Before Hook Forms, I hosted and managed a bunch of random websites for clients, and most used contact forms. They looked good and worked well, so naturally spammers found them and immediately crapped on the situation.

To fight spam, you really have two options (maybe some combination):
  1. Try to prove that the form is being submitted by a human
  2. Set traps that spam bots are too dumb to avoid

We will list and analyze the most proven techniques out there so far from both categories, then add some ideas of our own.

'Smart' Captchas

If you search "third party captcha," you'll find dozens of options with varying levels of integration requirements. In our opinion, the best (best is a strong word) third-party captchas are the ones least likely to annoy clients. They usually require people to solve a simple puzzle, move a slider, choose an image, answer a question, etc. But even they are not ideal.

Our first goal needs to be to keep things clean, usable, and as frictionless as possible for users. Third-party captchas tend to look cheap, especially if you want to use them in an otherwise sleek design. On a performance (read: most important) level, newer and better spam bots often beat scrambled text captchas by unscrambling words themselves.

Honeypot Fields

A honeypot is a field you insert into a form, then hide from the user. In theory, spam bots will visit the site, won't realize the field is hidden, and will fill it in. The processor looks at that and says, "Oh hey, they filled in this hidden field, so this is probably spam." The post is then handled accordingly.

Sticking with the theme, honeypots worked great for a while. But again, smarter spam bots are ruining everything. They can render CSS and execute JavaScript, meaning the form they see is often the exact same as what a human sees. That means bots skip hidden fields, and the spammed form passes through.

Not cool.

Content Analysis

Several systems and tools actually read email and give it a spam score. They use that score to block the message, then make rules to block future email from the spammy sender.

One problem with these solutions is that they aren't designed for forms. Akismet is probably the most well-known vendor for form content analysis, but it's also the most expensive.

We found clients would rather weed through spam email than spend extra money on an Akismet license. In addition, analyzing the content of an email to give it a spam score has proved to be difficult and not at all something we would suggest to the average website owner due to the complexity.


Our Wish-list of Features

A better spam-filtering system would combine the most performant techniques, and add new ones. The best parts of each would work together like an anti-spam Megatron, determining accurately who or what submitted the form. This ultimate system would do all of the following:

  • Content analysis to detect spammy words, excessive links
  • Flag content for words in a 'spam database'
  • Flag content with unexpected language, character sets or encoding
  • Target and exclude posts based on IP range and geographic area
  • Determine whether the form has been cached for a re-play bot
  • Determine whether the poster has added or tampered with fields

Pausing to take a breath.

  • Log IP address to detect bots on rotating proxies
  • Simple, human-friendly questions (in place of ugly captchas)
  • Totally random honeypots
  • Check for duplicate / similar content across multiple fields
  • Score content based on usage of upper and lowercase
  • Score content based on the percentage of fields with duplicate content
  • Score content based on the percentage of non-required fields completed

* The system would also integrate with any CMS, or even a static-hosted website. Let's not inject another full-on app just to handle form processing.
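
To make the scoring items on the list concrete, here is one way a form processor could combine a few of them (honeypot, excessive links, upper/lowercase usage, duplicate fields, non-required fields completed) into a single score. This is an added example, not Hook Forms code; the field names, weights, threshold and the sample submission are assumptions made up for illustration.

```javascript
// Added example: heuristic spam score for one contact-form submission.
// Field names, weights and THRESHOLD are assumptions, not Hook Forms values.
const WEIGHTS = { honeypot: 100, links: 15, uppercase: 20, duplicates: 30, optional: 20 };
const THRESHOLD = 50;

function scoreSubmission(fields, schema) {
  const reasons = [];
  let score = 0;
  const add = (points, reason) => {
    if (points > 0) { score += points; reasons.push(reason); }
  };
  const value = (name) => String(fields[name] || '').trim();

  // Honeypot: the field is hidden from people, so any value is a strong signal.
  if (value(schema.honeypot) !== '') add(WEIGHTS.honeypot, 'honeypot');

  const visible = [...schema.required, ...schema.optional];
  const values = visible.map(value).filter((v) => v !== '');
  const text = values.join(' ');

  // Excessive links: one link is tolerated, each extra one costs points.
  const links = (text.match(/https?:\/\//gi) || []).length;
  add(WEIGHTS.links * Math.max(0, links - 1), 'links');

  // Upper/lowercase usage: flag text that is mostly capitals.
  const letters = text.replace(/[^a-z]/gi, '');
  const upper = letters.replace(/[^A-Z]/g, '').length;
  if (letters.length >= 20 && upper / letters.length > 0.5) add(WEIGHTS.uppercase, 'uppercase');

  // Share of completed fields whose content also appears in another field.
  const norm = values.map((v) => v.toLowerCase());
  const dupes = norm.filter((v) => norm.indexOf(v) !== norm.lastIndexOf(v)).length;
  if (values.length > 1) add(Math.round(WEIGHTS.duplicates * dupes / values.length), 'duplicates');

  // Share of non-required fields completed (assumed direction: more filled = more bot-like).
  const filled = schema.optional.filter((n) => value(n) !== '').length;
  if (schema.optional.length > 0) {
    add(Math.round(WEIGHTS.optional * filled / schema.optional.length), 'optional');
  }

  return { score, spam: score >= THRESHOLD, reasons };
}

// Constructed sample input: a bot that rendered the CSS and skipped the honeypot.
const SCHEMA = { honeypot: 'website_url', required: ['name', 'email', 'message'], optional: ['phone', 'company'] };
const BOT = { name: 'BUY CHEAP PILLS NOW', email: 'x@example.net', phone: 'BUY CHEAP PILLS NOW',
  company: 'BUY CHEAP PILLS NOW', website_url: '',
  message: 'BUY CHEAP PILLS NOW http://a.example http://b.example http://c.example' };
console.log(scoreSubmission(BOT, SCHEMA));
```

No single signal in the sample reaches the threshold alone; the submission is flagged because the weaker signals add up, which is what lets the score catch a bot that avoided the honeypot.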

We didn't want to sit around wishing, so we've already built this system and you can start using it now.

Hook Forms

These forms handle every feature described above. All forms are posted over SSL, and guaranteed secure.

Using Hook Forms

There are no crazy APIs to deal with and no libraries to install. In three steps, you'll be up and running:

  1. Sign up at the top of the home page at hookforms.com.
  2. Create a new Hook Form.
  3. Paste the HTML/JavaScript into your page.

It does not matter how or where your site is hosted.

If you choose to try Hook Forms for free, the app will walk you through things, but please email support@hookforms.com with even the smallest of questions.

Thank you in advance for your feedback and for helping us make this thing great.