Stopping spambots with two simple captcha alternatives

If you've got an email subscribe form on your site, you've likely put some thought into how to protect it from spambots and other automated nasties that sign up using bogus information. Sure, you can make your list confirmed/double opt-in or add a captcha, but these aren't always to everyone's taste.

But before we go into the specifics of defending your subscriber lists, here's a little background on what spambots can do. On one end of the scale, they can be merely annoying - you may get a couple of fake subscribers from time to time, no biggie. But on the other, less fortunate end, there's the possibility of having your forms bombarded, or having spamtrap email addresses added to your lists. We've got built-in defenses to protect accounts from both possibilities, but whether you're building a subscribe form, contact form or an online survey, it's worth getting wise to home-grown remedies, too.

Captcha is for suckas

First, I have to tell you that I have a severe dislike of machine-generated image captchas - and I don't think I'm the only one. For starters, they penalize innocent folks who simply want to fill out a form as quickly as possible. Penalties mean fewer signups. Really, who wants to give away their personal details, then be forced to complete a task like this?

'Top 10 Worst captchas', IT Management and Cloud Blog

Ok, so I chose an extreme example there. But the point is, captchas can be hard work, even if you have perfect vision, no history of dyslexia or colorblindness and are fluent in English. For folks with mental and physical traits on the other end of the spectrum, captchas are often impossible to complete.

In short, we don't recommend that you use a traditional captcha. Instead, here are two friendlier alternatives.

Put a checkbox on it

A common solution to spambot woes is to add an 'I am not a spambot' checkbox to forms, which must be checked for the form to be submitted. Called a 'checkbox captcha', it uses a checkbox generated using client-side JavaScript, thus making it invisible (and uncheckable) to spambots. You can see a good example in this very instructive post on 'Captchas vs. Spambots'.

While checkbox captcha is a very elegant solution, the downside is that not all humans have JavaScript enabled in their browsers. As a result, it comes with the risk of making subscribe forms unusable for these people.

Hello, honeypot!

Another approach is to use a 'honeypot captcha', which works by including a form input that only spambots are tempted to fill in. This checkbox or text field is hidden using CSS, meaning that while most users won't see it, spambots will. To stop folks with screen readers from falling into the trap, a label like "If you're human, leave me blank", or something equally instructive can be added. In a recent post, Paul Boag outlined why it's his weapon of choice:

Personally, I like this approach, because it doesn't burden subscribers with extra fields. It's also easy to implement, doesn't necessarily require JavaScript and allows you to easily identify and weed out dud email addresses. It likely won't stop all spambots, but it won't annoy all users like traditional captchas do.
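Here is a server-side version of the honeypot described above, as an added example that is not part of the original post. It assumes Node.js; the field name `hp_7f3k9q`, the secret and the 3-second threshold are made-up values, and the signed timestamp goes beyond the hidden field to cover the time-based protection that commenters on this post describe.

```javascript
// Added example (not from the original post): honeypot + time check.
const crypto = require('node:crypto');

const SECRET = 'replace-with-a-real-server-secret'; // assumption: per-site secret
const HONEYPOT = 'hp_7f3k9q'; // hypothetical random-looking name, so browser autofill ignores it
const MIN_FILL_MS = 3000;     // assumed threshold: humans rarely submit faster

// Sign the render time so a bot cannot simply post an older timestamp.
function sign(ts) {
  return crypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Render the subscribe form. The trap is moved off-screen with CSS, taken
// out of the tab order, and labelled for screen-reader users.
function renderForm(now = Date.now()) {
  return `<form method="post" action="/subscribe">
  <label>Email <input type="email" name="email" required></label>
  <div style="position:absolute;left:-9999px">
    <label>If you're human, leave me blank
      <input type="text" name="${HONEYPOT}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <input type="hidden" name="ts" value="${now}">
  <input type="hidden" name="sig" value="${sign(now)}">
  <button>Subscribe</button>
</form>`;
}

// Classify a parsed POST body. Returns { ok, reason }.
function checkSubmission(body, now = Date.now()) {
  // A browser submits the trap field as an empty string; a hand-built POST
  // that only sends the visible fields omits it entirely.
  if (typeof body[HONEYPOT] !== 'string') return { ok: false, reason: 'trap-missing' };
  if (body[HONEYPOT].trim() !== '') return { ok: false, reason: 'trap-filled' };
  const expected = Buffer.from(sign(body.ts));
  const given = Buffer.from(String(body.sig || ''));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (now - Number(body.ts) < MIN_FILL_MS) return { ok: false, reason: 'too-fast' };
  return { ok: true, reason: 'accepted' };
}
```

Logging the `reason` rather than showing it to the client makes it possible to see which check is catching traffic without telling a bot which field to change.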

We'd love to hear your story - do you protect your forms using double opt-in, or the methods listed above? Why did you make this choice? Let us know in the comments below.

Posted by Ros Hodgekiss

17 Comments

  • Jeff Geerling
    28th September

    I maintain a module for Drupal called Honeypot (http://drupal.org/project/honeypot) which does just this, but is much more robust than many of the homegrown solutions I’ve seen out there for spam traps. Not only does it add a hidden form field that leaves the form accessible to all but spam bots, it also employs time-based form protections that protect forms from spammy humans as well.

    A lot of smaller sites may be able to avoid spam entirely by simply using a honeypot trap, but most larger sites will need further protections.

    I also detest CAPTCHAs, and would consider other alternatives like honeypots or even paid services like Akismet or Mollom before offending my users with them.

  • Pranil Singh
    28th September

    Honeypot idea is pretty good! I quite like the js slider approach, just for something different.
    Captcha can be horrible, and it’s a great point that you should be passing the issue on to your users.
    Great post!

  • Chris Ward
    12th October

    This is a great article I always point people to whenever this topic comes up: http://www.sitepoint.com/captcha-alternatives/

    Honeypot has been doing a great job on all of our forms since I read it in 2009. We’ve rarely needed to implement more than just that, although there are some other great ideas in the article too.

  • Mark Wyner
    12th October

    I believe—and always have—that Captcha is one of the worst inventions to suppress spam activity on web forms. The inherent nature of how it functions serves the people behind the form before the people using it. That’s a bad practice in general.

    I’ve tried a number of techniques in my nearly 15 years of building websites and the most accessible, least obtrusive, and most effective method has been to add a single question that requires a logical answer:

    http://tumblr.markwyner.com/post/3328486592/human-verification-fields

    But this solution is even better because it further simplifies the experience for people using the form. And that’s simply brilliant.

  • Will Swain
    12th October

    We look at various factors, such as mouse movement, keyboard input, and the time taken to fill in a form, as well as the hidden form field method you mentioned. All of these can catch bots, but not real people employed to fill in these forms. For that you can use something like Akismet and Project HoneyPot, and look at things like the number of urls submitted in a form.

  • Jeff Mackey
    12th October

    To help combat spam, avoid using the terrible CAPTCHA tools. They’re terrible for conversion.

    You may want to check out the cool form “games” by the great folks over at Are You A Human? http://areyouahuman.com

  • Andrew
    12th October

    Great to see this article - CAPTCHA must die! Just one word of caution with the honeypot technique - make sure that the auto-fill feature in browsers like Chrome doesn’t accidentally fall into your trap. This happened to me in the past until I renamed my hidden field from ‘email2’ to something like ‘sdf66dsf5ffs8’.

  • Ralph
    19th October

    I’ve used honeypots for years and find them great, but have always felt a little uneasy about either 1) having a question for users to answer or 2) hiding the input but knowing that some users may see the field and have to deal with it. That’s why I was impressed when someone suggested in a forum post that a timestamp be used instead—that is, a hidden field that reads the time of the page load and aborts the form if it is submitted too quickly (as Will Swain mentioned above).

    Here was a nice solution posted in that forum thread:

    http://www.sitepoint.com/forums/showthread.php?861648-Captcha-To-Use-Or-Not-To-Use&p=5144556&viewfull=1#post5144556

    I’m now using this instead of a honeypot.

  • Benjamin
    18th January

    “While checkbox captcha is a very elegant solution, the downside is that not all humans have Javascript enabled in their browsers.”

    Humans that disable JavaScript are humans that are not interested in experiencing the Internet. I never code with them in mind and I’ve never had anyone complain that a site isn’t working correctly due to not having JavaScript enabled.

  • Jay
    7th June

    There’s another CAPTCHA alternative - http://www.minteye.com. It provides a sleeker solution for mobile devices, but not enough services are using it at the moment.

  • Phil Levine
    8th July

    I’d like to hire someone who can install a checkbox captcha on the website form I have - it’s a form that clients use to send credit card information

  • Ros Hodgekiss
    9th July

    Phil, feel free to post on our ‘Find a Designer’ forums with details, you may be able to find someone who can help you there :)

  • Eddie Jenkins
    12th July

    Spambots have unlimited resources and can try every possible combination of form input submissions until one works (i.e. leaving one field blank). I have tried this approach and the bots simply send one with different fields for every request.

  • Jake
    27th September

    Thanks for this eloquent post! I, too, hate CAPTCHAs. That is, the inaccessible ones. I’ve encountered several of these throughout my years on the web. I really like the ones that are text-based though, that ask logic questions such as math or the name of a company. I also like the ones where the user is asked to choose the item that doesn’t belong out of a series of checkboxes. Even a listbox would work with this. I came upon your post via a link on the blog for a volunteer nonprofit organization for which I work. Feel free to check us out at http://www.jjslist.com . When our website first went live in 2009, we had a forum which contained an inaccessible CAPTCHA. I immediately notified our founder, and she had the whole forum taken down.

  • Andy
    5th October

    I realise this post is quite old but I stumbled across it searching for CAPTCHA alternatives and wanted to make a comment about the first alternative you suggest, the checkbox method

    The idea is good, but if you’re going to use JavaScript to add an extra field why bother with something the user has to interact with? Just use JS to add a hidden input and you get exactly the same solution without the user needing to do a thing

  • Bo
    5th November

    I’ve had similar ideas. I replaced some CAPTCHAs today, we’ll see how it goes. :)

    http://boallen.com/captcha-alternative.html

  • Aseem Garyali
    6th January

    Does anyone have any suggestions about game based CAPTCHAs like PlayThru from AYAH? It would be great if someone can share their experience around this subject.
