Home Resources Blog

Update When this post was written back in 2012, it was a simpler time for the internet. Today, spambots are more aggressive and smarter than ever. They come in various forms; sometimes they add obviously fake addresses that quickly bounce, and sometimes they add addresses of real individuals as a sort of harassment.

If you leave your list ‘open’ it’s likely bots will abuse your forms and poison your list. Simple checkboxes and switching your list to confirmed opt-in won’t cut it anymore, but thankfully CAPTCHA has evolved too.There are many services which offer various kinds of CAPTCHA, some more effectual than others, but today it’s imperative to use some measure to protect your list—and your company’s reputation—from bot abuse.

If you’ve got an email subscribe form on your site, you’ve likely put some thought into how to protect it from spambots and other automated nasties that sign up using bogus information. Sure, you can make your list confirmed/double opt-in or add a captcha, but these aren’t always to everyone’s taste.

But before we go into the specifics of defending your subscriber lists, here’s a little background on what spambots can do. On one end of the scale, they can be merely annoying – you may get a couple of fake subscribers from time to time, no biggie. But on the other, less fortunate end, there’s the possibility of having your forms bombarded, or having spamtrap email addresses added to your lists. We’ve got built-in defenses to protect accounts from both possibilities, but whether you’re building a subscribe form, contact form or an online survey, it’s worth getting wise to home-grown remedies, too.


First, I have to tell you that I have a severe dislike of machine-generated image captchas – and I don’t think I’m the only one. For starters, they penalize innocent folks who simply want to fill out a form as quickly as possible. Penalties mean less signups. Really, who wants to give away their personal details, then be forced to complete a task like this?

Top 10 Worst captchas‘, IT Management and Cloud Blog

Ok, so I chose an extreme example there. But the point is, captchas can be hard work, even if you have perfect vision, no history of dyslexia or colorblindness and are fluent in English. For folks with mental and physical traits on the other end of the spectrum, captchas are often impossible to complete.

In short, we don’t recommend that you use a traditional captcha. Instead, here are two friendlier alternatives.

Put a checkbox on it

A common solution to spambot woes is to add a ‘I am not a spambot’ checkbox to forms, which must be checked for the form to be submitted. Called a ‘checkbox captcha’, it uses a checkbox generated using client-side Javascript, thus making it invisible (and uncheckable) to spambots. You can see a good example in this very instructive post on ‘Captchas vs. Spambots‘.

While checkbox captcha is a very elegant solution, the downside is that not all humans have Javascript enabled in their browsers. As a result, it comes with the risk of making subscribe forms unusable for these people.

Hello, honeypot!

Another approach is to use a ‘honeypot captcha’, which works by including a form input that only spambots are tempted to fill in. This checkbox or text field is hidden using CSS, meaning that while most users won’t see it, spambots will. To stop folks with screen readers from falling into the trap, a label like “If you’re human, leave me blank”, or something equally instructive can be added. In a recent post, Paul Boag outlined why it’s his weapon of choice:

Personally, I like this approach, because it doesn’t burden subscribers with extra fields. It’s also easy to implement, doesn’t necessarily require Javascript and allows you to easily identify and weed out dud email addresses. It likely won’t stop all spambots, but it won’t annoy all users like traditional captchas do.

We’d love to hear your story – do you protect your forms using double opt-in, or the methods listed above? Why did you make this choice? Let us know in the comments below.

  • Jeff Geerling

    I maintain a module for Drupal called Honeypot (http://drupal.org/project/hone… which does just this, but is much more robust than many of the homegrown solutions I’ve seen out there for spam traps. Not only does it add a hidden form field that leaves the form accessible to all but spam bots, it also employs time-based form protections that protect forms from spammy humans as well.

    A lot of smaller sites may be able to avoid spam entirely by simply using a honeypot trap, but most larger sites will need further protections.

    I also detest CAPTCHAs, and would consider other alternatives like honeypots or even paid services like Akismet or Mollom before offending my users with them.

  • Pranil Singh

    Honeypot idea is pretty good! I quite like the js slider approach, just for something different.
    Captcha can be horrible, and it’s a great point that you should be passing the issue on to your users.
    Great post!

  • Chris Ward

    This is a great article I always point people to whenever this topic comes up: https://www.sitepoint.com/captcha-alternatives/

    Honeypot has been doing great job on all of our forms since I read it in 2009. We’ve rarely needed to implement more than just that, although there are some other great ideas in the article too

  • Mark Wyner

    I believe—and always have—that Captcha is the one of worst inventions to suppress spam activity on web forms. The inherent nature of how it functions serves the people behind the form before the people using it. That’s a bad practice in general.

    I’ve tried a number of techniques in my nearly 15 years of building websites and the most accessible, least obtrusive, and most effective method has been to add a single question that requires a logical answer:


    But this solution is even better because it further simplifies the experience for people using the form. And that’s simply brilliant.

  • Will Swain

    We look at various factors, such as mouse movement, keyboard input, and the time taken to fill in a form, as well as the hidden form field method you mentioned. All of these can catch bots, but not real people employed to fill in these forms. For that you can use something like Akismet and Project HoneyPot, and look at things like the number of urls submitted in a form.

  • Jeff Mackey

    To help combat spam, avoid using the terrible CAPTCHA tools. They’re terrible for conversion.

    You may want to check out the cool form “games” by the great folks over at Are You A Human? http://areyouahuman.com

  • Andrew

    Great to see this article – CAPTCHA must die! Just one word of caution with the honeypot technique – make sure that the auto-fill feature in browsers like Chrome doesn’t accidentally fall into your trap. This happened to me in the past until I renamed my hidden field from ’email2′ to something like ‘sdf66dsf5ffs8’.

  • Ralph

    I’ve used honeypots for years and find them great, but have always felt a little uneasy about either 1) having a question for users to answer or 2) hiding the input but knowing that some users may see the field and have to deal with it. That’s why I was impressed when someone suggested in a forum post that a timestamp be used instead—that is, a hidden field that reads the time of the page load and aborts the form is it is submitted too quickly (as Will Swain mentioned above).

    Here was a nice solution posted in that forum thread:


    I’m now using this instead of a honeypot.

  • Benjamin

    “While checkbox captcha is a very elegant solution, the downside is that not all humans have Javascript enabled in their browsers.”

    Humans that disable JavaScript are humans that are not interested in experiencing the Internet. I never code with them in mind and I’ve never had anyone complain that a site isn’t working correctly due to not having JavaScript enabled.

  • Jay

    There’s another CAPTCHA alternative –http://www.minteye.com. It provides a sleeker solution for mobile devices, but not enough services are using it at the moment.

  • Phil Levine

    I’d like to hire someone who can install a checkbox captcha on the website form I have – it’s a form that clients use to send credit card information

  • Ros Hodgekiss

    Phil, feel free to post on our ‘Find a Designer’ forums with details, you may be able to find someone who can help you there :)

  • Eddie Jenkins

    Spambots have unlimited resources and can try every possible combination of form input submissions until one works (i. e. leaving one field blank). I have tried this approach and the bots simply send one with different fields for every request

  • Jake

    Thanks for this eloquent post! I, too, hate CAPTCHA’s. That is, the inaccessible ones. I’ve encountered several of these throughout my years on the web. I really like the ones that are text-based though, that ask logic questions such as math or the name of a company. I also like the ones where the user is asked to choose the item that doesn’t belong out of a series of checkboxes. Even a listbox would work with this. I came upon your post via a link on the blog for a volunteer nonprofit organization for which I work. Feel free to check us out at http://www.jjslist.com . When our website first went live in 2009, we had a forum which contained an inaccessible CAPTCHA. I immediately notified our founder, and she had the whole forum taken down.

  • Andy

    I realise this post is quite old but I stumbled across it searching for CAPTCHA alternatives and wanted to make a comment about the first alternative you suggest, the checkbox method

    The idea is good, but if you’re going to use JavaScript to add an extra field why bother with something the user has to interact with? Just use JS to add a hidden input and you get exactly the same solution without the user needing to do a thing

  • Bo

    I’ve had similar ideas. I replaces some CAPTCHAs today, we’ll see how it goes. :)


  • Aseem Garyali

    Does anyone have any suggestions about game based CAPTCHAs like PlayThru from AYAH? It would be great if someone can share their experience around this subject.

  • Eric S

    you can certainly download a form page, read the javascript, alter the form and resubmit with php- or any other server side scripting code. Especially if the code is not obfuscated.

    Also requiring Javascript for your form is dumb because then you have to be doubly weary of xss – Which is why corporate people never use this method.

  • Shar Marachi
  • Al Mamun

    personally i don’t like automatic machine generated captcha, but it can be more successive if we use numeric captcha. Thanks for great resource.

  • Donna

    This is a memo to the admin. I discovered your page via Bing but it was hard to find as you were not on the front page of search results. I know you could have more visitors to your website. I have found a site which offers to dramatically improve your rankings and traffic to your website: http://anders.ga/-fn4j I managed to get close to 1000 visitors/day using their services, you could also get many more targeted visitors from search engines than you have now. Their service brought significantly more traffic to my website. I hope this helps!

  • spiderman authentic costume

    The actual statement made in this informative article (extract below) is actually completely wrong.
    spiderman authentic costume http://ps-c.com.au/tmp/index.php?ID=9

  • Rodrigo Conceição

    I think that if you set-up a checkbox captcha and a honeypot it’s much better than using captchas, thanks for the post!

  • Manu M

    The method is pretty simple and can be effective as well. But what if the hacker tries to avoid that field in the input and send the request. The server may interpret that the request may come from a ‘human’ right?

  • Lion

    thanks for post …….


This blog provides general information and discussion about email marketing and related subjects. The content provided in this blog ("Content”), should not be construed as and is not intended to constitute financial, legal or tax advice. You should seek the advice of professionals prior to acting upon any information contained in the Content. All Content is provided strictly “as is” and we make no warranty or representation of any kind regarding the Content.
Straight to your inbox

Get the best email and digital marketing content delivered.

Join 250,000 in-the-know marketers and get the latest marketing tips, tactics, and news right in your inbox.


See why 200,000 companies worldwide love Campaign Monitor.

From Australia to Zimbabwe, and everywhere in between, companies count on Campaign Monitor for email campaigns that boost the bottom line.

Get started for free