Contact Form CAPTCHAS Need to Die a Horrible Death
by admin
We all know that spam is a productivity killer and potential security threat.
For online companies offering free accounts or for fully-automated and resource-intensive online applications, protecting from automated “bots” is always a major challenge. If millions of virus-infected computers suddenly decided to sign up for accounts at once, it could shut down most online services.
In order to prevent this kind of attack, a test was developed to deduce whether the person signing up is, in fact, human. These tests are called CAPTCHAs, which stands for:
- Completely
- Automated
- Public
- Turing test to tell
- Computers and
- Humans
- Apart
Unfortunately, this technology causes an inconvenience to the end-user for the benefit of the IT administrator. For this reason, I believe that it should NEVER be used in a company contact form.
Aside from the standard image CAPTCHAs, some sites instead ask a text-based math question such as "How much is eight minus seven?".
The hidden cost of a CAPTCHA
When a prospect arrives at your web site, you want to convert them as quickly as possible.
And with contact forms, your chances of getting the sale go down with each additional form field that the end-user must fill out. That’s why you want to restrict your contact form to ONLY the information which provides value to the sales process.
- Name
- Company
- Email
- Phone
- Description
As the list of fields grows, so does your cost per sale.
When you install a CAPTCHA on your contact form, you’re driving sales away from your site without adding any extra value to the sales process.
Of course, removing the CAPTCHA will make you the target of spam. And although it’s only a minor inconvenience for most sites, it can cause an overwhelming flood of spam for others.
For all sales-related forms, any human-detecting tests must be 100% automated on the server side.
Thankfully, since many companies design their own contact forms in PHP, there are a few features that you can easily add to your code in order to cut down on spam without punishing your clients for the misdeeds of others.
Check For A Browser
- Crude bots often POST field values straight at the form handler without sending the request headers a real browser does. Check that a User-Agent header (which carries the browser name and operating system) is present; if it is missing, a human probably did not fill out the form. Treat this as nothing more than a cheap first filter, though: the header is trivially forged, so a present User-Agent proves nothing.
- Another way of checking for a browser is to set a cookie when the person lands on your page, and to record its value in the session at the same time. If the form is submitted without that cookie, or with a value that does not match what you recorded, the sender probably did not use a browser that loaded your page. 10 years ago, this would've been very hit-and-miss, since many people blocked cookies. But today, everyone uses online applications that require cookies to log in, so it's no longer a problem. A bot that fetches the page before posting will pass this check, so again treat it as a filter rather than proof.
- A third way of checking for a browser is to include a hidden field in the form that is empty in the HTML and is filled in by JavaScript when the page runs. If the field arrives blank or with the wrong value, a JavaScript-enabled browser was not used, and the sender is probably not human. Make the expected value unpredictable (a per-page-load token stored in the session) rather than a constant, or a bot only has to read your script once; and expect the occasional bot that drives a real browser to pass.
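The three browser checks above, implemented together as an added example (this is not code from the original post). It assumes PHP 7 or later; the request data is passed in as plain arrays so the functions can be exercised from the command line with constructed input, where a real handler would pass `$_SERVER`, `$_POST`, `$_COOKIE` and `$_SESSION`. The field names `form_token` and `js_check` are arbitrary choices.

```php
<?php
declare(strict_types=1);

// Added example: the three "was a real browser used?" checks for a PHP contact form.
// Arrays stand in for $_SERVER, $_POST, $_COOKIE and $_SESSION so this runs from the CLI.

// Runs when the page carrying the form is rendered (GET).  One random token is stored
// in the session, handed to the browser as a cookie, and written into the hidden field
// by an inline script.  Tying both checks to server-side state matters: without it a
// bot could send any cookie, or any non-empty hidden value, and pass.
function prepareForm(array &$session): array
{
    $token = bin2hex(random_bytes(16));              // 32 hex chars, unguessable
    $session['form_token'] = $token;
    // In a real page: setcookie('form_token', $token, ['httponly' => true, 'samesite' => 'Lax']);
    $js = json_encode($token, JSON_HEX_TAG | JSON_HEX_AMP);
    return [
        'cookie' => ['form_token' => $token],        // what the browser sends back
        'html'   => '<input type="hidden" name="js_check" id="js_check" value="">'
                  . '<script>document.getElementById("js_check").value=' . $js . ';</script>',
    ];
}

// Check 1: browsers always send User-Agent; crude bots often send none.
// Weak signal only, since the header is trivially forged.
function hasUserAgent(array $server): bool
{
    return isset($server['HTTP_USER_AGENT']) && trim((string) $server['HTTP_USER_AGENT']) !== '';
}

// Check 2: the cookie must come back AND match the copy kept in the session.
function hasValidCookie(array $cookie, array $session): bool
{
    return isset($cookie['form_token'], $session['form_token'])
        && hash_equals((string) $session['form_token'], (string) $cookie['form_token']);
}

// Check 3: the hidden field is empty in the HTML and only filled by JavaScript,
// so a client that never executed the page's script posts it blank.
function hasJsToken(array $post, array $session): bool
{
    return isset($post['js_check'], $session['form_token'])
        && hash_equals((string) $session['form_token'], (string) $post['js_check']);
}

// Run all three; a person in an ordinary browser passes every one.
function looksLikeBrowser(array $server, array $post, array $cookie, array $session): array
{
    $r = [
        'user_agent' => hasUserAgent($server),
        'cookie'     => hasValidCookie($cookie, $session),
        'javascript' => hasJsToken($post, $session),
    ];
    $r['pass'] = !in_array(false, $r, true);
    return $r;
}

// ---- Demo on constructed requests (not captured traffic) ---------------------------
$session = [];
$page = prepareForm($session);                       // the prospect loads the page

// A real browser: sends a User-Agent, returns the cookie, and ran the inline script.
$human = looksLikeBrowser(
    ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0'],
    ['name' => 'Ann', 'js_check' => $session['form_token']],
    $page['cookie'],
    $session
);

// A crude bot: POSTs field values straight to the handler without loading the page.
$bot = looksLikeBrowser(
    [],
    ['name' => 'Cheap OEM software', 'js_check' => ''],
    [],
    $session
);

echo 'browser submission: ', json_encode($human), PHP_EOL;
echo 'bot submission:     ', json_encode($bot), PHP_EOL;
```

Run it with `php browser_checks.php`; the first line reports every check true, the second every check false. Note the use of `hash_equals` for the comparisons: it is the constant-time string comparison PHP provides, and it also refuses to treat an unexpected array value in the POST as equal to anything.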
Check For Humans
- A less intrusive way of giving a Turing test is to add both a Send and a Cancel button to your contact form. These buttons should be images, and should switch places randomly with every page load. A bot that submits the form has to pick one of the two, so one that guesses at random gets through only half the time. For that to hold, the button names must also change with every page load and be recorded in the session; if the Send button is always named "send", the bot simply reads the HTML and picks it every time.

- Another option is a single moving Send button that is placed at a different location every time the page loads. This can be done with a very large server-side image map that has only one "hot" area that submits the form. When the prospect clicks the image, the browser sends the click coordinates to the server, which checks whether they fall inside the hot area it chose for that page load (and then forgets that area, so a bot gets exactly one guess per load). The trade-off is accessibility: a prospect who cannot use a pointer, such as a keyboard or screen-reader user, has no way to land a click inside the hot area and cannot submit the form.

Both of these tactics are so subtle that the end-user won’t even know they’re being tested.
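Both button tests, as an added example rather than code from the original post. As before it assumes PHP 7 or later and uses arrays in place of `$_SESSION` and `$_POST` so it runs from the command line. The image dimensions, the field name `go`, and the image file names are assumptions; drawing the Send graphic at the chosen hot spot is not shown.

```php
<?php
declare(strict_types=1);

// Added example: the random Send/Cancel buttons and the moving hot-area button.
// The correct answer is kept in the session and thrown away after one attempt.

// Test A: Send and Cancel as image buttons.  Their names are random per page load and
// their order is swapped at random, so neither position nor a fixed name reveals Send.
function prepareButtons(array &$session): string
{
    $send   = 'b' . bin2hex(random_bytes(4));
    $cancel = 'b' . bin2hex(random_bytes(4));
    $session['send_button'] = $send;
    $buttons = [
        sprintf('<input type="image" name="%s" src="send.png" alt="Send">', $send),
        sprintf('<input type="image" name="%s" src="cancel.png" alt="Cancel">', $cancel),
    ];
    if (random_int(0, 1) === 1) {
        $buttons = array_reverse($buttons);
    }
    return implode("\n", $buttons);
}

// A browser submits a clicked <input type="image" name="NAME"> as NAME.x and NAME.y;
// PHP turns the dots into underscores, so the keys in $_POST are NAME_x and NAME_y.
function sendButtonClicked(array $post, array &$session): bool
{
    $name = $session['send_button'] ?? null;
    unset($session['send_button']);                  // one guess per page load
    return $name !== null && isset($post[$name . '_x'], $post[$name . '_y']);
}

// Test B: one large image whose only "hot" rectangle submits the form.
// Assumed dimensions in pixels.
const MAP_W = 600;
const MAP_H = 200;
const HOT_W = 120;
const HOT_H = 40;

function prepareHotArea(array &$session): array
{
    $area = [
        'x' => random_int(0, MAP_W - HOT_W),
        'y' => random_int(0, MAP_H - HOT_H),
        'w' => HOT_W,
        'h' => HOT_H,
    ];
    $session['hot_area'] = $area;
    return $area;
}

// The image is <input type="image" name="go">, so the click arrives as go_x / go_y.
function clickedHotArea(array $post, array &$session): bool
{
    $a = $session['hot_area'] ?? null;
    unset($session['hot_area']);                     // one click per page load
    if ($a === null || !isset($post['go_x'], $post['go_y'])) {
        return false;
    }
    $x = (int) $post['go_x'];
    $y = (int) $post['go_y'];
    return $x >= $a['x'] && $x < $a['x'] + $a['w']
        && $y >= $a['y'] && $y < $a['y'] + $a['h'];
}

// ---- Demo on constructed submissions ---------------------------------------------
$session = [];
echo prepareButtons($session), PHP_EOL;
$sendName = $session['send_button'];
// A person clicked Send: the browser posts coordinates under this load's random name.
var_dump(sendButtonClicked([$sendName . '_x' => '17', $sendName . '_y' => '9'], $session));
// A bot loads a fresh page but replays the button name it scraped from an earlier one.
prepareButtons($session);
var_dump(sendButtonClicked(['b0badf00d_x' => '1', 'b0badf00d_y' => '1'], $session));

$area = prepareHotArea($session);
// A person who clicked inside the Send graphic.
var_dump(clickedHotArea(['go_x' => (string) ($area['x'] + 5), 'go_y' => (string) ($area['y'] + 5)], $session));
// A bot that cannot see the graphic: here, one pixel past its right edge.
$area = prepareHotArea($session);
var_dump(clickedHotArea(['go_x' => (string) ($area['x'] + $area['w']), 'go_y' => (string) $area['y']], $session));
```

The two `var_dump` calls for the human submissions report true and the two for the bot report false. Discarding the session value inside the check is what turns the 50% guess into a cost for the bot: every wrong guess forces a fresh page load before the next attempt.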
Form Validation
- On your contact form, use a PHP script to validate the sender's phone number and email address on the server. This ensures they aren't just entering gibberish into those fields. But please, NEVER make anyone type their email address twice for verification. (This is just a horrible idea.)
- Since many spam bots are built to post hyperlinks into web-site comments, you can also discard any message whose text contains "href" (match it case-insensitively). This eliminates a substantial portion of contact form spam.
- It also helps to keep a list of keyword filters such as "viagra", "forex", "OEM software", etc. This is one of the more traditional spam-filtering methods, and it still works very well.
These are just a few of the many tactics that you can implement on your web site to eliminate contact form spam without inconveniencing your end-users. Now that you have no more excuses, I never want to see another contact form CAPTCHA again!
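The validation and content filters above, as an added example that is not the original post's code. It assumes PHP 7 or later and that the form carries an email field alongside name, company, phone and description. The keyword list is a placeholder to extend from your own spam, and the phone rule (7 to 15 digits after stripping formatting) is an assumption that fits the E.164 maximum length.

```php
<?php
declare(strict_types=1);

// Added example: server-side validation plus the "href" and keyword filters.

function validEmail(string $email): bool
{
    // filter_var applies RFC-style address syntax rules; no "type it twice" field needed.
    return filter_var(trim($email), FILTER_VALIDATE_EMAIL) !== false;
}

function validPhone(string $phone): bool
{
    // Accept any formatting ("+1 (555) 010-0199", "555.010.0199") and judge the digits.
    $digits = preg_replace('/\D+/', '', $phone);
    return $digits !== null && strlen($digits) >= 7 && strlen($digits) <= 15;
}

function containsLink(string $text): bool
{
    // Comment spam carries HTML or BBCode links: catch href=, <a ...> and [url=...]
    // regardless of case.  Bare "http://" URLs are deliberately left alone, because
    // a genuine prospect may well paste their own web address.
    return preg_match('~href\s*=|<a\b|\[url[=\]]~i', $text) === 1;
}

// Assumed starting list; grow it from the spam you actually receive.
const SPAM_KEYWORDS = ['viagra', 'cialis', 'forex', 'oem software', 'casino'];

function matchedKeywords(string $text): array
{
    $norm = preg_replace('/\s+/', ' ', $text) ?? $text;   // "OEM   software" -> "OEM software"
    $hits = [];
    foreach (SPAM_KEYWORDS as $kw) {
        // \b keeps a short keyword such as "forex" from matching inside a longer word.
        if (preg_match('/\b' . preg_quote($kw, '/') . '\b/i', $norm) === 1) {
            $hits[] = $kw;
        }
    }
    return $hits;
}

// One verdict per submission.  Validation errors go back to the prospect; a spam
// verdict is dropped silently, since telling a bot why it failed only helps the bot.
function checkSubmission(array $post): array
{
    $errors = [];
    $email = trim((string) ($post['email'] ?? ''));
    $phone = trim((string) ($post['phone'] ?? ''));
    $text  = (string) ($post['description'] ?? '');

    if (!validEmail($email)) {
        $errors[] = 'Please enter a valid email address.';
    }
    if (!validPhone($phone)) {
        $errors[] = 'Please enter a valid phone number.';
    }
    $keywords = matchedKeywords($text);
    $spam = containsLink($text) || $keywords !== [];

    return [
        'accept'   => $errors === [] && !$spam,
        'errors'   => $errors,
        'spam'     => $spam,
        'keywords' => $keywords,
    ];
}

// ---- Demo on constructed submissions ---------------------------------------------
$prospect = [
    'name' => 'Ann Example', 'company' => 'Example Ltd',
    'email' => 'ann@example.com', 'phone' => '+1 (555) 010-0199',
    'description' => 'We need a quote for 40 seats. Our site is http://www.example.com',
];
$spammer = [
    'name' => 'x', 'company' => 'x', 'email' => 'not-an-address', 'phone' => '123',
    'description' => 'Cheap OEM  software!! <a href="http://spam.example/">click</a>',
];
echo json_encode(checkSubmission($prospect), JSON_PRETTY_PRINT), PHP_EOL;
echo json_encode(checkSubmission($spammer), JSON_PRETTY_PRINT), PHP_EOL;
```

The prospect's submission is accepted (the bare URL in the description is not penalised); the spammer's is rejected on all three counts, with `oem software` listed under `keywords`.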
What are some other convenient tactics you can use to eliminate contact form spam?
Mike
Apr 24th, 2011
Good ideas, I really like them. I only wish webmasters were smart enough to incorporate your ideas instead of the archaic captcha system, what a hoax.
Butchas
Dec 17th, 2011
I like your ideas, may try some in my upcoming challenge page. Besides the typical session ID and time duration tests I would include a few random questions that are site-specific.