Stopping Spambots with Two Simple Captcha Alternatives
Campaign Monitor - Apr 24, 2019
Article first published in November 2012, updated April 2019
When this post was written back in 2012, it was a simpler time for the internet. Today, spambots are more aggressive and smarter than ever. They come in various forms; sometimes they add obviously fake addresses that quickly bounce, and sometimes they add addresses of real individuals as a sort of harassment.
If you leave your list “open,” it’s likely bots will abuse your forms and poison your list. Simple checkboxes and switching your list to confirmed opt-in won’t cut it anymore but, thankfully, CAPTCHA has evolved too.
There are many services that offer various kinds of CAPTCHA, some more effectual than others, but, today, it’s imperative to use some measure to protect your list—and your company’s reputation—from bot abuse.
If you’ve got an email subscribe form on your site, you’ve likely put some thought into how to protect your email from spam and other automated nasties that sign up using bogus information. You can make your list confirmed/double opt-in or add a CAPTCHA, but these aren’t always to everyone’s taste.
What do Spambots do?
However, before we go into the specifics of defending your subscriber lists, here’s a little background on what spambots can do.
By definition, a spambot is an automated program that collects email addresses by crawling the internet and uses them to send large quantities of unsolicited emails to these addresses: spam. These addresses are collected through websites, chat room conversations, newsgroups, and many other online platforms.
Once these addresses are collected, spammers or hackers usually use them for hacking, advertising, or fraudulent business purposes.
On one end of the scale, they can simply be annoying. You may get a couple of fake subscribers from time to time, which isn’t a huge problem. However, on the other, less fortunate end, there’s the possibility of having your forms bombarded, or having spam trap email addresses added to your lists. We’ve got built-in defenses to protect accounts from both options but, whether you’re building a subscribe form, contact form, or an online survey, it’s worth becoming acquainted with some DIY remedies too.
CAPTCHA
Most people have a severe dislike of machine-generated image CAPTCHAs. For starters, they penalize innocent people who simply want to fill out a form as quickly as possible. Penalties mean fewer signups. Who wants to give away their personal details, then be forced to complete a task like this?
“Top 10 Worst captchas,” IT Management and Cloud Blog
CAPTCHAs can be hard work, even if you have perfect vision, no history of dyslexia or colorblindness and are fluent in English. For folks with mental and physical traits on the other end of the spectrum, CAPTCHAs are often impossible to complete.
In short, we don’t recommend that you use a traditional captcha. Instead, consider these two friendlier alternatives.
Put a checkbox on it
A common solution to spambot woes is to add an “I am not a spambot” checkbox to forms, which must be checked for the form to be submitted. Called a “checkbox CAPTCHA,” it uses a checkbox generated using client-side JavaScript, thus making it invisible (and uncheckable) to spambots. You can see a good example of this in this very instructive post on “Captchas vs. Spambots.”
While a checkbox CAPTCHA is a very elegant solution, the downside is that not all humans have JavaScript enabled in their browsers. As a result, it comes with the risk of making subscribe forms unusable for these people.
Hello, honeypot!
Another approach is to use a “honeypot CAPTCHA,” which works by including a form input that only spambots are tempted to fill in. This checkbox or text field is hidden using CSS, meaning that, while most users won’t see it, spambots will. To stop folks with screen readers from falling into the trap, a label like “If you’re human, leave me blank,” or something equally instructive can be added. In a recent post, Paul Boag outlined why it’s his weapon of choice:
“I like this approach, because it doesn’t burden subscribers with extra fields. It’s also easy to implement, doesn’t necessarily require Javascript and allows you to identify and weed out dud email addresses easily. It likely won’t stop all spambots, but it won’t annoy all users as traditional captchas do.”
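The honeypot described above, as an added example (not code from the original post or from Campaign Monitor): a form with a CSS-hidden decoy field and the server-side check that flags submissions in which the decoy was filled. The field name `website`, the `hp-wrap` class, the `/subscribe` action and the function name are assumptions made for illustration.

```javascript
// Added example. The decoy name "website" and class "hp-wrap" are assumptions.
const HONEYPOT_FIELD = "website";

// The form: the decoy is hidden with CSS (not type="hidden") and keeps a
// label so that screen-reader users know to leave it empty.
const SUBSCRIBE_FORM = `
<style>.hp-wrap { position: absolute; left: -9999px; }</style>
<form method="post" action="/subscribe">
  <label for="email">Email</label>
  <input id="email" name="email" type="email" required>
  <div class="hp-wrap">
    <label for="hp">If you're human, leave me blank</label>
    <input id="hp" name="${HONEYPOT_FIELD}" type="text"
           tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Subscribe</button>
</form>`;

// Server side: classify a urlencoded POST body produced by the form above.
function classifySubmission(rawBody) {
  const fields = new URLSearchParams(rawBody);
  const email = (fields.get("email") || "").trim();

  // A browser submits the empty decoy field, so a body without it did not
  // come from this form (design choice of this example).
  if (!fields.has(HONEYPOT_FIELD)) {
    return { accept: false, reason: "honeypot-missing", email };
  }
  // Any non-blank value means something filled a field humans cannot see.
  if (fields.getAll(HONEYPOT_FIELD).some((v) => v.trim() !== "")) {
    return { accept: false, reason: "honeypot-filled", email };
  }
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { accept: false, reason: "invalid-email", email };
  }
  return { accept: true, reason: "ok", email };
}

// Constructed sample bodies (not real traffic).
const SAMPLES = [
  "email=ann%40example.com&website=",
  "email=bot%40example.com&website=http%3A%2F%2Fspam.example",
  "email=bot%40example.com",
];
for (const body of SAMPLES) {
  const r = classifySubmission(body);
  console.log(r.reason.padEnd(17), r.email);
}
```

Returning the email on rejected results lets you log or review flagged addresses rather than silently dropping them.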
Stopping Bots in 2019
1. reCAPTCHA
Google has introduced reCAPTCHA (currently reCAPTCHA v3), and it’s definitely a lot more user-friendly than its predecessor. Instead of the frustrating CAPTCHA challenges, reCAPTCHA functions by returning a score so you can decide on the most appropriate action to take for your site. A user who is marked as “suspicious” would have to go through a challenge such as the one below. This program is not perfect, although Google assures that it protects against most spambots.
Source: TheSoftwareDude
2. Akismet
Akismet is one of your best measures for spam protection. Akismet works to block blog comments and pingback spam. It is so effective that, on average, it keeps around 7.5 million pieces of spam off the web. Ensuring that you have this plugin installed and activated on your site will help to filter those spam messages.
3. Creating a custom user registration form
WordPress advises that you build your own user registration form. The User Registration Addon is more secure than the default registration forms that are available, and this is a great defense from spam registrations. This link will give you the step-by-step directions in creating this form for your site.
4. Opting for Administrator Approval
Administrator Approval for new users helps you to review each new registration. This is a secure way to check for authenticity before a user can join your site. You can activate this feature by setting the “User Registration” prompt to “Manual Approval.” This function will allow you to control all aspects of new registrations, as shown in the image below.
Source: WeDevs
How do I protect my email from spam?
Besides your website, your mailbox is also a common spambot target. For HTML email spam protection, we advise using a combination of the following methods:
1. Never reply to spam
Replying to a spam email indicates to the sender that your email address is functional. This will cause them to start targeting it specifically.
2. Don’t give out your email address publicly
Remember that spambots are constantly lurking on the internet, looking for email addresses. If, for instance, you post your email address in the comments section of your online chat group, it might be detected. Be careful not to give out your address on any public platform.
3. Get anti-virus software and spam filtering tools
Anti-virus software and spam filtering tools have, for many years, been a great HTML email protection defense measure to take against spam. These tools will help to ensure that any content with malware that makes its way to your email address gets immediately quarantined, preventing you from opening it.
Wrap up
There is currently no perfect solution for protecting yourself from spambots. Every program out there has its strengths and weak points. But one thing we do know for sure is that, with the advancement of AI and technology, these defensive programs are becoming better, smarter, and more efficient. Our natural optimism tells us that we’ll soon have a foolproof protection program from spambots. In the meantime, make sure that you use the above tips and tools in order to protect yourself.
For more details about spam and how to protect yourself, check out our post that dives deep into everything email marketers need to know about spam.
We’d love to hear your story. Do you protect your forms using double opt-in or the methods listed above? Why did you make this choice? Let us know in the comments below.