twitter facebook dribbble email

A better alternative for the Captcha spam filter

Careful! This post is looking a little old and could be inaccurate in many, many ways

Spam email is the evitable consequence of owning an email address, but as a necessary requirement to using the Internet these days your email is distributed far and wide. Although we can do little to control how another website uses our email address once we have provided it we can control how we utilise our email on our own websites.

Many websites utilise their email address in one of three ways:

  • As simple text
  • As a mailto link
  • Within a contact form

All the above allow spammers to send you email either by collecting your email address to add to a database or spam you directly using your own contact form. There are different solutions to the first two examples above such as displaying your email in a non standard format e.g. john[at]smith[.com] or using JavaScript to display the email, both of which most automated bots cannot interpret.

Using a contact form however keeps your email hidden away, but provides a quick way for a bot to send you spam en-mass. However there are ways to protect yourself here also:


Most web users are familiar with this technique. This method validates the user input against text embedded in an image to ensure human entry. This method has come under growing criticism as an inaccessible method for form submission. Just as a bot cannot read the text within the image neither can a high percentage of the visually impaired. For this reason more newly implemented captcha’s also have an added audio element.

Security Question

As people came to see Captcha’s as an imperfect solution many chose to exploit a bots other weakness; intelligence. Rather than using the Captcha that displays something a bot cannot see the security question method displays a simple question such as 2 plus 2 or is fire hot or cold within a label and requests the user to input the answer in the associated input field. As a bot has no intelligence it cannot answer the question with the correct answer, this is unless the bot has been pre-programmed to associate a particular question with a particular answer.

Both these methods however presume the user is a willing personal spam filter for our websites by asking them to enter extra information that has no relevance to what they are wishing to accomplish but only serves our need to reduce the amount of spam in our inbox.

There has to be a better way?

The hidden security field

What this method does is create an extra form field like that of the security field above but rather than ask the user to input a valid entry it assumes any and all entry as invalid. We can take this assumption that a human will leave the field blank as the security field is hidden using CSS. If a user is to view the website as designed this extra field should never be visible to them, yet to a bot it is yet another form field to enter ambiguous data. This method exploits a bots inability to understand CSS.

Upon submission the form will be validated to ensure the security field is blank and if not will return an error. Although this isn’t beneficial to a bot it is to our users. If by any chance they have entered something into the security they will be informed of the error and can then correct it. Also so that those that do see the security field are not confused by the extra input box we add an associated label asking them to leave the field blank. Although in this case it puts the emphasis back on the user, it requires no input and should account for only a small number of the websites users.

Is this the end of my spam problem?

Probably not. This method is not perfect, like the other methods it is no solution for human generated spam, but it does provide a non-invasive method of spam filtering that limits the impact on the user experience.

What methods do you use to control spam, or do you leave your spam filtering to your email provider? Add your comment below