Contact Form Captchas

swinnie · 12 Nov 2014 at 22:25

Hi All,

I have a customer that is complaining about receiving spam emails through their sales mailbox, from the contact form on their website. They have asked me to install some form of anti-spam mechanism.

What captchas can you guys recommend that don't look like a polished turd?

Many thanks in advance.

xbenjiiman · 12 Nov 2014 at 22:29

I'm a big fan of VisualCaptcha. None of that awful squinting your eyes trying to read the numbers and letters.

JimAroo · 13 Nov 2014 at 19:35

Generally i only even use Captcha as a last resort, I've found that 9 out of 10 times simply honeypotting a field is more than enough to stop the spam.

xbenjiiman said:
I'm a big fan of VisualCaptcha. None of that awful squinting your eyes trying to read the numbers and letters.

That looks very nice, should i need to add Captcha in the future probably give that a go.

hargi · 13 Nov 2014 at 21:09

What you mean by honey potting a field?

JimAroo · 14 Nov 2014 at 01:34

hargi said:
What you mean by honey potting a field?

What i do:

Duplicate say the email field typically i have one named email and the other contact_email.

You hide email with CSS via a class called styled_email, do not use inline as some bots can tell if a field is a honeypot.

When you process the form in PHP or whatever you check to see if the honey potted field is empty, if it is you know the request is from a normal user.

---

This works surprisingly well most times, and it doesn't affect the user experience.. they can't even tell the difference.

There are other tricks too like processing the form through AJAX, i find most bots have JavaScript disabled so this works well.

BaJ · 14 Nov 2014 at 09:36

I'm also not a fan of captchas.

What's the primary goal you'd like from a visitor to your website? Usually it's to get in touch with you, therefore creating a potential sales enquiry.

Captchas are known to be fiddly and awkward to complete for some users. You're therefore putting a hurdle in the way of people completing the goal of your site. People are willing to pay for sales leads, yet they're happy to throw a hurdle/captcha on a page without a second thought.

I'd personally rather sift through a couple of spam enquiries instead of losing out on a potential sale.

The honeypot solution is a good one mind.

bcjames · 15 Nov 2014 at 09:10

Honey pot and some validation is added to all my forms now. There are some good free php based forms on git that will do all of that.

Those visual captchas are interesting, but as the chaps above have said, it's still another hurdle.

swinnie · 16 Nov 2014 at 11:25

Firstly, thank you all for your response...

xbenjiiman said:
I'm a big fan of VisualCaptcha. None of that awful squinting your eyes trying to read the numbers and letters.

Now - that is actually a nice looking one, I shall certainly bare that in mind. I hate all captchas out there.

JimAroo said:
What i do:

Duplicate say the email field typically i have one named email and the other contact_email.

You hide email with CSS via a class called styled_email, do not use inline as some bots can tell if a field is a honeypot.

When you process the form in PHP or whatever you check to see if the honey potted field is empty, if it is you know the request is from a normal user.

---

This works surprisingly well most times, and it doesn't affect the user experience.. they can't even tell the difference.

There are other tricks too like processing the form through AJAX, i find most bots have JavaScript disabled so this works well.

Now, that sounds like an interesting solution - I shall give that a go and see if it does enough.

BaJ said:
I'm also not a fan of captchas.

What's the primary goal you'd like from a visitor to your website? Usually it's to get in touch with you, therefore creating a potential sales enquiry.

Captchas are known to be fiddly and awkward to complete for some users. You're therefore putting a hurdle in the way of people completing the goal of your site. People are willing to pay for sales leads, yet they're happy to throw a hurdle/captcha on a page without a second thought.

I'd personally rather sift through a couple of spam enquiries instead of losing out on a potential sale.

The honeypot solution is a good one mind.

BaJ, that is exactly my point and my resistance to use Captchas. The customer in question will be the first to moan if he "isn't getting emails" from his website. Or enquiries are down on the previous week/month. I would rather have to just select a few spam messages and delete them, than stop genuine enquiries coming through.

sniffy · 17 Nov 2014 at 20:33

A pretty simple but effective method is to base64 encode the current unix epoch into a hidden field then simply check when it gets posted back. If there's only a couple seconds difference then you can ignore it.