Blocking the bots: a clever way to stop spammers
I encountered an interesting problem a couple of weeks ago, when a website I’d written years ago became a target for spammers.
A simple page on the site enables users to request further information, but recently the site owners had started to receive lots of spam-type requests for this. They got in touch to ask what could be done about it, since they felt they were in danger of missing genuine enquiries among the hundreds of spam requests.
It was obvious that the requests were being generated by bots automatically filling in and submitting the web form, so my first suggestion was to add a Captcha element to the form – the sort of thing that displays a series of wiggly, distorted characters and numbers that you have to recognise and type in.
The theory is that only humans can make sense of such images, but so much distortion is applied that often human users can’t make sense of them, either. As such – and because of a deep mutual hatred for the things – my client asked if there was an alternative solution.
I’d seen sites that display a simple sum and ask for the answer, or show a picture and ask what it is, both of which seem like possible solutions. However, while talking to the clients, I had another idea, and asked if I could try something out and get back to them.
It had occurred to me that these bots simply fill in all the form fields and submit the page, so perhaps there would be a simple way to confuse them? If we put an extra field on the form that wasn’t used, and hid this using CSS “visibility: hidden”, a human user wouldn’t see it, and so wouldn’t enter anything into it; a bot, however, would be fooled into filling the field.
All we’d then have to do is test to see if this field contained anything; if it did, we could simply dump that form, since it must have come from a bot.
I wasn’t sure this would work, since it depended on bots not using the page’s stylesheet to render it. It turns out, however, that I needn’t have worried – it worked like a dream.
Five minutes of coding was all it took to stop the spam submissions. It’s a useful technique that you’re free to use on your own sites, although my usual 5% commission applies…
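The hidden-field check described above, sketched as an added example rather than the code used on the site in this article. The field name `website`, the form markup, the `tabindex`/`autocomplete` attributes and the function name are assumptions, and the extra rejection of requests that omit the decoy field altogether goes one step beyond what the article describes.

```javascript
// Added example; HONEYPOT_FIELD, FORM_HTML and classifySubmission are hypothetical names.
const HONEYPOT_FIELD = "website"; // assumed decoy name, never shown to or used by humans

// The form with the extra field hidden via the CSS rule the article describes.
// tabindex/autocomplete are assumptions to keep keyboard users and autofill out of it.
const FORM_HTML = `
<form method="post" action="/enquiry">
  <label>Name <input name="name"></label>
  <label>Email <input name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <input name="${HONEYPOT_FIELD}" style="visibility: hidden"
         tabindex="-1" autocomplete="off">
  <button type="submit">Send</button>
</form>`;

// Classify a raw application/x-www-form-urlencoded POST body.
function classifySubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const decoy = params.getAll(HONEYPOT_FIELD);
  // A browser still submits a CSS-hidden input (as an empty string), so a
  // body without the field did not come from a rendered copy of the form.
  if (decoy.length === 0) return { accept: false, reason: "decoy-missing" };
  // Anything at all in the decoy means something filled a field no human saw.
  if (decoy.some((value) => value !== "")) return { accept: false, reason: "decoy-filled" };
  params.delete(HONEYPOT_FIELD);
  return { accept: true, reason: "ok", fields: Object.fromEntries(params) };
}

// Constructed sample request bodies (not taken from the site in the article).
const SAMPLES = {
  human: "name=Ann&email=ann%40example.com&message=Please+send+a+brochure&website=",
  bot: "name=x&email=x%40example.net&message=cheap+pills&website=http%3A%2F%2Fspam.example",
  directPost: "name=x&email=x%40example.net&message=hello",
};

for (const [label, body] of Object.entries(SAMPLES)) {
  console.log(label, classifySubmission(body).reason);
}
```

Recording the rejection reason alongside each dropped submission lets the site owners confirm that no genuine enquiries are being discarded.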