Update When this post was written back in 2012, it was a simpler time for the internet. Today, spambots are more aggressive and smarter than ever. They come in various forms; sometimes they add obviously fake addresses that quickly bounce, and sometimes they add addresses of real individuals as a sort of harassment.
If you leave your list ‘open’ it’s likely bots will abuse your forms and poison your list. Simple checkboxes and switching your list to confirmed opt-in won’t cut it anymore, but thankfully CAPTCHA has evolved too.
There are many services which offer various kinds of CAPTCHA, some more effectual than others, but today it’s imperative to use some measure to protect your list—and your company’s reputation—from bot abuse.
If you’ve got an email subscribe form on your site, you’ve likely put some thought into how to protect it from spambots and other automated nasties that sign up using bogus information. Sure, you can make your list confirmed/double opt-in or add a captcha, but these aren’t always to everyone’s taste.
But before we go into the specifics of defending your subscriber lists, here’s a little background on what spambots can do. On one end of the scale, they can be merely annoying – you may get a couple of fake subscribers from time to time, no biggie. But on the other, less fortunate end, there’s the possibility of having your forms bombarded, or having spamtrap email addresses added to your lists. We’ve got built-in defenses to protect accounts from both possibilities, but whether you’re building a subscribe form, contact form or an online survey, it’s worth getting wise to home-grown remedies, too.
First, I have to tell you that I have a severe dislike of machine-generated image captchas – and I don’t think I’m the only one. For starters, they penalize innocent folks who simply want to fill out a form as quickly as possible. Penalties mean less signups. Really, who wants to give away their personal details, then be forced to complete a task like this?
Ok, so I chose an extreme example there. But the point is, captchas can be hard work, even if you have perfect vision, no history of dyslexia or colorblindness and are fluent in English. For folks with mental and physical traits on the other end of the spectrum, captchas are often impossible to complete.
In short, we don’t recommend that you use a traditional captcha. Instead, here are two friendlier alternatives.
Put a checkbox on it
Another approach is to use a ‘honeypot captcha’, which works by including a form input that only spambots are tempted to fill in. This checkbox or text field is hidden using CSS, meaning that while most users won’t see it, spambots will. To stop folks with screen readers from falling into the trap, a label like “If you’re human, leave me blank”, or something equally instructive can be added. In a recent post, Paul Boag outlined why it’s his weapon of choice:
We’d love to hear your story – do you protect your forms using double opt-in, or the methods listed above? Why did you make this choice? Let us know in the comments below.