Skip to content

How to prevent spammy form submissions

20th January 2015

3-minutes read

As a website owner or business manager, you’ll have been on the wrong end of emails that get sent to you whenever your website’s enquiry form is completed.

While an enquiry from your website is a good thing, a spam enquiry – where your form is filled with nonsense info by an automated program – is annoying and a waste of time.

Programs such as these exist because unscrupulous people (hackers) look for security flaws in websites, which they might go on to exploit for spamming purposes. And while you can’t stop these programs finding your website and its online forms, you can prevent them completing the form successfully. And if you can do this, you’ll put an end to the spam emails.

CAPTCHA

Traditionally, the way website owners have stopped unwanted form submissions is to include a question on the form that an automated program will struggle to answer

A "captcha" does just this: it is a collection of hard-to-read characters that people can interpret but computers can't. CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart”, which reveals that it was created by a computer scientist rather than a marketer! And while it does the job, it can be very frustrating. A well-intentioned CAPTCHA often ends up being a CAPTIFU – "Completely Automated Public Turing test that Is Unreadable” – and even proper users find it impossible to complete the online form.

Friendlier alternatives to CAPTCHA

In fact, CAPTCHAs cause such frustration that you’ll often see a different approach on websites these days. Asking a simple question (such as "What is 2 + 3?”) and only processing the online form if the question is answered correctly ensures that genuine website visitors don’t feel overly challenged when completing the form but automated programs, devoid of any intuition to solve a simple maths question, can’t supply the right answer. Consequently, form submissions from automated programs won’t get processed and you can’t receive emails full of nonsense.

Gotcha… an even better alternative?

Both the traditional CAPTCHA and the simple maths question follow the same basic approach: the online form will only be processed if you supply the right answer. In terms of preventing automated form submissions, both approaches work well but the user's experience isn’t ideal.

Our preferred approach is to go at things from the other direction: rather than require the website visitor to answer a question correctly, we advocate including a question that the website visitor should ignore.

How does this work?

When building an online form for a client, we include a box that we expect to be left empty. And then we add a little bit of magic to the client’s site that prevents the box being shown on screen so the website visitor can’t see it.

Sure enough, because they don’t know it’s there, a genuine visitor makes no attempt to type anything into the box and when they submit their form, it is processed in the usual way.

Automated programs run by hackers don’t "see” the form on a screen in the same way you would: instead, they access that page’s code and work with that. Our magic only prevents the box from appearing on the screen – it doesn’t remove the box from the code – and so unaware of what we’re doing, an automated program will enter something into the box.

Our client’s website detects this when the form is submitted and knows to reject it. The result? No spam form submissions for the client but no hard-to-read CAPTCHA on their website either.

Jeremy Flight

Jeremy Flight

Technical Director

Jeremy Flight

About the author

This article was written in January 2015 by Jeremy Flight, Technical Director at Rubiqa.

He has worked in the web design industry since 1999 and has helped many private businesses and public sector organisations with complex website projects. As the technical lead at Rubiqa, he is the primary contributor to our software products and is involved with projects relating to website design, eCommerce, database systems and mobile apps.

Away from work, Jeremy is a qualified cricket coach and works with junior players at his local club. He is also interested in property investment, golf, photography, playing the piano and holidaying in France.

Connect with Jeremy Flight on LinkedIn

What we do

Send your enquiry

To prevent unwanted spam, we ask you to enter the answer to this simple sum: