Skip to Main Content

Captchas, Form Validators & Web Form Spam in Focus

Posted on 5.09.2016

Web forms are an essential part of the digital experience but often websites don't make it easy for users to complete their submission. In many ways CAPTCHA's are to blame as they can make it near impossible for a user to submit which can be quite frustrating for everyone involved. 

Fortunately, there are some interesting solutions which are addressing the Web form spam problem such as HookForms. Rather than relying on users correctly interpreting CAPTCHAs, HookForms uses a mix of honey pots, human questions, and analysis of content, IP address and cache to filter out spammers. It not only a creative and effective solution to a real problem but is actually quite easy to integrate for developers as well - requiring a single script and one line of code.

Website Magazine posed a few question to HookForms co-founder Logan Thompson about the problem of Web spam on forms, why CAPTCHA's just aren't doing the job any longer and how Hookforms is different from its form validator competition.

 SUBSCRIBE to Website Magazine & Accelerate 'Net Success

WM: Just how significant is form spam?

LT: Form spam is much more dangerous than regular, direct-email spam. Spammers attacking through your forms are probing, in hopes to strike gold in the form of a vulnerability in your mail server – vulnerabilities a lot of PHP mail servers will have, especially if they’re out of date. This is an enormous risk people don’t necessarily consider, and they think of spam as just a nuisance.

What these creeps really want is to hijack your mail server and use it to relay their spam, effectively turning your own server into a spam factory to then attack more people. This would also probably end with your server getting blacklisted, basically turning it into a very expensive paperweight.

Unfortunately, form spam is still extremely prevalent and getting much smarter all the time. If you google “contact form spam,” “stop form spam” or something similar, you’ll find the most popular tips and tricks for stopping form spam. Then you’ll find all the ways spammers are keeping up with those and beating them.

These usually include things like honeypots, where you drop a “hidden” field into your form to see if a bot will fill it out. If it does, you don’t allow the form to submit. The problem is, it’s extremely easy to program a spambot to skip these hidden fields based on their CSS or other things that make them not-so-hidden.

Security comes into play here as well. Often times company employees will click links that look very legitimate, and nothing says legitimacy like, “Message from your website.” If a spammer can get you to click a link in there, they have you.

WM: What is the problem with Captchas today?

LT: Captchas put the burden of proving humanity on the real people. We want to reverse this notion, so real people can be left alone. By checking back-end criteria and catching bots based on automated behavior, we can take away that burden and encourage a smoother, more secure data exchange.

If you don’t make your site easy to use, people won’t use it.

Difficult-to-read, scrambled word tests annoy people (who are also afraid to get it wrong) and drag out their process. Google’s image-based Captchas are often even more confusing, asking people to ‘select all images that match this one,’ then show you varying levels of matching.

People don’t want to feel as if you distrust them; and beyond that, they don’t want to jump through hoops for the privilege of filling out a form.

The newest reCAPTCHA uses a checkbox to verify you. This sounds great, but the creepy part of it is the way it verifies you. reCAPTCHA is a Google product, and it uses the data it has mined on you from searches, email and other Google magic to say, “Okay, you’re probably human.” Using that data in that way gives me the willies. And because reCAPTCHA is well-known and its front-end position makes it very obvious to identify, it is now target number one on spammers’ list of things to beat.

In the end, we know Captchas can do some good, but they’ve served their purpose. In 2016 Captchas are no longer necessary, as we have access to much more data at our disposal that has no chance of inconveniencing people.

WM: In what way does Hook Forms differentiate from the competition?

LT: There’s really nothing out there like Hook Forms in terms of spam-blocking techniques. We like what the other guys have started; they began down a nice road, and now we are taking it to the logical next step.

This idea of smarter, built-in spam blockers was really the nexus of Hook Forms. Most of these are listed on, and include things you won’t see anywhere else – for example:

• Content Scoring – We check for successions of weird characters in content, repeat content, flagged or ‘spammy’ words, and more

• Form caching – Spambots will cache your form en route to spamming you and trying to hijack your mail server

• Time spent on the page before submitting

• IP address switching (hand-offs)

• Form HTML tampering – This is one of the coolest ones; we actually detect any sort of manipulation of the form, including adding and removing fields, changing the ID or class name, etc.

These take the burden off of real users (instead of forcing captchas on them, for example), AND they all work alongside traditional front-end spam filters like honeypots and random, human-friendly questions – which we also generate and insert dynamically.

Hook Forms are also 100% customizable, because they’re 100% your own code. We don't jam a heavy, insecure iFrame into your website like some of the others. I’m sure readers are familiar with the issues involved with iFrames, and if not I’d encourage them to look into it. We also don’t put in a bunch of inline styling. We trust developers to handle that, and we want it to be easy to style your form in absolutely any way you like.

All submissions are SSL encrypted. Some other form processors only do this if you pay a certain premium, or limit SSL. To us, there is only one way to submit user data, and we will never let anything leave the page unencrypted.

It's compatible with absolutely any website on any platform. I've gotten several questions about WP integration. It'll work with WordPress, totally custom forms, Jekyll, anything at all. Just add the HF id to the form, drop in the JS and it will do its business.

For the technical guys, you can have form content posted to a URL somewhere so you can stop spam on, say, a signup form. Hook Forms lets you take that data as you would any POST and continue to create users on your server like you would have normally. You just get the added benefit of blocking spammy sign-ups and clogging your database with fake users in this case.

Some of the standard form-routers offer a ‘free’ version, but it’s often very limited and they are really just funneling you into a paid plan. The features tend to stay the same, but they’ll give you more submissions and then you’re already stuck with something that either doesn’t use SSL, makes you use a ‘theme’ for styling, and/or puts an iframe into the middle of your website. Then there’s that whole spam thing.

+ How important is integration with third-parties like Shopify or Wix?

LT: It’s essential – not as a plugin, but even simpler. We wanted you to be able to simply turn any form within those platforms into a Hook Form. We put a lot of energy into making Hook Forms compatible with any website out there, and we love to see examples of that implementation. So no matter what you use, the process is the same. Just drop in the code and go.

Today's Top Picks for Our Readers:
Recommended by Recommended by NetLine

Leave Your Comment

Login to Comment

Become a Member

Not already a part of our community?
Sign up to participate in the discussion. It's free and quick.

Sign Up


Leave a comment
    Load more comments
    New code