Captchas vs. Spambots: Why the Checkbox Captcha Wins

by on 04/21/11 at 5:07 am

Anyone who runs a form on their website has seen their share of spam. Spam is a real problem for site owners: it costs time and money. To fight it, many websites put captchas on their forms. Captchas stop spambots from submitting the form, but they also stop real users from filling it out, which is the last thing you want when you're running a business.

Traditional captchas display words that users can barely read. The words are usually random, so they carry no meaning to help with guessing, and they're warped and distorted so that individual letters are hard to make out. Imagine how that affects dyslexic users, who already find distorted text hard to read. Captchas make users think and work harder than the task requires, and they're easy to get wrong. It's no wonder many users abandon forms that have captchas on them.

Checkbox Captcha

It's good that captchas stop spam, but that shouldn't come at the cost of discouraging users from filling out your form, and clearly it does. The ideal captcha stops spambots without hurting your form's conversion rate.

That's why the checkbox captcha is the best choice for most forms. It stops spambots without discouraging users from filling out your form. No other captcha does this with so little friction.

Most captchas are big and complicated. The checkbox captcha is small and simple: a checkbox that is generated by client-side JavaScript after the page loads, so it never appears in the raw HTML. Spambots that fetch the page and post the form without executing JavaScript never see the checkbox, so their submissions arrive without it. The check itself has to live on the server: the form is accepted only when the checkbox field is present and set. Be clear about what this does and doesn't stop. A bot that runs JavaScript, or one that records a successful submission and replays it, can send the same field a browser would, so a checkbox captcha filters out generic crawlers rather than someone who writes a bot for your site specifically.

A checkbox captcha is smaller and less intrusive than traditional captchas, so it's less intimidating when users first see your form. Users don't have to work out anything, and they don't even have to type. All they have to do is tick a checkbox to confirm they're not a spambot. With a checkbox captcha, you stop spam without stopping your users.
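The two halves of the technique, as an added example that is not code from the post or from any plugin it mentions: the served markup contains no checkbox, an inline script creates it in the browser, and a Node.js handler accepts the POST only when the checkbox field arrives set. The field name `not_spambot`, the `/comment` route and the in-file request handler are assumptions made for the example.

```javascript
// Added example (not the post's or any plugin's code): checkbox captcha.
// Assumed for the example: field name "not_spambot", route "/comment".
const CHECKBOX_FIELD = 'not_spambot';

// HTML as served. The static markup contains no checkbox; the inline script
// creates it after the page loads, so a bot that only parses HTML never sees
// a field to tick. Without JavaScript the <noscript> text explains why the
// form cannot be submitted.
function renderCheckboxForm() {
  return `<form method="post" action="/comment">
  <label>Comment <textarea name="comment"></textarea></label>
  <p id="captcha-slot"><noscript>Please enable JavaScript to submit this form.</noscript></p>
  <button type="submit">Post</button>
</form>
<script>
(function () {
  var slot = document.getElementById('captcha-slot');
  var box = document.createElement('input');
  box.type = 'checkbox';
  box.name = '${CHECKBOX_FIELD}';
  box.value = '1';
  box.id = 'not-spambot';
  box.required = true;   // the browser refuses to submit until it is ticked
  var label = document.createElement('label');
  label.htmlFor = box.id;
  label.appendChild(document.createTextNode(" I'm not a spambot"));
  slot.appendChild(box);
  slot.appendChild(label);
})();
</script>`;
}

// application/x-www-form-urlencoded body -> plain object of fields.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The server-side check is the only part that enforces anything. A browser
// sends a checkbox field only when it is ticked, so an absent or wrong value
// means the checkbox was never rendered (no JavaScript) or never ticked.
function isHumanSubmission(fields) {
  return fields[CHECKBOX_FIELD] === '1' &&
    typeof fields.comment === 'string' && fields.comment.trim() !== '';
}

// Request handler kept separate from a listening socket so it can be
// exercised directly. Returns an HTTP status and a response body.
function handle(method, path, body) {
  if (method === 'GET' && path === '/comment') {
    return { status: 200, body: renderCheckboxForm() };
  }
  if (method === 'POST' && path === '/comment') {
    if (!isHumanSubmission(parseForm(body))) {
      return { status: 400, body: 'Rejected: please confirm you are not a spambot.' };
    }
    return { status: 200, body: 'Comment accepted.' };
  }
  return { status: 404, body: 'Not found' };
}
```

To serve it, read the request body in an `http.createServer` callback and pass `req.method`, `req.url` and the body to `handle`. Note that the same `handle` happily accepts `comment=hi&not_spambot=1` sent by curl: the protection is entirely that a non-JavaScript bot never learns the field exists.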

Honeypot Captcha

Another kind of captcha that is less intrusive than traditional captchas is the honeypot captcha. It comes second to the checkbox captcha because some spambots have learned to bypass it, and because it can create accessibility problems for some users.

Honeypot captchas work by hiding a text field from users with CSS. Users leave the field blank because they can't see it. A spambot that fills in every field it finds in the HTML will fill it in. The server rejects any submission in which the field is filled and accepts only those that leave it blank.

However, users who browse with CSS disabled (e.g. text-only browsers or some older mobile devices) will see the blank text field, and some screen readers will announce it. This can confuse them and make them wonder what the field is for. It also goes against their habit and expectation of filling in every text field. If you label it properly, they probably won't fill it in, but they may not complete your form either because of the uncertainty it brings.

Honeypot captchas also need careful and specific labeling. Certain spambots have learned to skip honeypot text fields whose labels tell users to leave them empty. If you were to give the field a common label such as “name”, that would trick the spambot into filling it in, but it would also trick users who have CSS disabled into filling it in.

Honeypot captchas are difficult to get right. They're certainly better than traditional captchas, but they aren't perfect: they stop some spambots but not all, and they can hurt your conversion rate among users who browse with CSS disabled. If you can't put a checkbox captcha on your form, a honeypot captcha is a good second option.
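The honeypot variant, as an added example rather than code from the post: the field is moved off-screen with CSS, removed from the tab order and the accessibility tree, and labelled for anyone who still sees it, and the server decides. This example goes one step beyond the text by also rejecting submissions in which the honeypot field is absent altogether, since a browser always submits an empty text input and a missing field means the POST was built without rendering the form. The field name `website_url` and the `/comment` route are assumptions.

```javascript
// Added example (not from the original post): CSS-hidden honeypot field
// with the accept/reject decision made on the server.
// Assumed for the example: field name "website_url" (a name bots like to
// fill), route "/comment".
const HONEYPOT_FIELD = 'website_url';

// The wrapper is positioned off-screen rather than display:none, so the
// field is still a normal part of the form, but it is excluded from the tab
// order (tabindex=-1), from the accessibility tree (aria-hidden) and from
// browser autofill. The label tells anyone who sees it (CSS disabled) what
// to do, in words that match what the server expects.
function renderHoneypotForm() {
  return `<form method="post" action="/comment">
  <label>Name <input name="name"></label>
  <label>Comment <textarea name="comment"></textarea></label>
  <div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">
    <label for="hp">If you are human, leave this field empty</label>
    <input id="hp" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Post</button>
</form>`;
}

// application/x-www-form-urlencoded body -> plain object of fields.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Server-side classification. A browser submits every text input, so a real
// user's POST carries the honeypot as an empty string. A filled value means
// something populated every field it found; an absent field means the form
// was never rendered at all (this stricter rule is the example's addition).
function classifySubmission(fields) {
  if (!(HONEYPOT_FIELD in fields)) return 'spam';
  if (fields[HONEYPOT_FIELD].trim() !== '') return 'spam';
  if (typeof fields.comment !== 'string' || fields.comment.trim() === '') return 'invalid';
  return 'ok';
}

// Constructed sample bodies: a real user, a bot that fills every field, and
// a hand-built POST that omits the honeypot.
const SAMPLE_BODIES = {
  human: 'name=Ann&comment=Nice+post&website_url=',
  fillAllBot: 'name=Bot&comment=buy+now&website_url=http%3A%2F%2Fexample.test',
  handBuiltBot: 'name=Bot&comment=buy+now',
};

function classifySamples() {
  const out = {};
  for (const [who, body] of Object.entries(SAMPLE_BODIES)) {
    out[who] = classifySubmission(parseForm(body));
  }
  return out;
}
```

Respond to a `spam` result with the same success page a real comment would get; returning an error tells a bot author which field tripped the check. The stricter absent-field rule does turn away clients that strip unknown inputs, so drop that line if you only want the behaviour the section describes.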

Conclusion

Traditional captchas are the worst of the three. Stopping spam should not come at the cost of stopping users from filling out your form. In the battle of the captchas, the checkbox captcha comes out on top: it keeps out the bots that don't run JavaScript without hurting your form conversion rate, it's simple for users to understand and it's easy for developers to implement. For a captcha, what more can you ask for?

61 Responses to “Captchas vs. Spambots: Why the Checkbox Captcha Wins”

  1. Stéphane Rangaya

    Apr 21st, 2011

    Nice article, but I’m wondering what happens if the user has javascript disabled.

    • anthony

      Apr 21st, 2011

      If javascript is disabled, it’ll tell users to turn on javascript to submit the form. However, most users won’t have javascript disabled.

      • john

        Apr 23rd, 2011

        Is it really likely that more users will have CSS disabled than Javascript disabled?

        Most modern browsers have the capability to disable Javascript in their settings, as well as support for third party add-on, like NoScript, that disable Javascript.

        • anthony

          Apr 24th, 2011

          Even if we were to assume that the number of users who disable CSS and Javascript were equal, a textfield is much more intrusive than a checkbox. It’s bigger, easy to notice, and users always make sure they fill in every textfield. So, saying “don’t fill in this textfield” goes against their form habits and expectations. It also makes users wonder why they have to not fill in this textfield, when they’ve filled in the others. That’s why honeypots aren’t as good as checkboxes.

          I don’t think there’s anything wrong letting users know that you’re trying to fight spam, and offering them a checkbox to tell you they’re not a spambot. I don’t know why so many people are against this when it’s the simplest approach that requires little to no effort from the user.

          • Stomme poes

            Apr 30th, 2011

            Not sure what the point is in “worrying” about the blind but airily stating that “users just have Javascript enabled”. I care about both groups.

            I use the honeypot, and it’s clearly labeled. Fronteers.nl uses something similar: a final question (which is hidden with Javascript I believe, so those who *do* have it on don’t see it, don’t fill it in) asks if you’re a spammer. On the other side of the field, there’s some hint text “fill in No”. So if you don’t have JS, fine: you’re told not to leave it blank, but what you should fill in.

            Users without JS do a hair more work, and unlike the javascript-created checkbox, this allows ALL human users access.

          • Anna Funk

            Jun 7th, 2011

            When using a honeypot, you generally hide the blank field with CSS so the human users that have CSS turned on don’t even see it.

            Both solutions are completely valid.

            My only concern with the checkbox is that to someone who isn’t paying attention, it could look like you’re trying to get them to sign up for something.

      • Gambler

        Jul 21st, 2011

        JavaScript should not be required for performing trivial actions, such as commenting. There are many, many architectural reasons for that. Besides, many people browse with JS disabled for security and privacy purposes.

        How about adding two checkboxes? “I am not a spambot” and “I am a spambot”. Both are unchecked by default. The second one is hidden via CSS. This would thwart bots that check everything and fill every field.

    • Thomas

      Apr 1st, 2013

      reCAPTCHA is too difficult to read.

  2. weston deboer

    Apr 21st, 2011

    If you are using the plugin, as i see below.

    It is doing it all wrong, the box needs to be checked and the text needs to say like it does in your image above. Then if you are not a spammer it should be unchecked.

    Spam bots know how to check things, but uncheck?

    We don’t get much spam in the first place, but I am going to implement this right now and see what happens.

    • anthony

      Apr 21st, 2011

      That won’t work. If the checkbox is already checked, the spambot doesn’t have to do anything but fill in the existing fields for the form to go through.

      • MarQ

        Apr 23rd, 2011

        Weston’s suggestion is that condition be reversed: the server-side check is for an unchecked checkbox – i.e., if it is checked the submission is spam.

  3. Geoffrey Lee

    Apr 21st, 2011

    Do spam bots even run JavaScript? It seems to me that simply inserting a hidden field via JavaScript is enough to combat spam if the bots don’t run JavaScript. The checkbox itself is unnecessary.

    And the argument that people surf the web with CSS disabled is no different from the argument that people surf the web with JavaScript disabled. Besides, you can still target screen readers with CSS using the “media” attribute.

    • Matt

      Apr 22nd, 2011

      I was thinking the same thing: if the assumption is that the bot is not parsing javascript, a hidden field or a modification to the submit value should be enough to do the test without a normal user ever seeing a prompt.

    • anthony

      Apr 22nd, 2011

      A textfield generated with client-side javascript seems like a good idea in theory. But it also seems to have its drawbacks because it’s a textfield. Bots are more adept at reading and filling in textfields than checking checkboxes.

      I can confirm that the checkbox captcha does work effectively. But I can’t confirm that a textfield captcha works. Does anyone have any experience with this?

      • Jonas

        Apr 25th, 2011

        Here is a javascript hidden field example. I haven’t received any spam at all this way (and I have been using it for years), and if I did, it would be very easy to make it more sophisticated.

        http://eastafricasafariventures.com/contact-us

        PS. Putting the “I am not a spambot.” checkbox above this textarea would make it more likely to be seen.

        • Gavin

          Apr 27th, 2011

          I also have used the hidden checkbox field for a long time (years).
          Never get any spam, but obviously it requires javascript to be enabled.

          http://gavinbenda.com.au/contact

          The hidden verification code (vc) input stores a randomly generated MD5 hash stored in a session server side, and inserts via JS.

    • Stomme poes

      Apr 30th, 2011

      @Geoffrey Lee I haven’t seen any media queries that successfully target screen readers. Which one do you use?

  4. Dey Alexander

    Apr 21st, 2011

    Have you tested this with users? I wonder how many ordinary users (non geeks) know what a spambot is and hence, know what the question is asking and how to answer it.

  5. Jonas Arnklint

    Apr 22nd, 2011

    So, if no spam bot can execute client side code, why don’t you just insert a hidden field client side that has a value that needs to be there in order for the form to validate?
    Googlebot executes JavaScript, so I suppose spam bots will too.

  6. Tim

    Apr 22nd, 2011

    It surely does work if a small percentage of people use it. However if it becomes more popular and less unique, it will be easy to work around.

  7. Jonas

    Apr 22nd, 2011

    The traditional Captchas are mainly used because they don’t require javascript.

    If you decide to use javascript (I do) then there is no point in having a checkbox at all as you can easily generate a hidden field with an obfuscated string. No spam – no checkbox – no (visible) captcha :)

  8. David

    Apr 22nd, 2011

    This depends on the nature of your site.

    If you have a simple comments section that you’re trying to avoid the majority of generic spambots spamming, then this will work fine, as will any javascript approach (using jQuery to capture the onSubmit event and adding a hidden field prior to the http post would also do the trick), providing, as Stéphane points out, javascript is enabled.

    However, if you’ve a site which you’re trying to prevent automated sign-ups, and there is any value to someone writing a specific bot for your site (which is really very little work to do), then it is trivial for them to bypass this. You could randomise the field name and match it to a session variable (CSRF token style) which would make their life harder, but there’s a good reason why Google et. al. have fallen back to the captcha, despite its very real issues.

    • Wladimir

      Apr 22nd, 2011

      If people are really targeting your site, captchas do not protect against spam signups either. They can use services like decaptcha which hire cheap typers to “solve” these images in bulk. If your site is worth targeting, a signup will probably be worth more than 1/10 of a cent.

  9. David Reynolds

    Apr 22nd, 2011

    It doesn’t work. If the spambot simply records the submit request sent to the server, it will include the checkbox tick and it can repeat it as often as it wants.
    captchas work because the server sends a coded message and only a human can return the message.
    Any solution involving javascript will not work.
    Even if you get javascript to generate a captcha, you will have to give javascript the unencoded word to generate. The spambot will be able to get the unencrypted word to pass back.

  10. Constantin

    Apr 22nd, 2011

    It’s not complicated to write a spam bot that can run javascript :)

    • tupolev

      May 2nd, 2011

      Totally agree. And no need even to write it. Just use a fake browser like the ones we use to test interfaces. In fact, it’s called “Fake” :P

  11. Anon

    Apr 23rd, 2011

    Although current spam bots couldn’t get around these captchas on your website, it is super trivial to write one that can. They will only work to stop spam until someone writes a spam bot specifically for the site, which won’t take a whole lot of effort. All it needs to do is submit the same information in the form that a valid form would have.

  12. Ramenos

    Apr 25th, 2011

    I agree with checkbox captcha. However, i am not sure that all robots could not fill javascript…

  13. Brad

    Apr 25th, 2011

    This stuff does my head in. What about generating a random string and random string index to be used as the session index for the token ($_SESSION[$_SESSION['index']]), stored in a server side session for each page load, then ajax posting the index and string to receive a pseudo random token based on the previous random string (only if $_SESSION[$_SESSION['index']] is set and equal to the random requested index/string) which is stored in a server side session variable then injected into the form in a hidden field that is generated on the fly (so cannot be detected on a page load, as it is injected into the DOM when the doc is loaded) which is posted at submit time and compared to the token that was generated and stored server side?

  14. Chefil

    Apr 26th, 2011

    Best captcha is a hidden email field. The real email field has a different name. Spam bots always put the email in the hidden email field, but a real user couldn’t do this.

  15. Ruben Vandenbussche

    Apr 26th, 2011

    I made some css hidden fields with the name website and a hidden field with the name url. If one of those fields is filled in, the IP goes into a database of blocked IPs. Nothing is required from the user. That’s the perfect user experience :).

  16. Jon

    Apr 26th, 2011

    I was going to write a similar blog concerning this topic, you beat me to it. You did a nice job! Thanks and I will add your RSS to our blogs. Thanks so much, Jon B.

  17. Peter J. Hart

    Apr 26th, 2011

    Tools like Selenium make it easy to do automated UI regression testing, but also make it easy to make spam bots that use JavaScript.

    But, blocking non-JS bots might be enough for you. If you get spam every once in a while, a checkbox, hidden field, or even JS that changes the form action URL might be enough.

  18. Web Axe

    Apr 30th, 2011

    Nice article, and interesting idea, but I like the honeypot method.

    I believe JS must be supported. But not because of screen reader users; the same percentage of those users have JS enabled as “regular” users. Remember 1% or so of 100,000 is still 1,000 users you’re blocking. Cases include low-end mobile devices, corporate firewalls, broken JS, very old browsers, and text-only browsers.

    There are many other accessible non-captcha methods here:
    http://webaim.org/blog/spam_free_accessible_forms/

  19. Luciano

    May 5th, 2011

    This method doesn’t work… if someone wants to register 1000 users on your site, he programs the bot to send a checkbox, or to not complete the “hidden field”… in that case you have to use a traditional captcha

    Luciano

    • Tony McGurk

      May 28th, 2011

      But it does work. I have proved it on my own site. Using Akismet I was often getting hundreds of spam a day. Now using Growmap Anti-Spambot Plugin (GASP) with the checkbox I get a big fat ZERO amount of spam.

  20. Jason

    May 9th, 2011

    A typical designer’s idea.

    You need to take into account exactly what a CAPTCHA is, and what it’s designed to do.

    A CAPTCHA is designed to prevent a script or program from filling out a form many times automatically, be it to make hundreds of spam email accounts, or to flood a messageboard with spam comments.

    The idea behind a captcha is as follows: humans can perform the task, but a script cannot.

    Your checkbox idea is not a CAPTCHA because it is simple to make a script that clicks the checkbox, just as a user might.

    While the checkbox may decrease the number of users who decide not to sign up, you might end up with thousands of spam elements, and a waste of crucial server resources.

    The bottom line: if you’re going to have something that doesn’t require human intelligence to pass, you might as well not have anything at all.

  21. CableCat

    May 9th, 2011

    I totally agree with this last comment from Jason. This checkbox model can easily be defeated by a custom script. All you have is security by (slight) obscurity.

    Of course it will help a lot, because all the automated spambots that crawl the web do not work. But it will not work for anyone who targets your site specifically.

    This is the same as writing your email as name(a)host.com – It will only work until somebody writes a bot that replaces (a) with @. BTW I had great success replacing @ with @ in the HTML code.

    In the end you can do something even simpler to achieve the same goal.

    AAARG, I had to enable javascript to post this comment… FAIL!

  22. John

    May 18th, 2011

    I love this alternative to the ugly captcha. How about if javascript is turned on show checkbox, if not show the ugly captcha? Seems like the number of people with javascript turned off would be minimal so this should work…and still stops the spammers. I also think like everything else, the method used depends on your audience. If you have a lot of people with JS turned off this is not for you.

  23. Tony McGurk

    May 28th, 2011

    Seems a lot of people in previous comments are critical of the checkbox type setup. I hate having to type out captchas. If they are hard to read you have to keep clicking the refresh to get one you can read. I use GASP with the checkbox & it works so well I have uninstalled Akismet completely. Every time I check my Spam folder the amount is always ZERO…
    Easy to criticize something if you haven’t tried it. GASP is the ultimate in anti-spambot defence.

    • anthony

      Jun 2nd, 2011

      Akismet is nowhere near as good as GASP. The only reason Akismet is so popular is because it was created and promoted by the developers who made WordPress. But the truth is that its value is mostly all hype.

  24. Captcha Monster

    Jun 6th, 2011

    Both CAPTCHAs have their advantages and shortcomings, but when it comes to the ordinary user, who is not going to spam your website, he should have some solution which would help him complete CAPTCHA verifications.

    And here comes Captcha Monster, a completely automated Firefox add-on which lets you forget about CAPTCHAs forever!

  25. Ian

    Jun 13th, 2011

    I’m willing to try the Checkbox Captcha, but am not a WordPress user (or any blogging software, for that matter).

    The Growmap site offers a plug-in for WordPress, but does not suggest any script for non-Wordpress or non-blogger pages (i.e.: ordinary HTML).

    I’ve searched the keyword string ["Checkbox Captcha" script], but was unable to find anything useful. Any suggestions as to where I should look?

  26. Thomas

    Jun 27th, 2011

    Why do you not use JavaScript to offer the Send-Button? If a spambot has no Send-Button I think it can’t send the form.

    • anthony

      Jul 3rd, 2011

      I think that works too. Any form element using Javascript would stop spam as long as the element is required by the user. I chose to use a checkbox because it’s a WordPress plugin that’s easy to do and it makes it clear for people to see when talking about it.

      • Thomas

        Jul 4th, 2011

        Thank you for your answer. I prefer to hide the whole form with the submit-Button, because the visitors of my site don’t recognize that I make this check. So I do not disturb the contact-workflow.

  27. Thomas

    Jun 30th, 2011

    It should also work if you show the whole form with JavaScript. So you could be sure that bots without JavaScript “see” nothing.

    Is it surely right that bots don’t use JavaScript? Are there any bots who use JavaScript?

    I’d be thankful if you could answer me in a short comment.

  28. Craig Smith

    Aug 1st, 2011

    An interesting concept and a great solution for smaller websites, however, this wouldn’t work for high-volume websites (traffic or revenue or both) because hackers would spend the time to develop a bespoke solution as the reward is worth the effort.

  29. Matt

    Aug 7th, 2011

    Appreciate your write-up about this method.

    I am looking to incorporate captcha for our registration page. Because we also have a TOS that needs to be agreed to before sign-up occurs, I am considering using the checkbox as an agreement to the TOS. This way, we subvert spambot submissions while also not displaying an obvious captcha to the user.

  30. Mike

    Feb 17th, 2012

    Use an image next to the box if they have css disabled that says this is only for spambots to fill in. Then the spambot won’t see the text.

  31. Willy

    Feb 20th, 2012

    There is something I’m not getting with this somewhat popular technique. Since this technique forces the user to have Javascript enabled, why bother with a checkbox? Why not have a Javascript function that will put an obfuscated value in a hidden field, and you check the value of that field on the server. It’s as safe (or should I say unsafe) as the checkbox technique, but you won’t need the user to click on anything.

    A safer technique would be to use an Ajax call to set a random value in a hidden field, a value that was also saved in the user’s session on the server. This way, the spammer would actually have to simulate sessions and call the Ajax script. Doable, but more work for them.

  32. Jovino Margathe

    Mar 19th, 2012

    I’m surprised no one has even bothered using an input text field which is hidden through css, which means normal users wouldn’t be able to see it.

    Simple really, if it is filled, then the request is invalid since it didn’t come from a “normal” user.

    You can do the checking on client or server side as well.

  33. The Rata

    Jul 14th, 2012

    Stating that the Javascript solution is better than the honeypot one is just stupid. There are enough people who have Javascript turned off, or their smartphone/mobile computer just doesn’t support it.

  34. Thomas

    Apr 1st, 2013

    Very good article. The captcha on Facebook and reCAPTCHA are hard to read. Even a human cannot pass it.

  35. Siegfried

    Apr 15th, 2013

    I use Growmap Antispam Plugin for WordPress and it works perfectly – I forgot what spam is ;D
    sometimes spammers use manual entry but it is rare

    best regards!

  36. Nikolay Krustev

    Aug 23rd, 2013

    This is totally pointless and protects nothing, if I want to attack the specific site with spam, it takes 1 line of JS to make this useless.

  37. TheDarkSide

    Feb 12th, 2014

    Anything that is pure client-side is useless.
    It will stop the lousy random bots, but it will not stop someone who decides to attack your website – post comments, register users, try sql injection etc etc.
    I can write from scratch a bot that posts multiple times in under 15 minutes.

  38. Mitch

    Feb 24th, 2014

    A client/customer who doesn’t want to fill the captcha, is perhaps better off moving to Facebook, anyway.

    A checkbox thing does not work, it can easily be checked by spam bots. C’mon.

    Besides, just go and check the “WordPress” Growmap Anti Spambot Plugin, what a joke!

    Seriously, one need to wonder if you wrote this article with a second thought in your mind!
