Are We Still Using CAPTCHAs to Stop Form Spam?

June 13, 2013 Andrew Stein


Quick note: In reviewing this post with some non-technical friends, I realized that many people aren’t familiar with the term CAPTCHA. A CAPTCHA (or Completely Automated Public Turing Test to Tell Computers and Humans Apart) is an awkwardly hard-to-read combination of “letters” and “numbers” that websites make you enter before performing a task.

When talking with potential customers, we talk an awful lot to people who have serious problems with form spam. We’re talking hundreds of submissions a day all from unique IPs on websites that get very little traffic. By the time they come to us they’ve tried everything – hidden form fields, IP validation, adding JavaScript, even adding CAPTCHAs to every form on their site.

The end result: Some pretty annoyed users from the CAPTCHA and still a ton of bot spam.

The longer we talk, the more adamant most of them become that “the CAPTCHA should’ve worked.” It takes a while, but eventually we’re able to explain that not only will CAPTCHA not work, it’s pretty much never worked.

Back in 2008, James Edwards at Sitepoint wrote an excellent article called “Beyond CAPTCHA: No Bots Allowed!” outlining the problems with CAPTCHA at the time. I’m not going to rehash it, but it’s been over five years since that blog post and pretty much nothing has changed in favor of CAPTCHA. In fact, I’d argue that things have only gotten worse as bot technology has gotten better. Gone are the good old days of PHP and Perl running a list of commands one after the other with no UI. Now we’re at the point in technology where we can fully automate real web browsers, with plugins set to solve the CAPTCHA themselves or take screenshots of the CAPTCHA for third parties to solve.

Seriously. Most people don’t know this, but there are a whole host of services that do outsourced CAPTCHA solving. Starts at $0.70 per 1,000 images with each one done in under 15 seconds. It’s basically “Phone a Friend” for bot spammers. At this point the only people who have trouble reading CAPTCHAs are your actual users – not the bots.

So what is a website owner to do? The answer is simple: turn to more evolved systems to deal with more evolved bots.

One system to help cut down on form spam is Akismet from the team over at Automattic, the makers of WordPress. Akismet works by taking the data submitted to your website, validating it against their externally hosted API, and returning whether they believe the submission is coming from a real person or a bot. For years it’s been the standard for WordPress form spam reduction and an absolute no-brainer for those of you fighting WordPress form spam.
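The server-side flow described above, sketched as an added example (not code from this post or from Akismet): a form handler sends the submission to Akismet's public `comment-check` REST endpoint and maps the answer to an action. The form field names (`name`, `email`, `message`), the action names, and the injectable `transport` parameter are assumptions made for illustration.

```python
import urllib.parse
import urllib.request

def http_post(url, body, timeout=5):
    """Real transport: POST form-encoded bytes, return (text, headers)."""
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "example-form-handler/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip(), dict(resp.headers.items())

def build_request(api_key, site_url, client_ip, user_agent, form):
    """Map one form submission onto comment-check parameters."""
    params = {
        "blog": site_url,          # required: the site being protected
        "user_ip": client_ip,      # required: submitter's IP as the server saw it
        "user_agent": user_agent,  # the submitter's browser UA, not ours
        "comment_type": "contact-form",
        "comment_author": form.get("name", ""),          # hypothetical field names
        "comment_author_email": form.get("email", ""),
        "comment_content": form.get("message", ""),
    }
    url = "https://%s.rest.akismet.com/1.1/comment-check" % api_key
    return url, urllib.parse.urlencode(params).encode("utf-8")

def verdict(text, headers):
    """Turn the API answer into an action for the form handler."""
    headers = {k.lower(): v for k, v in headers.items()}
    if text == "true":
        # Akismet flags the most blatant spam so it can be dropped unseen.
        blatant = headers.get("x-akismet-pro-tip") == "discard"
        return "discard" if blatant else "quarantine"
    if text == "false":
        return "accept"
    # Anything else (bad key, missing field) is an API error, not a verdict.
    return "hold-for-review"

def check_submission(api_key, site_url, client_ip, user_agent, form,
                     transport=http_post):
    url, body = build_request(api_key, site_url, client_ip, user_agent, form)
    try:
        text, headers = transport(url, body)
    except OSError:  # timeout or network failure: keep the message for a human
        return "hold-for-review"
    return verdict(text, headers)
```

Holding a submission for review when the API is unreachable or returns an error keeps an outage from either silently dropping real messages or letting everything through.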

There’s also what we do here at Distil Networks. It doesn’t matter whether the bot comes to your website to spam your forms or steal your data, we’ll block it and make sure it doesn’t come back to your website or anyone else on our network. There’s no additional code to install or maintain and, most importantly, no more development time devoted to keeping your forms spam free. You can get back to building and growing your business.

CAPTCHAs were born 13 years ago, and since then there has been nonstop effort and research into circumventing them, much of it very successful.

It’s time we all take the next step.

About the Author

Andrew Stein

Andrew Stein is Distil's Co-Founder and Chief Scientist. Getting his start running a large online kids’ game, Andrew took his passion for web development to NC State where he became the Senior Web Developer for the Department of Electrical and Computer Engineering. Working on everything from identity management programs to digital signage systems, Andrew has run into a little bit of everything and is always eager for new challenges.
