boom, and there is the generic answer for all who suffer.

Removing text (not just for sign ups but also emails etc) and converting to an image is extremely simple AND we have found ultra reliable (with an audio file for accessibility).

Be it custom or otherwise...this is my preferred way to go.