Some people say “captchas are a necessary evil”. I prefer to think of them as just plain evil. Cruella De Vil evil.
Everyone hates them. We don’t need to get into why they suck here; we all know, we’ve all experienced the pain. This article is about alternatives to using captchas. I’ll just state briefly that captchas are a barrier to user interaction: most users associate them with frustration or wasted time based on past experience. (Never mind that they are easily hacked.) Given that, the solutions outlined in this article conform to this short checklist:
- Solutions must be unobtrusive to the user
- Solutions should result in as little maintenance as possible; we don’t want to review every comment
- Solutions will not rely on user accounts
And with that out of the way, let’s dive into the solutions.
Render a fake form, then replace it
Multi-step submission processes
If you want to get really clever, the first request for a token may return a full “success” HTML page that has a token hidden within it.
Add a dummy captcha field
Randomize form field names
Generate each form with unique field names every time it is rendered. For example, rather than:
<input name="email" type="text">
generate a random name like this:
<input name="786AgdYdsDj+gh8$dfg" type="text">
You will need a server-side solution for tracking which random name maps to which field, but that’s fairly trivial. If you get an email address in the author name field, you might have caught a spam bot. (But don’t assume for sure!)
One time use forms
Forms generated on the server should be valid for submission only one time. How do we do this? Use a nonce. By including a unique token (that we can verify we created) in each form, we make sure no form is submitted more than once and that the submitter visited our web page first. Example:
<input name="nonce" type="hidden" value="my-random-nonce-value">
<input name="nonce-timestamp" type="hidden" value="12000400045">
For more information about using nonces, see A Guide to Nonce.
Track the time between form rendering and submission
Computers tend to do things very quickly, far faster than a human ever could. Tracking the number of seconds that pass between the time we render the form and the time it is submitted back to the server gives you a hint as to who is submitting the form when the response time is far too short.
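As an added example (not code from the original post), here is how the nonce, timestamp and timing checks from the two sections above fit together on the server side in Python. The hidden field names match the inputs shown above; the extra signature field, the secret, the in-memory nonce store and the time thresholds are my assumptions.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # constructed: per-deployment secret used to sign tokens
_used_nonces = set()      # assumption: in-memory store; use a shared store (e.g. a DB) in production
MIN_SECONDS = 3           # assumption: a human cannot fill a comment form faster than this
MAX_SECONDS = 3600        # assumption: a rendered form expires after an hour

def _sign(nonce, ts):
    """HMAC over nonce and timestamp so we can prove we issued this pair."""
    return hmac.new(SECRET, f"{nonce}:{ts}".encode(), hashlib.sha256).hexdigest()

def render_form_fields(now=None):
    """Hidden fields to embed when rendering the form: nonce, timestamp, signature."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(16).hex()
    return {"nonce": nonce, "nonce-timestamp": str(ts), "nonce-sig": _sign(nonce, ts)}

def verify_submission(fields, now=None):
    """Return (ok, reason). Rejects forged, replayed, expired or too-fast submissions."""
    nonce = fields.get("nonce", "")
    ts_raw = fields.get("nonce-timestamp", "")
    sig = fields.get("nonce-sig", "")
    if not ts_raw.isdigit():
        return False, "bad-timestamp"
    ts = int(ts_raw)
    # Check the signature first: only tokens we created get any further.
    if not hmac.compare_digest(sig, _sign(nonce, ts)):
        return False, "bad-signature"
    # One-time use: a nonce seen before is a replay.
    if nonce in _used_nonces:
        return False, "replay"
    elapsed = (now if now is not None else time.time()) - ts
    if elapsed > MAX_SECONDS:
        return False, "expired"
    _used_nonces.add(nonce)   # burn the nonce whether or not the timing check passes
    if elapsed < MIN_SECONDS:
        return False, "too-fast"   # render-to-submit gap too short for a human
    return True, "ok"
```

In a multi-process deployment the check-then-add on the nonce store needs to be an atomic set-if-absent, otherwise two concurrent replays can both pass.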
Remember email/IP combinations
Once a submission is received server side, you can compare the user’s email address (assuming your form collects one) and their IP address against past submissions. If you find a matching non-spam entry and/or no matching spam comments, that is an indication that this submission may not be spam either.
Monitor IP addresses for abuse
Track the source IP of form submissions. If you are seeing a lot of submissions from a single IP address in a very short period of time, you may be facing a spam bot. Worse, you might be under a DoS attack.
Allow users to flag comments as spam
Adding a simple “Flag as spam” button to every displayed comment lets visiting users flag inappropriate comments for review. It’s a simple way to recruit a little human help.
Math problems that don’t require user input
Some sites require users to solve a simple math problem, e.g. 2 + 2. These can be less frustrating than traditional distorted-word captchas, but they still fail our first requirement: it’s an extra step for the user. An alternative approach is to place the math problem in a hidden form field. Take the following example:
<input type="hidden" name="math-test" value="2+2">
After submission check fields values for likely spam
Akismet is a great third-party service that analyzes comments to determine whether they are spam. It’s free for personal use and fairly reasonably priced for businesses. If you can afford it, this is your best friend; if not, you can implement a simple mechanism to help you detect possible spam. For example, consider flagging comments that contain external links for further review.
This solution catches one case that none of the others mentioned here do: real people manually entering spam. Jerks.
None of these solutions is perfect; each can be targeted and beaten. But by combining multiple strategies we can reduce the amount of spam that slips through and drastically improve the experience for both the user and the maintainer. And after all, that should always be our number one goal.
Do you have a favorite spam barrier? Add it below in the captcha-free comment form. (No spam please.)