If you own a website you know this: Spam is a true nightmare. Long gone are the days when only big sites were targeted with spam related to their services or products in an attempt to draw their customers. Nowadays, spambots will indiscriminately target any site regardless of its size, reach, or content. There are abundant countermeasures and security techniques to stop spam but they all present a question for site owners: “How much of my UX am I willing to sacrifice to stop spam?”
As anti-spam techniques advance and evolve, so do spam methods, in what has so far been a never-ending race between the two. You can easily make your site bulletproof by combining different methods but this will tear your user experience to shreds, making navigation and interaction on your site hard, distracting or time-consuming, thus affecting your key metrics and conversion rate. This means that your approach should be carefully designed based on your optimal tradeoff between UX and anti-spam measures, and that’s why it’s often best to have a team of experts set up and maintain your defenses. This list shows some of the spam solutions that BairesDev offers to its clients.
One of the staple options is protection against Cross-Site Request Forgery, a common security issue on any site, and one that exposes you to threats other than just spam. Protecting against it allows you to stay safe and stop a big percentage of automated spam. The main way to do so is to store a unique ID in the PHP session for a user. The ID is then placed in a hidden form field when that user is presented with a submission form. When the form is submitted, your server checks that the ID in the form matches the copy stored in the session. This ensures that the form was actually loaded in order to retrieve the correct hidden field value.
This interestingly named technique consists of luring a bot into a sort of “code trap” which will reveal it as a spambot. You do this by including a separate field in your HTML form that simulates a real field and hiding it with CSS. This way, a human won’t be able to see the field or fill it in, but a script will most likely fill it out, as such scripts are programmed to fill every field possible, which will give it away.
This technique has some side effects, however. Some advanced bots can detect lines such as “display: none” and recognize the trap. Other complications involve actual users filling out the hidden field, which can happen if someone has an outdated browser or a browser with CSS turned off; although extremely rare, these users would probably fill out the field, leading you to mistakenly label them as bots.
IP Address Filter
A very efficient method that poses no risk for your users is the collection of IP addresses to generate a filter. If you receive many submissions from the same IP address, you can discard it as a spambot. The shortcoming of this method is that it will only block spambots after they’ve submitted a few times, which makes it a great resource against strong spikes of activity but not against casual or continuous spam. Once again, it all comes down to the type of activity you receive.
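The three checks described above (session ID in a hidden field, CSS-hidden trap field, per-IP submission count) can be combined in one server-side validator. This is an added example, not code from the original article or from BairesDev; the function names, the `form_token` and `website` field names, and the limits are assumptions, and plain arrays stand in for `$_SESSION`, `$_POST` and a database table.

```php
<?php
const MAX_PER_WINDOW = 3;    // assumed limit: submissions allowed per IP
const WINDOW_SECONDS = 600;  // assumed sliding-window length

// Called when the form is rendered: keep one random ID in the session
// and return it so it can be written into the hidden form field.
function issueToken(array &$session): string
{
    $session['form_token'] ??= bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Returns 'ok' or the reason the submission was rejected.
// $hits maps IP => list of submission timestamps (hypothetical store).
function checkSubmission(array $session, array $post, string $ip, array &$hits, int $now): string
{
    // 1. Session ID check: the hidden field must match the session copy.
    //    hash_equals compares in constant time.
    $expected = $session['form_token'] ?? '';
    $given = $post['form_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'bad_token';
    }

    // 2. Trap field: 'website' is hidden with CSS, so a human leaves it empty.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot';
    }

    // 3. IP filter: count this IP's submissions inside the window.
    $recent = array_filter($hits[$ip] ?? [], fn($t) => $t > $now - WINDOW_SECONDS);
    $recent[] = $now;
    $hits[$ip] = array_values($recent);
    return count($recent) > MAX_PER_WINDOW ? 'rate_limited' : 'ok';
}

// Constructed sample run (203.0.113.7 is a documentation-range address).
$session = []; $hits = []; $ip = '203.0.113.7';
$good = ['form_token' => issueToken($session), 'website' => ''];
for ($i = 0; $i < 4; $i++) {            // fourth submission exceeds the limit
    echo checkSubmission($session, $good, $ip, $hits, 1000 + $i), "\n";
}
// A submission that never loaded the form, then one that filled the trap field.
echo checkSubmission($session, ['form_token' => 'guess'], $ip, $hits, 2000), "\n";
echo checkSubmission($session, ['website' => 'http://spam.example'] + $good, $ip, $hits, 2001), "\n";
```

Because the trap field can also be filled by the rare real users mentioned above, a `honeypot` result is better routed to a review queue than silently dropped.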
A Spam-Proof Site
Anti-spam techniques come in many shapes and forms; these are just some of the ones our engineers recommend the most. Each technique has its weak points and disadvantages, which is why having an expert team studying your case and applying a combination of solutions is the ideal scenario. There’s no silver bullet against spam. At BairesDev we treat spam like any other cybersecurity issue, and we encourage you to do the same.