Ingo Steinke, web developer

How to stop form spam without using ReCaptcha?

This is more of a rant or a question than a best-practice post, at least not yet: how do you stop form spam without using ReCaptcha?

Why not use ReCaptcha?

Admittedly, it works quite well, and it can be combined with other anti-spam techniques and databases like Akismet.

Page speed / web performance

Third-party services slow down page load. Many online services offered by Google/Alphabet companies, like advertisements or web form security, are built in a way that their own analytics tool, PageSpeed Insights, discourages.

Privacy / GDPR

European legislation, and conservative users, prefer not to exchange user data with American companies unless there is no alternative or the user explicitly wishes to do so (or they get tricked into "agreeing" because they want to get rid of annoying cookie banners).

What to use instead?

I have been using self-made captcha/honeypot form fields, plus a check for unexpected request methods or Accept headers, which detect spam correctly in most cases. Additionally, we can check for repeated submissions from the same IP address within the same second(s) or minute.

So why worry?

Based on my current detection rate, I could discard messages rated as spam and not send any notifications. But then we still risk false positives, i.e., discarding one crucial, legitimate message because it was classified as spam.

If we forward all messages via email, even those suspected to be spam, we risk our web server and email address being mistaken for spam senders and getting blocked. If we store the discarded messages in a database or a text file, we keep attacker-controlled input around and risk security exploits against that storage.

From a frontend perspective, the form spammers wouldn't even know if I received their message as long as I didn't answer or click on a link.

My frontend sends a response code of "403 Forbidden" when I'm sure that it's spam, "503 Service Unavailable" if in doubt, and "200 OK" otherwise.
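An added example, not the author's own code, of the server-side triage described above: a honeypot field, a check for unexpected request method or Accept header, a per-IP repeat counter, and the 403/503/200 responses. The field name, the expected Accept values, the one-minute window and the threshold of three submissions are assumptions made for this example.

```javascript
// Server-side spam triage for a contact form (added example, not the post's code).
// Returns the HTTP status the post uses: 403 = sure it is spam, 503 = in doubt, 200 = ok.
const HONEYPOT_FIELD = "homepage";   // hidden field a real visitor never fills in (assumed name)
const RATE_WINDOW_MS = 60 * 1000;    // look back one minute (assumed)
const MAX_PER_WINDOW = 3;            // more than this from one IP is suspicious (assumed)

// Recent submission timestamps per IP. In-memory for this example; a real
// deployment would use a shared store with expiry.
const recentByIp = new Map();

// Record this submission for the IP and return how many fell inside the window.
function countRecent(ip, now) {
  const times = (recentByIp.get(ip) || []).filter(t => now - t < RATE_WINDOW_MS);
  times.push(now);
  recentByIp.set(ip, times);
  return times.length;
}

// req is a plain object: { method, headers: { accept }, ip, body: { ...form fields } }.
// `now` is injectable so the rate window can be tested deterministically.
function triageSubmission(req, now = Date.now()) {
  // A browser submits a form with POST; anything else did not come from the form.
  if (req.method !== "POST") return 403;
  // Honeypot filled in: a human cannot see the field, so this is spam.
  if (req.body[HONEYPOT_FIELD]) return 403;
  // Browsers advertise text/html (or */*) when submitting a form; an odd or
  // missing Accept header is a script, but not proof of spam, so: in doubt.
  const accept = (req.headers.accept || "").toLowerCase();
  if (!accept.includes("text/html") && !accept.includes("*/*")) return 503;
  // A burst of submissions from one address within the window: in doubt.
  if (countRecent(req.ip, now) > MAX_PER_WINDOW) return 503;
  return 200;
}
```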

Why don't they learn?

As I have seen over the past months, even though my spam recognition and rejection answered every spam attempt with a "403 Forbidden" response, the clients don't stop trying.

I don't know if they're bots or pitiful human click workers, but they keep sending various messages, including repetitive patterns and identical message bodies, subjects, and sender names.

Top comments (11)

𒎏Wii 🏳️‍⚧️

The internet really just needs to revive the concept of proof of work. A couple of years ago, "it wastes electricity" was reasonable criticism, but in the age of blockchain and machine learning, there's just no good argument against it anymore.

Ingo Steinke, web developer

How can waste of energy not be a valid point in 2024 when there is a fuel shortage and an imminent climate crisis? But let people talk about AI, animations, and the latest best JS framework that every developer must use now. As a kid, I thought developers and engineers were intelligent people. But what did I know?

𒎏Wii 🏳️‍⚧️

It's not so much that it's not relevant, but in the age of blockchain and AI, the impact of using proof of work just seems trivially small in comparison. It seems like complaining about the environmental impact of wind turbines casting shade on surrounding plants while we're still burning coal on a large scale. A question to maybe address when the elephant in the room has been taken care of.

Ingo Steinke, web developer

I see, much like the EU legislation to ban plastic straws or hipster consumers trying to buy only fair trade eco produce and separate their household waste while we need changes on a much larger scale. I won't focus my marketing on green tech and website efficiency anymore, as nobody seems to care, neither for nature, nor for money. But I will keep optimizing when I can.

𒎏Wii 🏳️‍⚧️

There are quite a few ways to optimise proof-of-work concepts as well; my little pet idea is to have the proof of work linked to an online identity, so that it is portable between websites but makes bans/blocks harder to evade as well as making spam more difficult.

Wade Zimmerman

First time I heard of this. Found something called mCaptcha. Got past it with a simple Puppeteer script. Less secure than reCaptcha, but privacy is probably not an issue. Also, most successful spammers nowadays use click farms anyway. 🤷‍♂️

```javascript
// delay(ms) is assumed to be a promise-based sleep helper defined elsewhere in the script
const frameHandler = await page.waitForSelector('iframe[title="mCaptcha"]');
const frame = await frameHandler.contentFrame();
const checkbox = await frame.waitForSelector("#widget__verification-checkbox");
await delay(5000);
await checkbox.click();
await delay(10000);
const button = await page.waitForSelector('button[type="submit"]');
await button.click();
await page.waitForNavigation();
await delay(10000);
```
Alex Lohr

Most spammers use web crawler scripts to make their requests, so the easiest way to prevent those is to use JS to add another field with a checksum of the remaining fields' data that you can verify on the server. I haven't yet seen a spammer work their way around that.
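An added example, not the commenter's or the post author's code, of the checksum-field idea in this comment: the page's JavaScript computes a checksum over the other fields on submit and puts it in an extra field, and the server recomputes it from the submitted values and rejects a mismatch. The field names, the length-prefixed encoding and the choice of FNV-1a are assumptions for this example; the checksum is not a secret, so it only filters clients that never ran the page's JavaScript.

```javascript
// Shared checksum field for a contact form (added example, not the page's code).
const CHECKED_FIELDS = ["name", "email", "message"]; // assumed field names; order must match on both sides
const CHECKSUM_FIELD = "fieldsum";                   // assumed name of the extra field

// 32-bit FNV-1a over the UTF-16 code units of a string, as 8 hex digits.
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash.toString(16).padStart(8, "0");
}

// Used by both client and server. Each value is length-prefixed so that
// ("ab","c") and ("a","bc") encode differently; missing fields count as empty.
function fieldChecksum(fields) {
  const encoded = CHECKED_FIELDS.map(key => {
    const value = String(fields[key] ?? "");
    return value.length + ":" + value;
  }).join("");
  return fnv1a(encoded);
}

// Client side, run on submit: return the fields plus the checksum field.
function addChecksumField(fields) {
  return { ...fields, [CHECKSUM_FIELD]: fieldChecksum(fields) };
}

// Server side: a missing or wrong checksum means the submitted values were not
// produced by the page's own JavaScript (or were changed after it ran).
function checksumMatches(submitted) {
  const given = submitted[CHECKSUM_FIELD];
  return typeof given === "string" && given === fieldChecksum(submitted);
}
```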

Ingo Steinke, web developer

No, they don't work around my spam trap, but I don't get why they don't eventually give up when they keep getting 403 Forbidden. Either they are too dumb to check the return status, or too desperate or lazy to do so. Some spammers retry variations of the same text, even reusing the same sender name verbatim every other day.

Ashish Prajapati

How can I do it? I want to try it.

Ingo Steinke, web developer

You can add a hidden form field that regular users can't see. Spam bots usually fill out every field, especially when there's one called "homepage" or "url", even when it's obviously hidden by HTML attributes. But you can use CSS to make it a bit harder. Then check (either in JS before sending, or on the server side) whether the field has content; if it does, it must be a spam attempt.

Ashish Prajapati

I get it now. This is a great way of detecting spam.