If you own a website you know this: spam is a true nightmare. Long gone are the days when only big sites were targeted with spam related to their services or products in an attempt to draw away their customers. Nowadays, spambots will indiscriminately target any site regardless of its size, reach, or content. There are abundant countermeasures and security techniques to stop spam, but they all present a question for site owners: “How much of my UX am I willing to sacrifice to fight spam?”
As anti-spam measures advance and evolve, so do spam methods, resulting in a never-ending race between the two. You can easily make your site bulletproof by combining different methods, but this will tear your user experience to shreds, making the navigation and interaction through your site hard, distracting, or time-consuming. This affects your key metrics and conversion rate.
That means that your anti-spam solutions should be carefully designed around your optimal tradeoff between UX and spam eradication. It’s often best to have a team of experts set up and maintain your defenses. This list shows some of the spam management solutions we offer our clients.
CSRF Protection
One of the staple options. Cross-Site Request Forgery (CSRF) is a common security issue in any site that accepts form submissions, and it exposes you to threats other than just spam: an attacker can make a logged-in visitor’s browser submit a request that visitor never intended. Protecting against it allows you to stay safe and also stops a big percentage of automated spam, because the same check rejects any submission that was not preceded by loading the form. The main way to do so is to store a unique, unpredictable ID (generated from a cryptographically secure random source, never from rand() or uniqid()) in the PHP session for a user. The ID is then placed as a hidden form field when that user is presented with a submission form. On submission, your server checks that the session’s copy matches the one in the form, using a constant-time comparison so timing does not leak the token. This ensures that the form has actually been loaded in that session in order to retrieve the correct hidden field value, which a bot posting straight to the form handler never does.
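The following is an added example, not code from the original article: a synchronizer-token implementation of the check described above using a PHP session. The session key (`csrf_token`), the hidden field name (`_csrf`) and the function names are my own choices; in a real handler `$session` is `$_SESSION` after `session_start()` and `$post` is `$_POST`.

```php
<?php
// Added example (not from the original page): synchronizer-token CSRF protection
// with a PHP session. The key and field names below are my own choices.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token'; // assumed name of the session entry
const CSRF_FIELD_NAME  = '_csrf';      // assumed name of the hidden form field

/** Return the session's CSRF token, creating one the first time it is needed. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 bytes from the OS CSPRNG; rand(), mt_rand() and uniqid() are guessable.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every form whose submission changes state. */
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $token . '">';
}

/** True only when a token was issued and the submitted copy matches it exactly. */
function csrfValid(array $session, array $post): bool
{
    $expected  = $session[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD_NAME] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false; // nothing issued yet, or a non-string smuggled in via _csrf[]=
    }
    // hash_equals compares in constant time, so response timing does not leak the token.
    return hash_equals($expected, $submitted);
}

// Demo with constructed submissions. In a real handler $session is $_SESSION
// after session_start() and $post is $_POST.
$session = [];
echo csrfHiddenField($session), PHP_EOL;

$checks = [
    'form loaded in this session' => [CSRF_FIELD_NAME => $session[CSRF_SESSION_KEY], 'message' => 'hello'],
    'blind POST, no token'        => ['message' => 'cheap pills'],
    'guessed token'               => [CSRF_FIELD_NAME => str_repeat('0', 64), 'message' => 'cheap pills'],
];
foreach ($checks as $label => $post) {
    echo $label, ': ', csrfValid($session, $post) ? 'accepted' : 'rejected', PHP_EOL;
}
```

Run it with `php csrf.php`: only the submission that carries the token rendered into the form is accepted; a blind POST and a guessed token are rejected. One token per session is enough for the anti-spam purpose; regenerate it (along with the session ID) when a user logs in so a token issued before authentication cannot be reused afterwards.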
The Honeypot
This interestingly named spam prevention technique consists of luring a bot into a sort of “code trap” which reveals it as a spambot. You do this by including an extra field in your HTML form that looks like a real field and hiding it with CSS. This way, a human won’t be able to see the field or fill it in, but a script most likely will, as many are programmed to fill every field they find, which gives it away.
There are some collateral aspects to this technique, however. Some advanced bots can detect lines such as “display: none” and recognize the trap, so moving the field off-screen is a safer way to hide it. Other complications involve actual users filling out the hidden field, which can happen if someone has an outdated browser or a browser with CSS turned off, or if the browser’s autofill feature populates it because its name looks like an address or e-mail field; screen-reader users will also be offered the field unless it is marked aria-hidden and removed from the tab order. Although extremely rare, these users would probably fill out the field, leading you to the mistake of labeling them as bots. For that reason it is wiser to route honeypot hits to a moderation queue than to drop them silently.
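As an added example (not code from the original article), here is a honeypot field rendered the way the caveats above call for, together with the server-side check. The field name `website_url`, the CSS class and the verdict labels are my own assumptions; in a real handler `$post` is `$_POST`.

```php
<?php
// Added example (not from the original page): a honeypot field and its server-side
// check. The field name, CSS class and verdict labels are my own choices.

declare(strict_types=1);

const HONEYPOT_FIELD = 'website_url'; // assumed: looks like a real field, so bots fill it

/** Stylesheet rule that parks the field off-screen; display:none is what bots grep for. */
function honeypotCss(): string
{
    return '.hp-wrap{position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden}';
}

/** Markup: off-screen, out of the tab order, hidden from screen readers, autofill discouraged. */
function honeypotField(): string
{
    return '<div class="hp-wrap" aria-hidden="true">'
         . '<label for="hp-' . HONEYPOT_FIELD . '">Leave this field empty</label>'
         . '<input type="text" id="hp-' . HONEYPOT_FIELD . '" name="' . HONEYPOT_FIELD . '"'
         . ' tabindex="-1" autocomplete="off" value="">'
         . '</div>';
}

/**
 * Classify a submission by its honeypot field:
 *   'human'   - field present and empty
 *   'bot'     - field filled (or not a plain string, e.g. website_url[]=x)
 *   'missing' - field absent: the client did not submit the form we rendered
 */
function honeypotVerdict(array $post): string
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return 'missing';
    }
    $value = $post[HONEYPOT_FIELD];
    if (!is_string($value) || trim($value) !== '') {
        return 'bot';
    }
    return 'human';
}

// Demo with constructed submissions. In a real handler $post is $_POST.
echo '<style>', honeypotCss(), '</style>', PHP_EOL, honeypotField(), PHP_EOL;

$samples = [
    'browser user'          => ['name' => 'Ana', HONEYPOT_FIELD => '', 'message' => 'Hi'],
    'form-filling bot'      => ['name' => 'x', HONEYPOT_FIELD => 'http://spam.example', 'message' => 'buy'],
    'blind POST to handler' => ['name' => 'x', 'message' => 'buy'],
];
foreach ($samples as $label => $post) {
    echo $label, ': ', honeypotVerdict($post), PHP_EOL;
}
```

The visible label text (“Leave this field empty”) is what protects the rare CSS-off visitor: they see an instruction instead of a mystery box. Treat both the 'bot' and 'missing' verdicts as suspicious rather than as proof, and log them; the counts tell you whether the trap is catching bots or tripping real users.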
Session Tokens
Through the use of cookies, you can set a session token each time a customer visits your website. As most bots don’t store cookies, or just arrive directly at the forms, the token works as a sort of “entry ticket” that only humans retrieve and then present when they fill out your forms. There is, as always, a setback: if the ticket is only issued on your landing pages, users who go directly to the form’s URL or have it bookmarked won’t receive one and won’t be able to submit the form. Issuing the ticket on the form page as well narrows the rejection to clients that post without ever loading a page, but an expired ticket can still catch a slow human. This is another reason to monitor your audience and choose the method according to their behavior and the type of forms you present.
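The following is an added example, not code from the original article, of the entry-ticket flow: a GET hands out a signed cookie, a POST must present one that is valid and unexpired, and a POST that arrives without one is re-rendered with a fresh ticket instead of being thrown away. The cookie name, the one-hour lifetime, the HMAC-based ticket format and the placeholder secret are my own assumptions; in production the secret comes from configuration and the cookie is set with `setcookie()`.

```php
<?php
// Added example (not from the original page): a cookie "entry ticket" issued on a page
// view and required on submission. Cookie name, TTL, ticket format and secret are assumptions.

declare(strict_types=1);

const TICKET_COOKIE = 'entry_ticket';
const TICKET_TTL    = 3600;   // seconds a ticket stays valid
// Assumption: load this from config/env in production; never hard-code a real secret.
const TICKET_SECRET = 'replace-with-32-random-bytes-from-config';

/** Stateless ticket: issue time plus an HMAC over it, so nothing has to be stored server-side. */
function issueTicket(int $now): string
{
    $issued = (string) $now;
    return $issued . '.' . hash_hmac('sha256', $issued, TICKET_SECRET);
}

/** True if the cookie value carries a genuine, unexpired ticket. */
function ticketValid($ticket, int $now): bool
{
    if (!is_string($ticket) || substr_count($ticket, '.') !== 1) {
        return false;
    }
    [$issued, $mac] = explode('.', $ticket, 2);
    if (!ctype_digit($issued)) {
        return false;
    }
    $expected = hash_hmac('sha256', $issued, TICKET_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false;                          // forged or tampered
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= TICKET_TTL;    // expired, or stamped in the future
}

/** The Set-Cookie line a real handler would emit via setcookie() with the same options. */
function ticketCookieHeader(string $ticket): string
{
    return sprintf('Set-Cookie: %s=%s; Max-Age=%d; Path=/; HttpOnly; Secure; SameSite=Lax',
        TICKET_COOKIE, $ticket, TICKET_TTL);
}

/**
 * Decide what to do with a request to the form URL. Every GET, including the form page
 * itself, issues a ticket, so a bookmarked or directly typed form URL still gets one.
 * A POST without a valid ticket is re-rendered with the typed values and a new ticket
 * rather than dropped: that is what a bot sees, but also a human whose ticket expired.
 */
function handleFormRequest(string $method, array $cookies, int $now): array
{
    $valid = ticketValid($cookies[TICKET_COOKIE] ?? null, $now);
    if ($method === 'GET') {
        return ['action' => 'render_form', 'set_cookie' => $valid ? null : issueTicket($now)];
    }
    if ($valid) {
        return ['action' => 'accept', 'set_cookie' => null];
    }
    return ['action' => 'rerender_with_ticket', 'set_cookie' => issueTicket($now)];
}

// Demo with a constructed clock and cookie jars.
$now    = time();
$ticket = issueTicket($now);
echo ticketCookieHeader($ticket), PHP_EOL;

$tampered = '0.' . explode('.', $ticket)[1];   // keeps the MAC but rewrites the timestamp
$cases = [
    'GET landing page, no cookie'  => ['GET',  [],                           $now],
    'POST after browsing'          => ['POST', [TICKET_COOKIE => $ticket],   $now + 30],
    'POST straight to the handler' => ['POST', [],                           $now + 30],
    'POST with a tampered ticket'  => ['POST', [TICKET_COOKIE => $tampered], $now + 30],
    'POST with an expired ticket'  => ['POST', [TICKET_COOKIE => $ticket],   $now + TICKET_TTL + 1],
];
foreach ($cases as $label => [$method, $cookies, $at]) {
    $r = handleFormRequest($method, $cookies, $at);
    echo $label, ': ', $r['action'], $r['set_cookie'] !== null ? ' (ticket issued)' : '', PHP_EOL;
}
```

Only the POST that follows a page view within the ticket’s lifetime is accepted; the direct, tampered and expired submissions all come back as a re-render with a new ticket, so a human just presses submit again while a bot that never loads pages never gets past this step. `SameSite=Lax` on the cookie also keeps it from being sent on cross-site POSTs, which complements the CSRF token.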
IP Address Filter
A very efficient form of spam mitigation, and one that poses little risk for your users, is collecting IP addresses to build a filter. If you receive many submissions from the same IP address in a short time, you can treat it as a spambot and block it. Two cautions apply: the threshold must allow for visitors who share an address through a corporate proxy, carrier NAT or a campus network, and the address you count must be the one your server actually saw, since a bot can put anything it likes in an X-Forwarded-For header unless that header was set by your own proxy. The shortcoming of this method is that it will only block spambots after they’ve submitted a few times, which makes it a great resource against strong spikes of activity but not against casual or continuous spam. Once again, it all comes down to the type of activity you receive.
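As an added example (not code from the original article), here is a per-address sliding-window counter together with a client-address lookup that only trusts X-Forwarded-For when the request came through a proxy you operate. The limit of five submissions per ten minutes, the in-memory store and the proxy addresses are my own assumptions; in production the store would be a cache or database shared by all web workers.

```php
<?php
// Added example (not from the original page): per-IP sliding-window submission limit
// plus a safe client-address lookup. Threshold, window, store and proxy IPs are assumptions.

declare(strict_types=1);

const IP_LIMIT  = 5;     // submissions allowed ...
const IP_WINDOW = 600;   // ... per this many seconds from one address

/** Record a submission and report whether this address is now over the limit. */
function ipOverLimit(array &$store, string $ip, int $now): bool
{
    $cutoff = $now - IP_WINDOW;
    $recent = array_filter($store[$ip] ?? [], fn(int $t) => $t > $cutoff); // forget old hits
    $recent[] = $now;
    $store[$ip] = array_values($recent);
    return count($recent) > IP_LIMIT;
}

/**
 * Pick the address to count. A direct connection is REMOTE_ADDR, full stop. Only when
 * REMOTE_ADDR is one of our own proxies do we read X-Forwarded-For, walking it from the
 * right and skipping our proxies: the first foreign hop is the client, and anything to
 * its left was supplied by the client itself and may be a lie.
 */
function clientIp(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : null;
        }
    }
    return $remote; // every hop was one of ours
}

// Demo with a constructed clock: a bot hammers the form, a human sends two messages.
$store = [];
$t0 = 1700000000;
for ($i = 1; $i <= IP_LIMIT + 1; $i++) {
    echo 'bot submission ', $i, ': ', ipOverLimit($store, '203.0.113.7', $t0 + $i) ? 'BLOCKED' : 'accepted', PHP_EOL;
}
echo 'human 1: ', ipOverLimit($store, '198.51.100.2', $t0 + 5) ? 'BLOCKED' : 'accepted', PHP_EOL;
echo 'human 2: ', ipOverLimit($store, '198.51.100.2', $t0 + 200) ? 'BLOCKED' : 'accepted', PHP_EOL;
// Once the window has passed the bot's address is clean again: blocks need an expiry too.
echo 'bot after window: ', ipOverLimit($store, '203.0.113.7', $t0 + IP_WINDOW + 10) ? 'BLOCKED' : 'accepted', PHP_EOL;

// Address lookup: a request relayed by our proxies 10.0.0.5 -> 10.0.0.6, and a direct
// connection whose X-Forwarded-For header was fabricated by the bot itself.
$ourProxies = ['10.0.0.5', '10.0.0.6'];
$relayed = ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5'];
$spoofed = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.2'];
echo 'relayed client: ', clientIp($relayed, $ourProxies), PHP_EOL;
echo 'spoofing client: ', clientIp($spoofed, $ourProxies), PHP_EOL;
```

The bot’s sixth submission inside the window is blocked while the human’s two are not, and the relayed request resolves to the real client address while the spoofed header is ignored in favour of the connecting address. Tune IP_LIMIT against your own traffic: a limit that is right for a contact form is far too low for a comment section used from a single office.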
A Spam-Proof Site
Anti-spam solutions and techniques come in many shapes and forms; these are just some of the ones our engineers recommend the most. Each technique has its weak points and disadvantages, which is why having an expert team study your case and apply a combination of solutions is the ideal scenario. There’s no silver bullet against spam. We treat spam like any other cybersecurity issue, and we encourage you to do the same. This is the best way to be fully armed in the spam fight.