Friday, January 2, 2009

Eliminating form spam with a quick Captcha

An annoying thing about most forms that make their way onto the web is that they get discovered by automated spam robots that submit their garbage information, and in doing so, invalidate your numbers, and give you extra cleanup effort in order to ensure that only clean data enters your databases.

Luckily there's a quick and easy way to fix that - you have probably seen it if you've ever commented on a blog or signed up for an account on any free service. It's called a CAPTCHA - an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart.", and in it's most common form, it uses a randomly generated image of a word or letter sequence that you have to type in in order to allow your form to be submitted.

On many less critical sites, it is also done with a simple human-readable request, and verification of that against the known correct answer. Many blog sites like Marketing Profs Daily Fix( and Six Pixels of Separation ( use this technique successfully.

There's a simple and easy way to do this with Eloqua, and while it won't prevent form spam from someone who exerts significant effort on your specific web form, it's quick and easy and will prevent almost all form spam from bots that discover your form by trawling the web.

First, create a text field on your form, called Captcha Field, where you will ask a user to submit a word, or the answer to a question.

Then, from the top menu, add server side validation to the form by choosing "Edit Server Validation". We will be verifying that the submitted answer to the Captcha question matches the correct answer, and this should only be the case if it is a human, not a spam bot, submitting the form.

We'll use server side validation (after the form is submitted) as most spam bots will bypass any of the javascript client side validation that one can use (before the form is submitted).

Add a new validation rule on the Captcha field, and make that validation rule of the "Field Value in Data Set" type. This will verify that the value submitted is part of a set of acceptable values, although in our case, the "set" of values is likely to only contain one value. However, if you think that the human-readable question might have more than one possible way of phrasing the answer, you might want to add both (ie, if you ask "what is 2 + 2", you might want to add "four" and "4" as possible answers.

The validation parameters have an option for setting the value to a correct value if it is not correct, but we will not enable that as that would correct the spam bot's answers and allow them through, defeating the purpose.

Create a new Data Set called Captcha Values, and in that set, add in your accepted answers. In our case, if we have the instruction on the form say "type in the word 'notaspammer'", we would add "notaspammer" to our correct value list. You can use words, answers to simple questions or very simple (2 + 2) math questions. Remember that you're only able to stump automated form trawlers, not dedicated efforts with this technique, so keep it simple.

Add the field to your form layout, and instead of the normal field name, type in your Captch question. Next, configure a message that alerts them that the field was not correctly filled out in the case of an error, and you will have a basic Captcha for your form.

I look forward to your comments on this technique, what has worked, what hasn't, and what percentage of spam bots you have found this to resolve.


Chad H said...

This is a great tip!

Ben said...

Here's a doc that outlines how to configure this option in Eloqua, as well as the alternative option which usese a hidden field:

Download Instructions

Steven Woods said...

Thanks Ben, that's a great doc that goes into a lot more detail than I did. Definitely a big help in setting this up.

France said...

In E10 there are not Server validation rules, do you know how I can avoid spam in my forms without using Captcha?