Anyone who has a form on their website has seen their fair share of spam. Spam is a huge problem for site owners. It can cost businesses time and money. To fight spam, many sites put captchas on their forms. These captchas can stop spambots from spamming. But they can also stop users from filling out your form. That’s the last thing you want when you’re running a business.
Captchas force users to type random words that don’t make sense. Not only that, but the letters are so warped and distorted they’re hard for anyone to read. Users often have to try a captcha several times before they get it right, and many give up on the form as soon as they see one.
It’s good that captchas stop spam, but it shouldn’t come at the cost of losing users. The perfect captcha is one that not only stops spambots, but does it without hurting your form conversion rate.
- Source: F*ck Captcha
- Source: CAPTCHA’s Effect on Conversion Rates
Checkbox Captcha
The checkbox captcha can stop some spambots, but not all. What’s good about this one is that it’s smaller and less intrusive than traditional captchas. All it takes is a checkbox that client-side JavaScript adds to your form, and a server-side check that rejects any submission where it isn’t ticked. All the user has to do is tick it, no typing necessary.
Most spambots won’t tick the checkbox because they never run the page’s JavaScript, so for them the checkbox doesn’t exist. But some do: a bot driven by a scripted browser (the same kind used for automated UI testing) runs JavaScript and can tick it, and a bot that records one valid submission can simply replay the POST, checkbox value included. Although it’s less intimidating to users, it’s not 100% effective in stopping spambots.
- Example: Growmap Anti Spambot Plugin
- Example: reCAPTCHA by Google
Honeypot Captcha
Another captcha that’s less intrusive than traditional captchas is the honeypot. It can stop some spambots, but not all, and it may create accessibility issues for some users.
A honeypot captcha adds a text field to the form and hides it from users with CSS. The server accepts a submission only if that field is left blank. Users leave it blank because they never see it, but a spambot that fills in every field it finds will fill the honeypot too, and the server rejects the entry.
Some spambots have learned to avoid honeypot fields, especially when the field is labelled in a way that tells users to leave it alone. That label is needed for accessibility: a screen reader can still announce a field that is only moved off screen, and users who browse with CSS disabled see it outright. If the label on the honeypot field doesn’t tell them not to fill it in, they won’t know to avoid it. Browser autofill is a related trap: some browsers fill a hidden field whose name looks like an address or e-mail field, which locks a real user out of the form, so turn autofill off on the field and give it a name autofill won’t match.
You could give the honeypot field a common label, such as “name”, to trick the spambot into filling it in. But it would trick screen reader users into filling it in too. Honeypot captchas are not 100% effective at stopping spambots, nor are they accessible to all users. But they are far better than traditional captchas.
- Tutorial: Honeypot Recaptcha
Slider Captcha
The slider captcha separates itself from the rest of the pack. Most spambots can’t interact with the slider, because it only exists in the page’s JavaScript, so it stops the bulk of untargeted spam. It’s also user-friendly: all users need to do is slide the knob across to verify they’re not a spambot, and mobile users just swipe. Keep in mind what the slider actually proves, though. It sets a form value that the server then checks, so a bot that runs JavaScript, or that replays a recorded submission, passes it just like the checkbox.
One potential drawback is that keyboard-only users won’t be able to activate the slider unless you make it accessible. If you use this captcha, you have to make it keyboard accessible: the knob needs to be focusable and movable with the arrow keys. Follow these accessibility guidelines so that all users will be able to activate your slider.
- Example: Slider CAPTCHA
- Example: QapTcha
Final Thoughts
Traditional captchas are the worst. Stopping spam should not come at the cost of stopping users from filling out your form. In the battle of captchas versus spambots, the slider captcha is the most effective of the three against the untargeted bots most sites see. It’s easy for users, and it fights spam without hurting form conversion rates. None of these checks will stop a bot written specifically for your site, since they all run on the client and the server only ever sees a form value; binding that value to a server-issued, single-use token raises the bar considerably. The war on spambots is far from over. But this is the best of what’s out there for sites that don’t want to lose users.
Nice article, but I’m wondering what happens if the user has javascript disabled.
If javascript is disabled, it’ll tell users to turn on javascript to submit the form. But most screen reader users won’t have javascript disabled: http://www.brucelawson.co.uk/2011/javascript-and-screenreaders/
Is it really likely that more users will have CSS disabled than Javascript disabled?
Most modern browsers have the capability to disable JavaScript in their settings, as well as support for third-party add-ons, like NoScript, that disable JavaScript.
I think more screen reader users have CSS disabled than JavaScript. Not having JavaScript degrades the functional experience of a site. Not having CSS peels away the aesthetics of a site. Which do you think a screen reader user would rather have?
Not sure what the point is in “worrying” about the blind but airily stating that “users just have JavaScript enabled”. I care about both groups.
I use the honeypot, and it’s clearly labelled. Fronteers.nl uses something similar: a final question (which is hidden with JavaScript I believe, so those who *do* have it on don’t see it, don’t fill it in) asks if you’re a spammer. On the other side of the field, there’s some hint text “fill in No”. So if you don’t have JS, fine: you’re told not to leave it blank, but what you should fill in.
Users without JS do a hair more work, and, unlike the JavaScript-created checkbox, it allows ALL human users access.
When using a honeypot, you generally hide the blank field with CSS so the human users that have CSS turned on don’t even see it.
Both solutions are completely valid.
My only concern with the checkbox is that to someone who isn’t paying attention, it could look like you’re trying to get them to sign up for something.
JavaScript should not be required for performing trivial actions, such as commenting. There are many, many architectural reasons for that. Besides, many people browse with JS disabled for security and privacy purposes.
How about adding two checkboxes? “I am not a spambot” and “I am a spambot”. Both are unchecked by default. The second one is hidden via CSS. This would thwart bots that check everything and fill every field.
reCAPTCHA is too difficult to read.
If you are using the plugin, as I see below.
It is doing it all wrong, the box needs to be checked and the text needs to say like it does in your image above. Then if you are not a spammer it should be unchecked.
Spam bots know how to check things, but uncheck?
We don’t get much spam in the first place, but I am going to implement this right now and see what happens.
I don’t think that’ll work. If the checkbox is already checked, the spambot doesn’t have to do anything but fill in the remaining fields. Also, making the user uncheck a checkbox to submit the form is an odd and confusing request in and of itself.
Weston’s suggestion is that condition be reversed: the server-side check is for an unchecked checkbox – i.e., if it is checked the submission is spam.
Do spam bots even run JavaScript? It seems to me that simply inserting a hidden field via JavaScript is enough to combat spam if the bots don’t run JavaScript. The checkbox itself is unnecessary.
And the argument that people surf the web with CSS disabled is no different from the argument that people surf the web with JavaScript disabled. Besides, you can still target screen readers with CSS using the “media” attribute.
I was thinking the same thing: if the assumption is that the bot is not parsing JavaScript, a hidden field or a modification to the submit value should be enough to do the test without a normal user ever seeing a prompt.
Should be enough, but it’s not. Many spambots can detect and avoid honeypot fields. You should try them all out and see which one is most effective. Would love to see the results.
Here is a javascript hidden field example. I haven’t received any spam at all this way (and I have been using it for years) and if I would it is very easy to sophisticate it.
http://eastafricasafariventures.com/contact-us
PS. Putting the “I am not a spambot.” checkbox above this textarea would make it more likely to be seen.
I also have used the hidden checkbox field for a long time (years).
Never get any spam, but obviously it requires javascript to be enabled.
http://gavinbenda.com.au/contact
The hidden verification code (vc) input stores a randomly generated MD5 hash stored in a session server side, and inserts via JS.
@Geoffrey Lee I haven’t seen any media queries that successfully target screen readers. Which one do you use?
Have you tested this with users? I wonder how many ordinary users (non geeks) know what a spambot is and hence, know what the question is asking and how to answer it.
I’d make the checkbox say “I am human”. That’s clear to everybody 🙂
So, if no spam bot can execute client side code, why don’t you just insert a hidden field client side that has a value that needs to be there in order for the form to validate?
Google bot executes JavaScript, so I suppose spam bots will too.
It surely does work if a small percentage of people use it. However if it becomes more popular and less unique, it will be easy to work around.
The traditional Captchas are mainly used because they don’t require javascript.
If you decide to use javascript (I do) then there is no point in having a checkbox at all as you can easily generate a hidden field with an obfuscated string. No spam – no checkbox – no (visible) captcha 🙂
This depends on the nature of your site.
If you have a simple comments section that you’re trying to avoid the majority of generic spambots spamming, then this will work fine, as will any javascript approach (using jQuery to capture the onSubmit event and adding a hidden field prior to the http post would also do the trick), providing, as Stéphane points out, javascript is enabled.
However, if you’ve a site on which you’re trying to prevent automated sign-ups, and there is any value to someone writing a specific bot for your site (which is really very little work to do), then it is trivial for them to bypass this. You could randomise the field name and match it to a session variable (CSRF token style) which would make their life harder, but there’s a good reason why Google et al. have fallen back to the captcha, despite its very real issues.
If people are really targeting your site, captchas do not protect against spam signups either. They can use services like decaptcha which hire cheap typers to “solve” these images in bulk. If your site is worth targeting, a signup will probably be worth more than 1/10 of a cent.
It doesn’t work. If the spambot simply records the submit request sent to the server, it will include the checkbox tick and it can repeat it as often as it wants.
captchas work because the server sends a coded message and only a human can return the message.
Any solution involving javascript will not work.
Even if you get javascript to generate a captcha, you will have to give javascript the unencoded word to generate. The spambot will be able to get the unencrypted word to pass back.
You’re right, it’s not 100%. But it eliminates a lot more spam than not having anything at all.
It’s not complicated to write a spam bot that can run JavaScript 🙂
Totally agree. And no need even to write it. Just use a fake browser like the ones we use to test interfaces. In fact, it’s called “Fake” 😛
Although current spam bots couldn’t get around these captchas on your website, it is super trivial to write one that can. They will only work to stop spam until someone writes a spam bot specifically for the site, which won’t take a whole lot of effort. All it needs to do is submit the same information in the form that a valid form would have.
I agree with the checkbox captcha. However, I am not sure that all robots couldn’t run JavaScript…
This stuff does my head in. What about generating a random string and random string index to be used as the session index for the token ($_SESSION[$_SESSION[‘index’]]), stored in a server-side session for each page load, then AJAX posting the index and string to receive a pseudo-random token based on the previous random string (only if $_SESSION[$_SESSION[‘index’]] is set and equal to the random requested index/string), which is stored in a server-side session variable then injected into the form in a hidden field that is generated on the fly (so cannot be detected on a page load, as it is injected into the DOM when the doc is loaded), which is posted at submit time and compared to the token that was generated and stored server side?
The best captcha is a hidden email field. The real email field has a different name. Spam bots always put an email in the hidden email field, but a real user couldn’t do this.
I made some CSS-hidden fields with the name website and a hidden field with the name url. If one of those fields is filled in, the IP goes into a database of blocked IPs. Nothing is required from the user. That’s the perfect user experience :).
I was going to write a similar blog concerning this topic, you beat me to it. You did a nice job! Thanks and I will add your RSS to our blogs. Thanks so much, Jon B.
Tools like Selenium make it easy to do automated UI regression testing, but also makes it easy to make spam bots that use JavaScript.
But, blocking non-JS bots might be enough for you. If you get spam every once in a while, a checkbox, hidden field, or even JS that changes the form action URL might be enough.
Nice article, and interesting idea, but I like the honeypot method.
I believe JS must be supported. But not because of screen reader users; the same percentage of those users have JS enabled as “regular” users. Remember 1% or so of 100,000 is still 1,000 users you’re blocking. Cases include low-end mobile devices, corporate firewalls, broken JS, very old browsers, and text-only browsers.
There are many other accessible non-captcha methods here:
http://webaim.org/blog/spam_free_accessible_forms/
This method doesn’t work… if someone wants to register 1000 users on your site, he programs the bot to send a checkbox, or to not complete the “hidden field”… in that case you have to use a traditional captcha
Luciano
But it does work. I have proved it on my own site. Using Akismet I was often getting hundreds of spam a day. Now using Growmap Anti-Spambot Plugin (GASP) with the checkbox I get a big fat ZERO amount of spam.
A typical designer’s idea.
You need to take into account exactly what a CAPTCHA is, and what it’s designed to do.
A CAPTCHA is designed to prevent a script or program from filling out a form many times automatically, be it to make hundreds of spam email accounts, or to flood a messageboard with spam comments.
The idea behind a captcha is as follows: humans can perform the task, but a script cannot.
Your checkbox idea is not a CAPTCHA because It is simple to make a script that clicks the checkbox, just as a user might.
While the checkbox may decrease the number of users who decide not to sign up, you might end up with thousands of spam elements, and a waste of crucial server resources.
The bottom line: if you’re going to have something that doesn’t require human intelligence to pass, you might as well not have anything at all.
I totally agree with this last comment from Jason. This checkbox model can easily be defeated by a custom script. All you have is security by (slightly) obscurity.
Of course it will help a lot, because all the automated spambots that crawl the web do not work. But it will not work for anyone who targets your site specifically.
This is the same as writing your email as name(a)host.com – it will only work until somebody writes a bot that replaces (a) with @. BTW I had great success replacing @ with its HTML character entity in the HTML code.
In the end you can do something even simpler the achieve the same goal.
AAARG, I had to enable JavaScript to post this comment… FAIL!
I love this alternative to the ugly captcha. How about if javascript is turned on show checkbox, if not show the ugly captcha? Seems like the number of people with javascript turned off would be minimal so this should work…and still stops the spammers. I also think like everything else, the method used depends on your audience. If you have a lot of people with JS turned off this is not for you.
Seems a lot of people in previous comments are critical of the checkbox type setup. I hate having to type out captchas. If they are hard to read you have to keep clicking the refresh to get one you can read. I use GASP with the checkbox & it works so well I have uninstalled Akismet completely. Every time I check my Spam folder the amount is always ZERO…
Easy to criticize something if you haven’t tried it. GASP is the ultimate in anti-spambot defence.
Akismet is not accurate in targeting spam. Sometimes it’ll mark real comments as spam.
Both CAPTCHAs have their advantages and shortcomings, but when it comes to the ordinary user, who is not going to spam your website, he should have some solution which would help him complete CAPTCHA verifications.
And here comes Captcha Monster, a completely automated Firefox add-on which lets you forget about CAPTCHAs forever!
I’m willing to try the Checkbox Captcha, but am not a WordPress user (or any blogging software, for that matter).
The Growmap site offers a plug-in for WordPress, but does not suggest any script for non-Wordpress or non-blogger pages (i.e.: ordinary HTML).
I’ve searched the keyword string [“Checkbox Captcha” script], but was unable to find anything useful. Any suggestions as to where I should look?
Why do you not use JavaScript to offer the Send button? If a spambot has no Send button, I think it can’t send the form.
Interesting. I think that works too, but some spambots will still be able to interact with it.
Thank you for your answer. I prefer to hide the whole form with the submit button, because the visitors of my site don’t recognize that I make this check. So I do not disturb the contact workflow.
It should also work if you show the whole form with JavaScript. So you could be sure that bots without JavaScript “see” nothing.
Is it surely right that bots don’t use JavaScript? Are there any bots who use JavaScript?
I’d be thankful if you could answer me in a short comment.
An interesting concept and a great solution for smaller websites, however, this wouldn’t work for high-volume websites (traffic or revenue or both) because hackers would spend the time to develop a bespoke solution as the reward is worth the effort.
Appreciate your write-up about this method.
I am looking to incorporate captcha for our registration page. Because we also have a TOS that needs to be agreed to before sign-up occurs, I am considering using the checkbox as an agreement to the TOS. This way, we subvert spambot submissions while also not displaying an obvious captcha to the user.
Use an image next to the box if they have css disabled that says this is only for spambots to fill in. Then the spambot won’t see the text.
There is something I’m not getting with this somewhat popular technique. Since this technique forces the user to have Javascript enabled, why bother with a checkbox? Why not have a Javascript function that will put an obfuscated value in a hidden field, and you check the value of that field on the server. It’s as safe (or should I say unsafe) as the checkbox technique, but you won’t need the user to click on anything.
A safer technique would be to use an Ajax call to set a random value in a hidden field, a value that was also saved in the user’s session on the server. This way, the spammer would actually have to simulate sessions and call the Ajax script. Doable, but more work for them.
I’m surprised no one has even bothered using an input text field which is hidden through CSS, which means normal users wouldn’t be able to see it.
Simple really, if it is filled, then the request is invalid since it didn’t come from a “normal” user.
You can do the checking on client or server side as well.
Some bots DO run Javascript, and some browsers/plugins will autofill honeypot field even though it’s hidden.
I’ve actually suffered that on a couple of sites; I could not use the contact form or login, because the hidden field was being auto-filled by the browser.
You should read this: http://www.mindscapehq.com/blog/index.php/2011/04/03/a-failed-attempt-at-stopping-spam-bots/
Stating that the Javascript solution is better than the honeypot one is just stupid. There are enough people who have Javascript turned off, or their smartphone/mobile computer just doesn’t support it.
Very good article. The captcha on Facebook and reCAPTCHA are hard to read. Even a human cannot pass them.
I use Growmap Antispam Plugin for WordPress and it works perfectly – I forgot what spam is ;D
sometimes spammers use manual entry but it is rare
best regards!
This is totally pointless and protects nothing, if I want to attack the specific site with spam, it takes 1 line of JS to make this useless.
Anything that is pure client-side is useless.
It will stop the lousy random bots, but it will not stop someone who decides to attack your website – post comments, register users, try sql injection etc etc.
I can write from scratch a bot that posts multiple times in under 15 minutes.
A client/customer who doesn’t want to fill the captcha, is perhaps better off moving to Facebook, anyway.
A checkbox thing does not work, it can easily be checked by spam bots. C’mon.
Besides, just go and check the “WordPress” Growmap Anti Spambot Plugin, what a joke!
Seriously, one need to wonder if you wrote this article with a second thought in your mind!
The checkbox idea is good. But can I just create one of my own through the Form Mail that I have set up on my site?
Pseudo code we will be using: (NO JAVASCRIPT, CSS MANIPULATION, SERVER-SIDE CODE FOR CHECKING)
/* Stylesheet: hide the timer and the two trap fields from humans */
#start_timer { display:none; }
#email { display: none; } /* Spambot trap: If not empty, deny */
#email_address { position:absolute; left:-9000px; } /* Off screen trap for bots that can ignore display:none */
<!-- Form fields; the names follow the ids in the stylesheet above -->
<input type="hidden" id="start_timer" name="start_timer" value="<%= Now() %>"> <!-- Server time when the form was rendered -->
<input type="text" id="email" name="email" tabindex="-1" autocomplete="off"> <!-- Hidden field from the user -->
<input type="text" id="email_address" name="email_address" tabindex="-1" autocomplete="off"> <!-- Hidden field from the user -->
<input type="text" id="customers_email" name="customers_email"> <!-- Legit field that needs to be filled in for the real e-mail -->
############## SUBMIT CHECKER (classic ASP / VBScript) ##############################
Dim email, email_address, customers_email, total_time_to_submit, error_message
' Request.Form returns "" for a field that was not sent, so an empty-string test covers both the blank and the missing case
email = Trim(Request.Form("email"))
email_address = Trim(Request.Form("email_address"))
customers_email = Trim(Request.Form("customers_email"))
' Seconds between rendering the form and submitting it; a missing or unparsable timer counts as 0 (i.e. suspicious)
If IsDate(Request.Form("start_timer")) Then
    total_time_to_submit = DateDiff("s", CDate(Request.Form("start_timer")), Now())
Else
    total_time_to_submit = 0
End If
error_message = "Double Authentication Required: You have been detected as a Spam Bot. "
error_message = error_message & "If you received this message in error and would like to submit your e-mail: "
error_message = error_message & "Please Click Here To Continue Sending E-mail >> "
error_message = error_message & "An e-mail will be sent to " & customers_email & ". Please click on the link in the e-mail to verify you are human. Thank-You!"
' Both traps must be empty (a human never sees them), and a human needs more than 5 seconds to fill in the form.
' Note the timer value comes from the client, so a bot that rewrites it passes the time check; the traps are the real test.
If email = "" And email_address = "" Then
    If total_time_to_submit <= 5 Then
        Call Spam_Bot_Error(error_message) ' Double authentication required
    Else
        Call Send_Email(customers_email)
    End If
Else
    Call Spam_Bot_Error(error_message) ' Double authentication required
End If
Guess what percent of the people have JavaScript disabled as of 2014? or have CSS disabled.
1% or 2%
Try an invisible captcha on http://www.invisible-captcha.com 😉
I’m wondering what happens if the end user is physically disabled, cannot use a mouse, and has to rely on keyboard commands to facilitate use on a web page: unless you can select the element and use the arrow keys to nudge the button across, this is an enormous usability fail.