Stop Bots from Spamming Your Client's CAPTCHA

Kayla Foran
May 14, 2014
Web Development, Web Strategy

As a web developer, taking measures to prevent spammers from flooding a website's forms is a best practice that should always be kept in mind. Like any other technology, spamming software has expanded and improved over time. Spammers are getting smarter day by day, modernizing the way their bots react to spam prevention so that they stay ahead of the curve.

I learned this when one of our clients reported that their "contact us" forms were being spammed. The spamming was happening multiple times a day, and the volume of bot submissions made it extremely difficult for them to find legitimate form submissions. Originally we added a standard CAPTCHA to the form: an image of distorted text and a text box into which the user must type exactly the text shown in the image above it.

The Honey Pot Trap

Unfortunately this did not keep the bots from spamming our client. They still reported hundreds of spam emails being received by their system. I did some research and discovered that spammers are now programming bots that are "smarter", so I had to determine what could keep them from spamming our client. I found a solution called a 'Honey Pot Trap'. The idea of the Honey Pot Trap is to add a field to the form that is hidden from human visitors (typically with CSS, since an input of type "hidden" is trivial for a bot to recognize). Because bots scan the form for all fields and enter data into every one of them, the hidden field is no longer empty upon submission, and the server can discard the request. Although this has worked in the past, bots have evolved past this prevention: a bot that renders the page or inspects the stylesheet can determine whether a field is hidden and simply leave it blank.

The Reverse Honey Pot Trap

I discovered that although bots can simulate button clicks, the bots hitting our form did not simulate a hover state. With this discovery, I decided to create what I call a 'Reverse Honey Pot Trap'. I created a hidden field on the form pre-filled with the text "I am a spammer". This hidden field is emptied when the user hovers over the submit button. So upon submission of the form, the code checks the hidden field, and if the hidden field is empty, we know the submission came from a human user rather than a spammer. Two caveats are worth keeping in mind: a bot that drives a real browser can dispatch a mouseover event just as easily as a click, and a keyboard-only user who tabs to the submit button and presses Enter never hovers it at all. The field should therefore also be cleared when the submit button receives focus, and the trap treated as one filter among several rather than as proof of a human.

Staying Ahead of the Spammers

If the hidden field still has a value, the submission is not delivered, and the code writes an entry to a log file, keeping track of the spamming. The user-facing response stays the same in both scenarios because we don't want the spammer realizing their submission didn't go through. With spam bots and spammers ever evolving, we must evolve too. This is just one of many examples in which a little bit of research and critical thought can go a long way.

Have you tried solving this issue? Or have you had success with the Honey Pot Trap? Let us know in the comments about your experience!
