Josh Lewis

A user-friendly alternative to CAPTCHA

Dealing with spam is the job of a business and its webmaster, not of the user filling in the form. When it is passed on to the user, normally in the form of an image captcha, it significantly worsens the end experience by frustrating the user and making them less likely to complete your form.

The silly thing is that dealing with spam on small to medium-sized sites can be very straightforward. One of the biggest worries in detecting spam is the risk of a false positive: flagging a legitimate message as spam just because the user included a few links or wrote it in an unusual way. At the other end of the problem, too many false negatives make the process of filtering spam pointless.

The Honeypot

The Honeypot is a very easy way to eliminate a very high proportion of spam messages on things like contact forms while being 100% sure you are not going to get any false positives.

It works by adding an extra field to any form and hiding it from real users using CSS or JavaScript. Spambots, which aren't very good at dealing with either of those things, don't realise the field is hidden and therefore fill it out, allowing you to detect that the form submission is by a spambot.

Of course, this test could be easily spotted by the programmer behind the spambot, but for small to medium sites this is unlikely to ever happen. Spambots targeting specific websites can be programmed to be much smarter, so captchas are necessary on bigger sites, or in applications where the consequences of letting through someone who is a bot are higher.

The Checkbox

The inverse of this technique exploits the same weakness in spambots' JavaScript support by using JavaScript to add a field, usually a checkbox, to the form. You can then verify that the checkbox has been checked to eliminate spam. I prefer the Honeypot to this method, as even asking the user to check a box adds an extra annoyance for the user.
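The server-side check behind both the Honeypot and the Checkbox, as an added example that is not code from the original article. The field names `website` and `human_check`, the CSS class and the sample submissions are constructed for illustration; the check also goes one step beyond the text by flagging a POST in which the honeypot field is absent altogether.

```javascript
// Added example. Field names are assumptions, not taken from the article.
const HONEYPOT_FIELD = "website";        // hidden with CSS; people leave it empty
const JS_CHECKBOX_FIELD = "human_check"; // added by JavaScript; people tick it

// Markup the form would carry for the honeypot (constructed):
//   <style>.hp { position: absolute; left: -9999px; }</style>
//   <div class="hp" aria-hidden="true">
//     <input type="text" name="website" tabindex="-1" autocomplete="off">
//   </div>

// Classify one application/x-www-form-urlencoded POST body.
// requireCheckbox: also apply the JavaScript-checkbox test.
function classifySubmission(rawBody, { requireCheckbox = false } = {}) {
  const params = new URLSearchParams(rawBody);
  const reasons = [];

  // getAll, not get: a bot may repeat the field, and any filled copy counts.
  const honeypot = params.getAll(HONEYPOT_FIELD);
  if (honeypot.length === 0) {
    // Browsers send empty text inputs, so a missing field means the POST
    // was not produced by submitting the rendered form.
    reasons.push("honeypot-missing");
  } else if (honeypot.some((value) => value.trim() !== "")) {
    reasons.push("honeypot-filled");
  }

  // An unticked checkbox is not sent at all; a ticked one with no value
  // attribute arrives as "on". A client that never ran the script sends nothing.
  if (requireCheckbox && params.get(JS_CHECKBOX_FIELD) !== "on") {
    reasons.push("checkbox-missing");
  }
  return { spam: reasons.length > 0, reasons };
}

// Constructed sample submissions.
const SAMPLES = {
  human: "name=Ann&email=ann%40example.com&message=Hello&website=",
  humanChecked: "name=Ann&message=Hello&website=&human_check=on",
  botFillsAll: "name=x&message=buy+now&website=http%3A%2F%2Fspam.example",
  botDirectPost: "name=x&message=buy+now",
};

for (const [label, body] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(classifySubmission(body)));
}
```

Reject or silently discard a submission when `spam` is true; returning the normal success page either way gives the bot no signal that it was caught.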

In my experience these methods are very effective at curbing the vast majority of spam, enough to allow the intended recipient or system to receive all messages that pass them. Of course, you sometimes have to validate human-created content, but that is a whole different article.