Prevent bot form submissions

There are 3 publicly available forms on the Tech Club application website: member registration, client registration and contact. Inevitably, these forms will be submitted by automated programs, or bots, in order to distribute spam or for some other unpleasant purpose. This section will talk about ways to avoid this. It will just be a short section for now, with more description than code, but I may come back to it in the future.

The measures we need to take in order to reduce bot submissions depend on whether or not we are specifically targeted. If a spammer is prepared to spend the time to modify his program in order to get past our defenses, then we will need to use the strongest measures. But unless you work for a well-known organization, this is normally not the case, and even simple measures will stop most automated attacks.

The strongest measures should be avoided if they are not needed, because they are annoying or difficult for the user and create a barrier to the submission of the form. Here, in order of preference, are some measures we can take:

| Measure | For user | For developer | Description |
| --- | --- | --- | --- |
| Hidden form field | Invisible | Very easy | We have a field in the form which is invisible to the user but not to bots, therefore if it is filled in, we reject the submission. It is the measure implemented on the Tech Club forms and described further in Explanation: forms and emails. |
| Time-based checks | Invisible | Moderate | This means for example disallowing multiple submissions from a given IP address within a given timeframe, or rejecting submissions which occur within a few seconds of the page loading (because no human could fill it in that fast). |
| Checkbox | Very easy | Easy | The user clicks a checkbox. This seems to be the way things are going now as an easy "pre-check" to reCAPTCHA - see here. |
| Slider | Very easy | Easy | We have a JavaScript-based tool such as a slider, where the user just needs to make a single mouse movement to unlock the form. |
| Trivial question | Very easy | Very easy | We have a field asking for the answer to a trivially simple question like "What is 2 + 2?" or "What color is the sky?". |
| Drag-and-drop game | Usually easy | Easy | We have a JavaScript-based visual mini-game which the user needs to solve by dragging and dropping in order to unlock the form. |
| reCAPTCHA | Average to hard | Easy | The user needs to decipher distorted words. Everyone knows this one from creating accounts with big companies like Google. |
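The two invisible measures from the table can be combined in one server-side check. The following is an added example, not the Tech Club site's own code; the field names `website` and `token`, the thresholds and the in-memory per-IP store are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SECRET = b"replace-with-a-random-server-side-key"  # assumption: loaded from config
HONEYPOT_FIELD = "website"  # hypothetical name; hidden from humans with CSS
MIN_FILL_SECONDS = 3        # faster than this is treated as automated
MAX_FORM_AGE = 3600         # a token cannot be replayed after an hour
WINDOW_SECONDS = 600        # per-IP rate-limit window
MAX_PER_WINDOW = 3

_recent = defaultdict(deque)  # client IP -> times of accepted submissions


def issue_token(now=None):
    """Call when rendering the form; place the result in a hidden input."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_submission(form, client_ip, now=None):
    """Return None if the submission is accepted, else the rejection reason."""
    now = time.time() if now is None else now
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot field filled"
    # The page-load time is signed so a bot cannot simply backdate it.
    ts, _, mac = form.get("token", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "missing or forged token"
    age = now - int(ts)  # safe: a valid MAC means we issued this timestamp
    if age < MIN_FILL_SECONDS:
        return "submitted too quickly"
    if age > MAX_FORM_AGE:
        return "form expired"
    hits = _recent[client_ip]
    while hits and now - hits[0] > WINDOW_SECONDS:
        hits.popleft()  # forget submissions that fell out of the window
    if len(hits) >= MAX_PER_WINDOW:
        return "too many submissions from this address"
    hits.append(now)
    return None
```

In a multi-process deployment the `_recent` store would need to live in shared storage, since each process here keeps its own counts.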

