Readers Respond: How Do You Protect Your HTML Forms from Spammers?

Responses: 6

By Jennifer Kyrnin, About.com Guide

See More About:

I have a number of forms on this website, and they are all protected in various ways. Some of the ways I protect my forms include:

Filters on the results
Many of my forms do not put the contents live right away. They are first filtered by spam filters to make sure the message isn't spam.
Approval by me
The contents of this page's form will not be put live until I've read it. This form is also filtered, but some spam still gets through. I don't publish the spam.
Simple CAPTCHAs
On some forms I use simple CAPTCHAs to let me know if a robot has filled out the form or not.

Hi you've given lots of good options but could you guys give an example in HTML. --- from Jennifer: unfortunately, there is no way to protect a form using just HTML.
—Guest RoninSamurai

I wanted a solution that was dynamic, challenging enough for a spambot but not for a user, and something that could overcome the issues associated with using images or JavaScript. I currently use WordPress to power the blog section of my site, and even though it has a great spam filter, I was tired of getting so many spam comments in my comment que. I wanted a way to prevent the spam comment even happening in the first place. The solution I developed asks the person to type in the first word of the title of the post they're commenting on. I like this solution because it's ridiculously simple, works w/o images, works with screen readers, and even takes the literacy of the reader into consideration (they can simply type the word they see). You can see it in action here .
—dbmartin

Some techniques can hinder accessibility, and blind users may actually be unable to complete a form. That may be the case with Steve's random picture technique. In order to give blind users a chance you'd have to put the character shown in alt text - something that spambots would be looking for presumably. The hidden fields idea interests me although some screen readers may not obey the display:none CSS statement. Also, if CSS is disabled the form field becomes visible. I guess the label for this field could say "Don't fill in this field" but do spambots actually read/interpret the label for a form field? On my own forms and to mask email address I use Recaptcha (free at http://recaptcha.net/) - also used by a growing number of other sites. Although it suffers from the pitfalls of any CAPTCHA at least you can request a new image if you don't get the first one. It also offers an audible option too - thus satisfying the WCAG2.0 accessibility guidelines.
—GrahamA

Sometimes, I include in the form a box that must be filled with the sum of today's date plus the actual year. For instance, is today is september 24, 2009, the number must be 24+2009=2033. The number must be 2033.
—VictorFRodriguez

I have created about 60 images of individual letters, upper case and lower case and numbers - I don't use zero and one, and the letters i and o. I use a random number generator to generate a number between 1 and 60 - six times consecutively. This might generate, for example: 18 32 25 42 9 12 I use this to stick 18.jpg, 32.jpg, 25.jpg etc next to each other - which creates an image containing six randomly generated images which, to the user, might look like: a7Jm2P I hold this in memory on the server and,when the form is submitted, compare what is in a particular text box with what I have held in memory. If they match, fine, if not - form is not submitted. No-one has beaten this yet, when they do, I'll ask people to enter the string backwards, or second letter first etc - so a human has to be looking.
—Guest Steve

Jennifer Kyrnin
Web Design / HTML Guide