Preventing spam on Ajax forms without using Captcha

By Gareth
4th June 2015 at 13:09

Today we cover a few useful tips for stopping spam bots from using your forms to push junk submissions through to your customers. If you're lucky enough to be building a bespoke site rather than a WordPress one, this guide is for you.

For a long time Ajax forms were largely ignored by the bots that crawl the web sending spam. We won't be covering how to build an Ajax form here, but if you know your Ajax we will go over the more detailed tips for stopping spam.

First, let's talk about the form build itself. A common approach has been to build the form with the usual HTML form tags and use jQuery to intercept the submit event, cancel the native post and send the data by Ajax instead. As practically every browser out there runs JavaScript, you are unlikely to need a non-JavaScript fallback any more. Bear in mind, though, that a bot never needs the browser: it can post straight to the URL your script calls, so every check described below has to be enforced on the server as well as in the page.

Let's go through some methods you can use. Several are less effective on their own than they used to be, so layer them: the more preventative measures you combine, the better. Just ensure they are completely transparent to the website visitor and do not hinder their experience in any way.

Timeout Checks

Timeout checks are probably the best of the classic solutions to spam prevention. Record a timestamp when the form is first served, record another when the data is posted, and measure the time taken to fill it out. No human being can fill out a form as quickly as a computer, so it is safe to treat a super speedy submission as spam. Keep the load timestamp somewhere the visitor cannot alter it: store it in the server-side session, or send it to the browser inside a signed token, because a plain hidden field holding the timestamp can be set to anything a bot likes. Unfortunately, some bots are clever enough to delay posting their submission to counteract this measure, so treat it as a filter rather than a guarantee.

Avoid form tags

A very simple method is to avoid using form tags in your HTML altogether. Many bots look for the wrapping <form> tag before they even start the process, so remove it completely and trigger your Ajax posts from button clicks and return-key presses instead. This only stops the bots that parse the page; one that replays a captured request does not care what the markup looked like.

Use JavaScript to alter the form for the correct input

Structuring your form in the obvious way means you'll no doubt be set up for an attack. If you're getting trouble from bots, you can hide or rename certain elements on the fly with JavaScript, for example by giving the inputs meaningless names in the markup and only mapping them to the names the server expects when the payload is built. Then simply ensure your posting scripts, and the server-side script that receives the post, take these changes into account.
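Putting the two previous sections together, here is an Ajax form with no <form> element, posted on a button click or the return key, with the field names applied only when the payload is built. This is an added example, not code from the original post; the element ids f1, f2, f3, tk and go, the wire names fldFN/fldEM/fldMS and the endpoint /api/contact are assumptions.

```javascript
// Added example, not the article's code: an Ajax "form" with no <form>
// element. Assumed markup: <div id="contact"> holding <input id="f1">,
// <input id="f2">, <textarea id="f3">, a hidden <input id="tk"> carrying the
// server-issued load token, and <button id="go">. The endpoint /api/contact
// and the wire names fldFN/fldEM/fldMS are assumptions too.

// Element id -> name sent to the server. The mapping lives here, not in the
// HTML, so a scraper reading the markup learns nothing useful from it.
const FIELD_MAP = { f1: 'fldFN', f2: 'fldEM', f3: 'fldMS' };

// Pure function: builds the x-www-form-urlencoded body from collected values.
function buildPayload(values, token, map = FIELD_MAP) {
  const body = new URLSearchParams();
  for (const [id, wireName] of Object.entries(map)) {
    body.set(wireName, (values[id] ?? '').trim());
  }
  body.set('tk', token);
  return body.toString();
}

function collect(root, map = FIELD_MAP) {
  const values = {};
  for (const id of Object.keys(map)) values[id] = root.querySelector('#' + id).value;
  return values;
}

async function send(root) {
  const token = root.querySelector('#tk').value;
  const res = await fetch('/api/contact', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildPayload(collect(root), token),
  });
  return res.ok;
}

// Wire the button and the return key, which no longer submit anything by
// themselves because there is no <form> for them to act on.
function wire(root) {
  root.querySelector('#go').addEventListener('click', () => send(root));
  root.addEventListener('keydown', (event) => {
    if (event.key === 'Enter' && event.target.tagName === 'INPUT') {
      event.preventDefault();
      send(root);
    }
  });
}

// Only touch the DOM in a browser; the pure helpers can be exercised anywhere.
if (typeof document !== 'undefined') wire(document.getElementById('contact'));
```

Nothing in this script stops a bot that posts directly to /api/contact; it only removes the cues a markup-scraping bot relies on. The server-issued token and the server-side checks do the actual enforcement.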

Using non-standard field names

You can fool some bots by making your field names look different from what they expect. Be careful not to give your fields standard names; use non-standard naming conventions. So instead of say "firstname" or "fldFirstname", use something like fldFN. The email field is a great one to apply this to. I'd suggest keeping a decoy field with the obvious name (say "email"), hidden from visitors with CSS, while the real address arrives in a differently named field; the server then expects the decoy to be empty and the real field to hold the address. You can then validate those fields and deal with a filled decoy accordingly in your post-processing script.
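The server side of that trick, as an added example rather than the original post's code: the renamed fields are mapped back to their meaning, and a submission that fills any of the hidden decoy fields is rejected. The wire names fldFN/fldEM/fldMS, the decoy names, the token field "tk" and the sample payloads are all constructed for the example.

```javascript
// Added example, not the article's code: server-side handling of renamed
// fields plus decoy fields. The wire names fldFN/fldEM/fldMS, the decoy names
// and the token field "tk" are assumptions for the example.

// Name on the wire -> meaning. Only the obfuscated names appear in the markup.
const WIRE_TO_FIELD = { fldFN: 'firstName', fldEM: 'email', fldMS: 'message' };

// Inputs that exist in the HTML under the obvious names but are hidden with
// CSS, so a visitor never fills them. A bot filling "email" by name is
// answering a field no human could see.
const DECOYS = ['email', 'name', 'url', 'website'];

// Everything the endpoint legitimately expects (the decoys, empty, included).
const KNOWN = new Set([...Object.keys(WIRE_TO_FIELD), ...DECOYS, 'tk']);

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function parseBody(raw) {
  return Object.fromEntries(new URLSearchParams(raw));
}

// Returns { ok: true, fields } with the real names restored, or
// { ok: false, reason } describing which check failed first.
function decodeSubmission(body) {
  const filledDecoy = DECOYS.find((d) => typeof body[d] === 'string' && body[d].trim() !== '');
  if (filledDecoy) return { ok: false, reason: `decoy:${filledDecoy}` };

  const fields = {};
  for (const [wire, name] of Object.entries(WIRE_TO_FIELD)) {
    const v = body[wire];
    if (typeof v !== 'string' || v.trim() === '') return { ok: false, reason: `missing:${name}` };
    fields[name] = v.trim();
  }
  if (!EMAIL_RE.test(fields.email)) return { ok: false, reason: 'bad-email' };

  // A bot that guessed "firstname"/"message" from the labels, or replayed a
  // payload built for another site, sends keys this endpoint never asked for.
  const extra = Object.keys(body).filter((k) => !KNOWN.has(k));
  if (extra.length) return { ok: false, reason: `unexpected:${extra.join(',')}` };

  return { ok: true, fields };
}

// Stand-alone demonstration on a constructed payload.
console.log(decodeSubmission(parseBody('fldFN=Ada&fldEM=ada%40example.com&fldMS=Hello&tk=x')));
```

The "unexpected key" check is the strictest of the three; if other scripts on your page legitimately add fields to the post, add their names to KNOWN rather than loosening the check.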

IP Monitoring and Geotracking

All of these methods are great ways to limit the general hit rate your forms receive. However, if you're getting a targeted attack and want to stop it coming in, a fantastic way is IP monitoring. By capturing the IP address of the originator of each submission, you can cross-reference it against your own database of nuisance bots. Over time, build up a database of the IP ranges that are hitting your forms. You can even set up traps, such as a hidden decoy field, to collect the IPs that fail the checks. Take the address from the connection itself; only trust a forwarding header such as X-Forwarded-For when your own proxy sets it, because a bot can put anything it likes in a header it controls.

There are also a number of databases that track IP addresses other sites have found to be sending spam. Use an API to tap into those and automatically discard any submissions that come from listed addresses.

Geotracking is another great way to check those IP addresses. It allows you to see the country, region and even the town that an IP range is associated with. Then, using your own internal algorithm, you can decide which countries to let through and which to block automatically. It really does depend on the nature of the business the form is being developed for. Some very locally oriented businesses can accept submissions only from their own country. However, keep in mind that people travel, and shared or VPN addresses are often placed in the wrong country, so it is not a good idea to obliterate these submissions outright; flagging them for review is the safer option.

Where your forms are being filled in by humans rather than bots, geotracking can do a great job of bringing that kind of submission to a close.
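The IP checks from this section in Node.js, as an added example and not the original post's code: CIDR matching against a home-grown blocklist, a per-IP submission counter, and a country policy that reviews rather than drops. The blocklist, the range-to-country table and the allowed-country list are constructed for the example; in production they come from your own trap data, a reputation feed and a geolocation database.

```javascript
// Added example, not the article's code: IPv4 range matching for a
// home-grown blocklist, a per-IP submission counter and a country policy.
// The ranges and country tags below are constructed sample data.
const BLOCKLIST = ['203.0.113.0/24', '198.51.100.17/32'];

// Constructed stand-in for a geolocation database: range -> country code.
const GEO = [
  ['192.0.2.0/24', 'GB'],
  ['198.51.100.0/24', 'US'],
  ['203.0.113.0/24', 'XX'],
];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('not IPv4: ' + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error('not IPv4: ' + ip);
    return acc * 256 + n;
  }, 0);
}

// True when ip falls inside cidr ("a.b.c.d/bits"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function countryOf(ip) {
  const hit = GEO.find(([range]) => inCidr(ip, range));
  return hit ? hit[1] : null;
}

// Sliding-window counter: more than `limit` submissions from one IP within
// `windowMs` is treated as abuse. In-memory only; use a shared store when
// more than one server handles the form.
class RateTracker {
  constructor(limit = 5, windowMs = 10 * 60 * 1000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  // Records one submission and returns false once the IP is over the limit.
  record(ip, now = Date.now()) {
    const recent = (this.hits.get(ip) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(ip, recent);
    return recent.length <= this.limit;
  }
}

// Policy: blocklisted ranges and over-rate senders are dropped; out-of-area
// submissions are flagged for review, not dropped (travellers, VPNs).
function assess(ip, tracker, allowedCountries = ['GB'], now = Date.now()) {
  if (BLOCKLIST.some((r) => inCidr(ip, r))) return { action: 'drop', reason: 'blocklist' };
  if (!tracker.record(ip, now)) return { action: 'drop', reason: 'rate' };
  const cc = countryOf(ip);
  if (cc && !allowedCountries.includes(cc)) return { action: 'review', reason: 'geo:' + cc };
  return { action: 'accept', reason: cc ? 'geo:' + cc : 'geo:unknown' };
}

// Stand-alone demonstration.
const tracker = new RateTracker();
for (const ip of ['192.0.2.5', '198.51.100.5', '203.0.113.9']) console.log(ip, assess(ip, tracker));
```

Feed `assess` the address of the TCP connection, not a header the client wrote, and expect shared addresses (offices, carrier NAT) behind a single IP; that is why the rate limit is per window rather than a flat count, and why the geo decision is "review" rather than "drop".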

The bottom line

Spam isn't going to go away, but there are far better ways of dealing with it than there used to be. The odd one will still slip through the net; with this array of methods you should see a dramatic reduction and sometimes complete eradication. Let us know if these methods work for you in the comments below.

5 Comments

  • Herbez at 08:28 on 08/06/2015

    I use non-standard field names and I include a couple of trick fields too. It seems to be effective 99% of the time.

  • John Ray at 09:33 on 13/06/2015

    Thanks for these tips. I'm getting a lot of problems on my forms and will take a look at some of these methods.

  • Matt at 00:52 on 19/06/2015

    You could also have the normal "fname" field but assign a class that adds the "display:none" attribute, and give the others the odd names, making the bot think it was successful when it's not. You can use the "normal" fields to block IPs that fill them out.

  • kjj at 15:08 on 26/11/2021

    j

  • asdads at 18:10 on 22/02/2022

    asd adsadsassdv df bdgfb fgndfgh nghf mndgfmn dgh
