Captchas, Form Validators & Web Form Spam in Focus

Web forms are an essential part of the digital experience, but websites often don't make it easy for users to complete a submission. In many ways CAPTCHAs are to blame: they can make it nearly impossible for a user to submit a form, which is frustrating for everyone involved.

Fortunately, there are some interesting solutions addressing the Web form spam problem, such as HookForms. Rather than relying on users correctly interpreting CAPTCHAs, HookForms uses a mix of honey pots, human questions, and analysis of content, IP address and cache to filter out spammers. It is not only a creative and effective solution to a real problem but is also quite easy for developers to integrate, requiring a single script and one line of code.

 

Website Magazine posed a few questions to HookForms co-founder Logan Thompson about the problem of Web spam on forms, why CAPTCHAs just aren't doing the job any longer and how HookForms is different from its form validator competition.


 

LT: Form spam is much more dangerous than regular, direct-email spam. Spammers attacking through your forms are probing, in hopes to strike gold in the form of a vulnerability in your mail server - vulnerabilities a lot of PHP mail servers will have, especially if they're out of date. This is an enormous risk people don't necessarily consider, and they think of spam as just a nuisance.

 

What these creeps really want is to hijack your mail server and use it to relay their spam, effectively turning your own server into a spam factory to then attack more people. This would also probably end with your server getting blacklisted, basically turning it into a very expensive paperweight.

 

Unfortunately, form spam is still extremely prevalent and getting much smarter all the time. If you google "contact form spam," "stop spam" or something similar, you'll find the most popular tips and tricks for stopping spam, then all the ways spammers are keeping up with those beating them. These usually include things like honeypots, where you drop a "hidden" field into your form to see if a bot will fill it out. If it does, you don't allow the form to submit. The problem is, it's extremely easy to program a spambot to skip these hidden fields based on their CSS or other things that make them not-so-hidden.

 

Security comes into play here as well. Oftentimes company employees will click links that look very legitimate, and nothing says legitimacy like, "Message from your website." If a spammer can get you to click a link in there, they have you.

 

 


 

In the end, we know Captchas can do some good, but they've served their purpose. In 2016 Captchas are no longer necessary, as we have access to much more data at our disposal that has no chance of inconveniencing people.

 

 

- Content Scoring - We check for successions of weird characters in content, repeat content, flagged or 'spammy' words, and more

- Form caching - Spambots will cache your form en route to spamming you and trying to hijack your mail server

- Time spent on the page before submitting

- IP address switching (hand-offs)

- Form HTML tampering - This is one of the coolest ones; we actually detect any sort of manipulation of the form, including adding and removing fields, changing the ID or class name, etc.

 

These take the burden off of real users (instead of forcing captchas on them, for example), AND they all work alongside traditional front-end spam filters like honeypots and random, human-friendly questions - which we also generate and insert dynamically.

 

Hook Forms are also 100% customizable, because they're 100% your own code. We don't jam a heavy, insecure iFrame into your website like some of the others. I'm sure readers are familiar with the issues involved with iFrames, and if not I'd encourage them to look into it. We also don't put in a bunch of inline styling. We trust developers to handle that, and we want it to be easy to style your form in absolutely any way you like.

 

All submissions are SSL encrypted. Some other form processors only do this if you pay a certain premium, or limit SSL. To us, there is only one way to submit user data, and we will never let anything leave the page unencrypted.

 

It's compatible with absolutely any website on any platform. I've gotten several questions about WP integration. It'll work with WordPress, totally custom forms, Jekyll, anything at all. Just add the HF id to the form, drop in the JS and it will do its business.

 

For the technical guys, you can have form content posted to a URL somewhere so you can stop spam on, say, a signup form. Hook Forms lets you take that data as you would any POST and continue to create users on your server like you would have normally. You just get the added benefit of blocking spammy sign-ups and clogging your database with fake users in this case.

 

Some of the standard form-routers offer a 'free' version, but it's often very limited and they are really just funneling you into a paid plan. The features tend to stay the same, but they'll give you more submissions and then you're already stuck with something that either doesn't use SSL, makes you use a 'theme' for styling, and/or puts an iframe into the middle of your website. Then there's that whole spam thing.

 

+ How important is integration with third-parties like Shopify or Wix?

 

LT: It's essential - not as a plugin, but even simpler. We wanted you to be able to simply turn any form within those platforms into a Hook Form. We put a lot of energy into making Hook Forms compatible with any website out there, and we love to see examples of that implementation. So no matter what you use, the process is the same. Just drop in the code and go.
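The server-side checks named in the interview (honeypot, time spent on the page, form HTML tampering and content scoring) can be sketched as follows. This is an added example, not HookForms code: the secret, the hidden field name `website`, the 3-second threshold and the word list are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-key"    # assumption: per-site server-side secret
HONEYPOT = "website"                # hypothetical hidden field, left empty by people
MIN_SECONDS = 3                     # assumed minimum time between render and submit
FLAGGED = {"casino", "viagra"}      # constructed word list

def issue_token(fields, now=None):
    """Sign the render time and exact field names when the form is served."""
    ts = str(int(time.time() if now is None else now))
    msg = (ts + "|" + ",".join(sorted(fields))).encode()
    return ts + ":" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def token_time(post):
    """Return the signed render time, or None if token or field set was altered."""
    token = post.get("_token", "")
    ts = token.partition(":")[0]
    if not (ts.isascii() and ts.isdigit() and len(ts) <= 12):
        return None
    good = issue_token([k for k in post if k != "_token"], now=int(ts))
    return int(ts) if hmac.compare_digest(good.encode(), token.encode()) else None

def content_score(text):
    """Count content signals: odd-character runs, flagged words, heavy repetition."""
    words = re.findall(r"[a-z']+", text.lower())
    score = 1 if re.search(r"[^\w\s]{4,}", text) else 0
    score += any(w in FLAGGED for w in words)
    score += len(words) >= 8 and len(set(words)) * 2 < len(words)
    return score

def check_submission(post, now=None):
    """Return reasons to reject a POSTed form; an empty list means accept."""
    now = time.time() if now is None else now
    reasons = []
    rendered = token_time(post)
    if rendered is None:
        reasons.append("tampered")      # field added/removed/renamed, or bad token
    elif now - rendered < MIN_SECONDS:
        reasons.append("too_fast")
    if post.get(HONEYPOT):
        reasons.append("honeypot")
    if content_score(post.get("message", "")) >= 2:
        reasons.append("content")
    return reasons

# Constructed sample: a bot that omits the hidden field changes the signed field set.
BOT = {"name": "x", "message": "hi", "_token": issue_token(["name", "message", HONEYPOT], now=1000)}
```

Because the field names are part of the signed token, a bot that skips the hidden field (the honeypot weakness described earlier in the interview) is still rejected: a browser submits the empty field, so its absence shows up as tampering.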