ECMS Horizons

To CAPTCHA or not to CAPTCHA, why ECMS Forms are Imune to Spammers

We're asked by users often why our contact and other forms on ECMS Horizons don't include a CAPTCHA field to thwart would be spammers, so we wanted to explain some of our techniques for reducing spam without punishing your site visitors with difficult and time wasting tests.

If you're not familiar with what CAPTCHA is, it's short for "Completely Automated Public Turing test to tell Computers and Humans Apart"... in short it's a test, if you pass, you're human.  For a longer explanation of the technique and rationalle behind these, you can read more at the Wikipedia:

Why are CAPTCHA fields necessary anyway?

If you've ever tried to fill out a form and at the end were given some weird seemingly scribbled and garbled string of characters and numbers, attempted to fill it out only to be returned to the form with a message informing you that you must be blind, you're not alone, aparently we're all blind.  At eCommunities, we don't believe that your visitors should be punished for the acts of others, so we do everything we can to hide our validation and spam filters.

The reason that forms are a prime target for spammers is this; most forms will send a confirmation to the submitter so that they know the email was sent and received, the confirmation will most often include the original body of the submission.  So if a spammer can use some random victims email address in the "email" field, and fill their spammy ad in the "message / request" field, when the form is submitted, the confirmation would be sent to the victim, along with the spam, links and all.  Best of all for the spammer is that it would come from a reputable domain like yours so it will very likely get through.

Where this becomes worse is when the spammer discovers that they can do this with your form, and then writes a "bot" or automated script that simply skips the filling out of the form and just sends the details right to the form script for confirmation, without protections in place, this means they could essentially send out tens of thousands of messages, if not millions if you're not paying attention, which would all come from your domain causing you no end of problems with "Real Time Blacklists" or RBL's that most mail servers use to filter spam.  Once on a list, legitimate mail from your domain would get filtered along with the garbage simply because you've been identified as the spammer.

How is ECMS Horizons different?

There are three ways to defeat this type of form abuse, CAPTCHA, purposefully slow forms, and unpredicatable security codes.  Horizons uses the last one because it's the only one that doesn't punish the average user for using your form, we don't want your visitors turning away from contacting you because your forms are a pain to use.

The way an unpredictable code works is that every time a form is loaded, a secret value is stored in the users session, and that code is regenerated every time the page is loaded.  Taking that one step further, those secret codes can only be used once.  That means that we've removed any ability for the spammer to skip filling in the form because anything beyond the first attempt will fail without a matching security code.

In essence this also is a pseudo-implementation of the second technique, purposefully slow forms, because a spammer would need to wait for each page load before they could send another message.  It doesn't affect the average use though because humans have no problem with a form that loads in 1 second.  It's an effective defence because the 1 second page load, plus possibly another second for page submission (2 seconds total) per email is extremely uneconomical when considering they're trying to send thousands or more messages.  To give you an example, even a relatively short list of 100,000 victim addresses would take in the realm of 200,000 seconds in this scenario, that equates to more than 2 days, more than enough time to catch the problem and fix it.

So not only do we build in the protections in a way that doesn't affect your visitors, but we also make it entirely undesireable for spammers to waste their time trying.  You may get the occational submission while a spammer tests your form out, but you'll never get a second.

Kevin Farley
Chief Software Architect

© 2004 by eCommunities, All rights reserved. Site & Service Policies

Powered by ECMS Horizons