3 strategies to control spam in web forms
By G. Lara
The moment a new web form is published on the internet, bots arrive and try to use it to send spam. This is a fact and it is inevitable. Bots (short for "robots") are automatic programs that travel the internet "jumping" from one link to another. There are good bots and not so good bots. It is estimated that in 2018 bots were responsible for 40% of internet traffic [1].
A bot's "attack" on a web form consists of submitting the form repeatedly. The content sent by the bot depends on what the form is for and on the type of bot, but it is generally spam. Spam is an unsolicited email or message sent for advertising or commercial purposes. That is why it is important to know how to control spam in web forms.
Bot attacks and targets that we need to control
A bot can attack a web form with different intentions:
- Advertising: If you have a web form to receive product reviews, a competitor's bot can add a false spam-like review recommending a product from their own company to try and convince your customers that their product is better.
- Search engine optimization: If you have a form to receive comments on your blog posts, a bot can be dedicated to adding comments full of links to improve the positioning of another page by using yours to receive traffic.
- Spam sending: bots may try to send spam (unsolicited email) through your contact form. To do this, they use various techniques trying to find a vulnerability in the script that sends you the message with the data sent through the web form.
- reCAPTCHA Education: some bots use web forms protected by reCAPTCHA v3 to fool the artificial intelligence behind it. To do this, they send infrequent messages through the web form with data that cannot be read but that looks like real text and real email addresses. Their sole purpose is to get reCAPTCHA to give their IP a high score, so that they can pass through the filter in other forms on the internet.
It is our job to take some control over these actions, which is why we need to implement a strategy to mitigate the negative effects a bot's actions may have on our website or our client's online business.
The 3 strategies you can use to control spam in web forms
Receiving a visit from these bots is not pleasant at all. They are very persistent and can sometimes fill your website or your inbox with unwanted messages. Keeping them under control can take quite a lot of time and effort.
Luckily, there are a number of strategies that can help us control this problem. These are the three main strategies to control spam in your website forms.
1. Make the submitter of the web form identify as human.
To do this, Google's reCAPTCHA v2 is normally used. You have probably used it a few times: it is the "I am not a robot" statement, and after answering you sometimes have to prove that you are human before you can send the form. This is cumbersome, time consuming, and not as robust as one may think. I still remember seeing a video of a robotic hand clicking on the "I'm not a robot" box. In case you haven't seen it, here is the video.
It is a good solution, in terms of neutralizing spam traffic from bots, but not so good in terms of usability and user experience on your website, so it is not a perfect solution to control spam in web forms.
2. Use artificial intelligence to monitor user behavior on the website.
This is achieved with the use of Google's reCAPTCHA v3. It is intended to catch bots that send spam through web forms and at the same time minimize the inconvenience to the human user of the website.
Instead of displaying a question challenge, reCAPTCHA v3 returns a score so you can choose the most appropriate action for your website in order to do damage control.
To do this, it no longer asks directly whether or not you are a robot; now it watches you. It measures your movements on the website and gives you a score. This score represents the probability that you are a robot or not. The owner of each website decides what to do with this traffic and from which score to take action. For example, if the algorithm tells us that a product review on our website has probably been written by a spam bot, we may decide to send the review to a website administrator for moderation before it is published.
When the user (human or bot) executes an action in your form, you can query reCAPTCHA v3 and it will return a score between 0.0 and 1.0.
A score of 1.0 means a high probability of a good interaction and a score of 0.0 is surely a bot. Now we have to decide what to do. This depends on the action that we are evaluating; there are different scales depending on the action:
- contact form
- form for submitting a product review
- authentication form to a private zone
reCAPTCHA v3 will never interrupt your users, so you can run it when needed and this will not affect the conversion on your website.
reCAPTCHA v3 works better the more context you give it about interactions with your web page. This context is obtained by observing both legitimate and abusive behavior on the website. For this reason, it is advisable to include the reCAPTCHA v3 verification in forms or actions and also to load it on the rest of the pages of your website so that it can carry out its analysis.
The positive point of this strategy is that it does not interrupt the user. The negative side is that it loads the page with more scripts and it is not as effective as it may seem. It does give you greater control over mitigation, as you can use different actions for different threat scores. But being an artificial intelligence means that it can learn, and the creators of spam bots have already found a way to deceive or re-educate this artificial intelligence. So this is another fairly effective technique to control spam in forms: the user isn't interrupted and you have fine control over what action to take.
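The score-based decision described in this section, as an added example that is not code from the original article. It takes the JSON body returned by Google's siteverify endpoint (fields success, score, action, hostname) and picks an outcome per action; the thresholds, the action names, the "step_up" outcome and the host shop.example are assumptions, and the sample responses are constructed.

```python
import json

# Assumed policy (hypothetical values): minimum score per action and what to do
# below it. Nothing is discarded, so no customer message is ever lost.
POLICY = {
    "contact": (0.3, "moderate"),
    "review": (0.5, "moderate"),
    "login": (0.7, "step_up"),  # e.g. ask for an additional verification step
}

def decide(verify_body, expected_action, expected_host):
    """Map one siteverify response body (JSON text) to 'accept' or a fallback."""
    threshold, fallback = POLICY[expected_action]
    try:
        resp = json.loads(verify_body)
    except json.JSONDecodeError:
        return fallback
    if not isinstance(resp, dict) or resp.get("success") is not True:
        return fallback
    # A token issued for another action or another site proves nothing here.
    if resp.get("action") != expected_action or resp.get("hostname") != expected_host:
        return fallback
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return fallback
    return "accept" if score >= threshold else fallback

# Constructed sample responses (not captured from a real site).
GOOD = ('{"success": true, "score": 0.9, "action": "review", '
        '"hostname": "shop.example", "challenge_ts": "2024-01-01T10:00:00Z"}')
LOW = ('{"success": true, "score": 0.2, "action": "review", '
       '"hostname": "shop.example", "challenge_ts": "2024-01-01T10:00:05Z"}')
WRONG_ACTION = ('{"success": true, "score": 0.9, "action": "contact", '
                '"hostname": "shop.example", "challenge_ts": "2024-01-01T10:00:09Z"}')
FAILED = '{"success": false, "error-codes": ["invalid-input-response"]}'

def demo():
    """Evaluate the four samples as submissions of the product review form."""
    samples = (GOOD, LOW, WRONG_ACTION, FAILED)
    return [decide(body, "review", "shop.example") for body in samples]

if __name__ == "__main__":
    print(demo())
```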
3. Make the submitter of the form identify as a bot.
This strategy is the opposite of point 1 and is very effective.
Code is added to the form that can only be "seen" by the bot and not by a human. Once the form data has been received, you can tell whether the information comes from a human user or a bot by analyzing the data received. Once the bot is identified, you can choose to delete the message or send it to a website administrator for moderation.
It is also useful to keep a log file of the bots that are caught, in order to analyze the type of messages the bot is trying to send, which form is being attacked, etc., so we can take more measures if necessary.
This strategy has the advantage of being invisible to the visitor to your website: the human user is not disturbed. This is a great advantage for your website's success with your clients, as it improves the usability and user experience of the website. It can be a very effective technique to control spam in web forms.
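One way to implement this strategy, as an added example that is not code from the original article: a decoy field that only a bot fills in, a server-side check, and a log of caught bots. The field name "website", the form markup, the outcome names and the sample submissions are all assumptions constructed for illustration.

```python
import io
import json
from datetime import datetime, timezone

HONEYPOT = "website"  # hypothetical decoy field name, not from the article

# Constructed markup: the decoy sits off-screen, out of tab order and autofill,
# so a person never fills it while a bot parsing the HTML usually does.
FORM_HTML = """
<form method="post" action="/contact">
  <input name="email" type="email">
  <textarea name="message"></textarea>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <input name="website" type="text" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>
"""

def handle_submission(form_name, fields, remote_ip, log):
    """Return 'deliver' or 'moderate'; caught bots are logged as one JSON line."""
    if not str(fields.get(HONEYPOT, "")).strip():
        return "deliver"
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "form": form_name,
        "ip": remote_ip,
        # json.dumps escapes newlines, so a bot cannot forge extra log lines;
        # values are truncated to keep the log small.
        "fields": {k: str(v)[:200] for k, v in fields.items()},
    }
    log.write(json.dumps(entry) + "\n")
    return "moderate"  # keep the message for a human instead of deleting it

def demo():
    """Run one human and one bot submission (both constructed) through the check."""
    log = io.StringIO()
    human = {"email": "ana@example.com", "message": "Quote, please", "website": ""}
    bot = {"email": "x@example.com", "message": "buy\nnow",
           "website": "http://spam.example"}
    results = [handle_submission("contact", human, "198.51.100.7", log),
               handle_submission("contact", bot, "203.0.113.9", log)]
    return results, log.getvalue()

if __name__ == "__main__":
    print(demo())
```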
Conclusions on controlling spam in web forms
Which strategy to use? This depends on the context of the form that we want to protect and control. But you always have to have a strategy to control spam in web forms.
There are non-negotiable priorities that we take into account when we are going to protect a form on a website:
- do not lose information; if in doubt, the message is stored for later review by a human.
- disturb the website user as little as possible; interrupt the human user as little as possible.
- it is preferable to receive some spam than to lose communication with a customer.
The best strategy is to combine any of the strategies we discussed above, especially strategies 2 and 3, which do not interrupt the human while they send data through the form on your website.
Like everything on the internet, bots evolve, and so do we, to keep them at bay and to prevent them from bothering our clients on the internet.
"The Dark rises and the Light to meet it".
Categories: Web page design.
Tags: programming, cybersecurity