Is CAPTCHA Best for Form Spam?

Posted: August 1st, 2016
Filed under: Web and Application Security
Tags: ,

CAPTCHA tests are not hard to find on the web. But neither are complaints about them.

Do you have CAPTCHA on your site to block form spam? Other options to filter out bot form submissions exist. Let’s explore whether those options would work for your company, or if you should stick to the CAPTCHA standard.




CAPTCHA protects sites displaying or collecting data with tests that humans can pass but bots cannot. CAPTCHA stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart.

These tests are commonly found when performing online activities such as:

  • Submitting a form
  • Posting a comment
  • Completing registration

There are also drawbacks to using CAPTCHA:

  • It can degrade the user experience if input incorrectly
  • It can present accessibility issues for people when it comes to deciphering the codes
  • It creates a security arms race: CAPTCHA technologies progress to make it hard for bots, bots respond. Actual users get stuck in between.


Have you noticed CAPTCHA can be hard? What if this challenge means you are blocking bots but also losing human users in the process? While CAPTCHA are becoming harder for bots  to break, they are also getting harder for humans to decode. If alternatives exist, that means sometimes CAPTCHA is not necessarily the right solution.

Most bots scraping site forms are not tailored to a specific site, unless:

  • You’re running the website of a large corporation
  • Your business is one commonly at risk for a security attack

Therefore, CAPTCHA maybe better, but only in certain use cases.

A Different CAPTCHA Solution

People have pretty strong feelings about CAPTCHA. Those feelings came to light when some Port80 Software team members were discussing form SPAM issues. One senior team member compared CAPTCHA to DEFCON-5. So our challenge was set to find something less off-putting.

One senior team member compared CAPTCHA to DEFCON-5. So our challenge was set to find something less off-putting.

One strategy to prevent form SPAM that seems to work well is called the honeypot technique. It is a different methodology than CAPTCHA that capitalizes on the default behavior of bots. A honeypot lures bots into exposing themselves and leaves the humans alone.


In this case, you add an empty form field in the code, but one that a user doesn’t see. If it is not visible to the human eye, a human user would not fill it out. But a bot would, because they see what’s in the code, not what’s visible on the page.

Once you detect that the form field has an input, you can probably guess this was not the work of an actual human being. Validation on the client side flags it and the form submission will fail. If JavaScript is disabled, server side validation will pick it up. And even though it’s a bot, you could display an error message on the page saying that they didn’t pass your spam validation.


  • This method is virtually seamless for the user and does not degrade user experience. Users don’t have to guess images or figure out what an upside down backwards piece of text is saying. A good move might be to make it a starting place. Try this first and see how well it reduces your SPAM and improves user experience.
  • It doesn’t require the use of another API or integrating another service on to your page, thus saving on bandwidth and load times.


  • This doesn’t offer as much security as a ReCaptcha API, but it should still work for a majority of companies who aren’t the specific target of security attacks. If you’re a bank, hospital, or other likely target, you’ll likely still want the rigor of a full Turing test, like CAPTCHA.
  • If a hacker is targeting your site specifically, they will most likely tailor a bot to your site that will allow them to mimic human like behavior and bypass the form check. (Nothing is 100%)

Google and the Future of CAPTCHA

The honeypot technique is just one alternative when it comes to form SPAM. There are some changes web users can expect to see in the future from Google in this area as well. One you may already be seeing is the reCAPTCHA that detects human-like mouse movements to verify a real user is submitting a form.

The other is an invisible reCaptcha option:

We know some developers who have been invited to try invisible CAPTCHA before it is officially implemented by Google. We’ll keep you posted on what they find out during their tests.

No Comments »

Leave a Reply