For website owners, spam is an all too familiar and unwelcome nuisance. Whereas in the past only major websites were targeted by spammers promoting their wares, today no website is safe from the onslaught of spam. This raises the question of how much of the user experience should be sacrificed in order to combat spam. There are a variety of security measures and remedies available to tackle this issue, but each one carries a cost.
For as long as there have been countermeasures against spam, there have been even more advanced methods of spamming. Securing your website may require the combination of multiple strategies, however, this could potentially affect the user experience. This can cause difficulty, distraction, or a long time spent on the site by visitors, and ultimately lead to a decrease in key metrics and conversion rate. It is therefore essential to find the optimal balance between the user experience and anti-spam measures. As such, it is often preferable to have a team of professionals managing your defence system. Works provides a selection of anti-spam services to their customers, some of which are outlined below.
Safeguarding the CSFR
Cross-Site Request Forgery (CSRF) is a serious security concern for any website that is exposed to threats other than spam. Taking precautions against CSRF is beneficial to ensure your safety, as well as blocking a large proportion of automated spam. The primary method of protection is to keep a user’s unique identifier in the PHP session. When a user is presented with a submission form, this ID is entered into a hidden field. The server will then check that the ID in the session matches the one in the form before processing it. The correct value for the hidden field can then be retrieved when the form is fully loaded.
This technique is an interesting way to identify spam bots. It involves setting a “code trap” that can be detected by automated software. To do this, you have to include a fake HTML field which can be hidden from users using Cascading Style Sheets (CSS). This way, people won’t be aware of the field, but a script designed to automatically fill in all fields it encounters will still be able to complete it.
Despite its effectiveness, there are certain unintended consequences that accompany this process. For instance, more sophisticated bots may recognise lines such as “display: none” and decide to bypass them. Additionally, there is a possibility of real people filling out the hidden box, mainly when the visitor is using an outdated browser or one that does not support CSS. This is an exceptionally rare occurrence, however it can happen and would result in the visitor being mistakenly classified as a bot.
Tokens Used During a Session
When a consumer visits your website, a cookie may be employed to store a session token. Due to the fact that most bots either do not support cookies or simply bypass them, the token serves as a kind of “entrance ticket” that can only be accessed and used by humans when completing your forms. One potential downside to this is that visitors who visit the form URL by typing it directly into their browser, or clicking on a bookmark, may not be able to submit it, as they will not have a token. It is essential to remain mindful of your target audience, so that you can adjust your approach to ensure it is tailored to the manner in which they interact with your content and the forms you provide.
ISP Blocking System
Collecting Internet Protocol (IP) addresses to create a filter is an effective strategy that does not put your users at risk. If there are numerous submissions from the same IP address, it is likely that they have originated from a spambot and so can be safely disregarded. Although this approach is effective in preventing sudden spikes in activity, it is not as successful in combating persistent spam as it only blocks spambots after they have submitted multiple times. Ultimately, its effectiveness is dependent on the type of engagement your website receives.
Anti-Spam Web Page
At Works, we take spam very seriously and believe that the best way to protect against it is by using a combination of methods. While there are various techniques available for preventing spam, our technical team have identified several that have proven to be particularly effective. However, even with a variety of approaches, it is not possible to completely eradicate spam. We therefore strongly recommend that you take the necessary steps to protect yourself from this issue.