In prior articles, I have covered the multiple advantages to using web forms instead of posting a naked email address. I also covered how to encode such a naked email address when Apple forces us to publish one as a requirement for selling digital content in Europe (link ahead). In this new article, I’ll explore four different ways to eliminate or reduce the effectiveness of spambots to send us spam, including the pros and cons of each. These four include honeypot, image captcha, math quiz and Google’s reCAPTCHA, together with the additional GDPR (RGPD) requirements if reCAPTCHA is used. (I have covered GDPR previously too – link ahead.)
What’s a spambot?
Wikipedia defines spambot as:
«A computer program designed to assist in the sending of spam.»
Source: here. I agree with that definition.
What is GDPR (RGPD)?
GDPR stands for General Data Protection Regulation. In many other languages, the abbreviation is RGPD. In 2018, I published this article:
Do you have a website? Avoid a US$23 million fine before May 25, 2018.
That 2018 article should put you up to speed if your website doesn’t yet comply. In addition to the steps covered there, I generally include a disclosure at the end of web forms, for example:
«By using this form, you are tacitly agreeing to our privacy policy.» with a link to that policy.
Later in this article, I’ll cover the additional GDPR requirements if you choose to implement Google reCAPTCHA to combat web form spambots (among other options).
The two main form tools I use in web development
As covered in prior articles, my TecnoTur offerings include web hosting, development, podcast combined hosting with branded RSS and even accented domain names.
For simple forms, I usually use the free plugin called Contact Form 7. For more complex forms, I have been using Gravity Forms, a paid plugin. Either way, there are many antispam options available, either directly from the developer or from third parties. Ahead, I’ll cover four of them.
Honeypot
Wikipedia defines a honeypot (in computing) as:
«a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site which contains information or resources of value to attackers. It is actually isolated, monitored, and capable of blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as “baiting” a suspect.»
Source: here.
In the case of a honeybot embedded in a web form, it consists of an additional field which is visible only to spambots, not by human internauts. As a result, if the spambot fills the additional information in the additional field, the form entry is ignored. Honeypots fortunately are not substantially demanding to a server.
Image captcha
Above is an example of an image captcha in English.
Below is an example of an image captcha in Castilian (castellano).
Most humans are capable of choosing the proper image and many spambots are not. Image captcha are fortunately not substantially demanding to a server.
Math quiz field
Above is a math quiz field in one of my forms. Most humans are capable of simple addition. Many spambots are not. Using a math quiz field is fortunately not substantially demanding to a server.
Listeners to my CapicúaFM show will know why I picked palindromic numbers for the math quiz.
Google reCAPTCHA
Above is an example of a Google reCAPTCHA from one of my forms in English.
Below is an example of one of a Google reCAPTCHA images from one of my forms in Castilian (castellano).
reCAPTCHA Inc. is a CAPTCHA system owned by Google. Although the reCAPTCHA is much more effective than the other examples covered so far, it is slightly more demanding on the server, since it adds more cookies and also shares IP information with Google. For that reason, I only use it on those few websites where the other methods have not been effective enough, and I add the additional GDPR requirements, as covered in the next section. Fortunately, Google does not charge any fee for using its reCAPTCHA.
Additional GDPR (RGPD) requirements if you use reCAPTCHA
Since in order to work, Google’s reCAPTCHA adds additional cookies, sharing of web form user’s IP addresses and Google fonts may be loaded to the page, more disclosure is required to maintain GDPR (RGPD) compliance.
By using this form, you are tacitly accepting TecnoTur’s Privacy Policy as well as Google’s reCAPTCHA, both its privacy and terms.
Above you’ll see how I augmented the disclosure at the bottom of web forms in English. Below, you’ll see an example in Castilian (castellano):
Al utilizar este formulario, aceptas tácitamente la Política de Privacidad de TecnoTur y las del reCAPTCHA de Google, tanto la de privacidad como de condiciones de uso.
I am not an attorney and this is not legal advice. Make your own decisions and/or consult with your attorney.
Spambots versus human spammers
The methods covered so far in this article are to combat spambots, not human spammers. If you believe you are receiving spam from human spammers through your web form, you might consider adding the following text above your web form, which I observed on attorney Gordon P. Firemark’s website. (Although we have exchanged a few emails over the years and I have quoted him in prior articles, so far we have had no business relationship.)
«No Solicitations Please
We have provided the contact form below as a courtesy to our clients and prospective clients. If you are a marketer and wish to contact us with offers for products or services, please do not use this form. We do not do business with people or companies who operate this way.»
Gordon P. Firemark has that text above his form, which also uses reCAPTCHA as of publication date of this article.
Conclusions
Even spambots get more adept with time, which is why (with some websites) I have had to go all the way to reCAPTCHA, which seems to be the most effective method. However, I only use reCAPTCHA on those websites that merit it. If you are receiving too much spam via spambots, I hope you (or your web developer) can implement some of these methods for you. If you (or your web developer) needs help to do that, you can consider moving your web hosting to TecnoTur or contracting a consulting session.
Two related articles
In 2022, I published this article when Apple forced us to publish a naked email address in order to continuing selling digital products in Europe:
Apple shocks authors/content producers with new website requirements to continue selling in Europe (illustrated above) since Apple forced us to publish a naked email address on our website (and a naked phone number too). I covered how to encode the naked email address to avoid it being harvested by spambots.
Later in 2023, I published:
DKIM & SPF now achieve even better email deliverability when fully implemented, thanks to an unexpected catalyst: Anyone who uses a personal or professional domain should be familiar with both DKIM and SPF for email deliverability and more.
Lee este artículo en castellano
(Re-)Subscribe for upcoming articles, reviews, radio shows, books and seminars/webinars
Stand by for upcoming articles, reviews, books and courses by subscribing to my bulletins.
In English:
- Email bulletins, bulletins.AllanTepper.com
- In Telegram, t.me/TecnoTurBulletins
- Twitter (bilingual), AllanLTepper
En castellano:
- Boletines por correo electrónico, boletines.AllanTepper.com
- En Telegram, t.me/boletinesdeAllan
- Twitter (bilingüe), AllanLTepper
Most of my current books are at books.AllanTepper.com, and also visit AllanTepper.com and radio.AllanTepper.com.
FTC disclosure
None of the companies mentioned has paid for this article. Allan Tépper is the director of TecnoTur LLC. Some of the manufacturers listed above have contracted Tépper and/or TecnoTur LLC to carry out consulting and/or translations/localizations/transcreations. So far, none of the manufacturers listed above is/are sponsors of the TecnoTur, BeyondPodcasting, CapicúaFM or TuSaludSecreta programs, although they are welcome to do so, and some are, may be (or may have been) sponsors of ProVideo Coalition magazine. Some links to third parties listed in this article and/or on this web page may indirectly benefit TecnoTur LLC via affiliate programs. Allan Tépper’s opinions are his own. Allan Tépper is not liable for misuse or misunderstanding of information he shares.