SamuelDistil Networks

Are We Still Using CAPTCHAs to Stop Form Spam?

Quick note: In reviewing this post with some non-technical friends, I realized that many people aren’t familiar with the term CAPTCHA. A CAPTCHA (or Completely Automated Public Turing Test to Tell Computers and Humans Apart) is the item pictured below -  an awkwardly hard to read combination of “letters” and “numbers” that websites make you enter before performing a task.

When talking with potential customers, we talk an awful lot to people who have serious problems with form spam. We’re talking hundreds of submissions a day all from unique IPs on websites that get very little traffic. By the time they come to us they’ve tried everything – hidden form fields, IP validation, adding JavaScript, even adding CAPTCHAs to every form on their site.

The end result: Some pretty annoyed users from the CAPTCHA and still a ton of bot spam.

The longer we talk, the more adamant that most are that “the CAPTCHA should’ve worked”. It takes a while, but after a while we’re able to explain that not only will CAPTCHA not work, it’s pretty much never worked.

Back in 2008, James Edwards at Sitepoint wrote an excellent article called “Beyond CAPTCHA: No Bots Allowed!” outlining the problems with CAPTCHA at the time. I’m not going to rehash it, but it’s been over five years since that blog post and pretty much nothing has changed in favor of CAPTCHA. In fact, I’d argue that things have only gotten worse as bot technology has gotten better. Gone are the good old days of PHP and Perl running a list of commands one after the other with no UI, now we’re to the point in technology where we can fully automate real web browsers with plugins set to solve the CAPTCHA themselves or take screenshots of the CAPTCHA for third parties to solve.

Seriously. Most people don’t know this, but there are a whole host of services that do outsourced CAPTCHA solving. Starts at $0.70 per 1,000 images with each one done in under 15 seconds. It’s basically “Phone a Friend” for bot spammers. At this point the only people who have trouble reading CAPTCHAs are your actual users – not the bots.

So what is a website owner to do? The answer is simple: turn to more evolved systems to deal with more evolved bots.

One system to help cut down on form spam is Akismet from the team over at Auttomatic, the makers of WordPress. Akismet works by taking the data submitted to your website, validating it against their externally hosted API, and returning back to you whether they believe the submission is coming from a real person or a bot. For years it’s been the standard for WordPress form spam reduction and an absolute no-brainer for those of you fighting WordPress form spam.

There’s also what we do here at Distil Networks. It doesn’t matter whether the bot comes to your website to spam your forms or steal your data, we’ll block it and make sure it doesn’t come back to your website or anyone else on our network. There’s no additional code to install or maintain and, most importantly, no more development time devoted to keeping your forms spam free. You can get back to building and growing your business.

CAPTCHAs were born 13 years ago and since then there have been nonstop efforts and research done into circumvention and a lot of it has proven very successful.

It’s time we all take the next step.

Take Control of Your Website

Up to 60% of your website traffic could be bots! These non-human visitors are automated attacks responsible for fraud, data theft, and slowing down your website performance.

Sign Up For Your Free Trial Today