Personally I hate SPAM with a passion and I’m sure many of you will agree that you hate it also. Some time ago, I had a client ask me if there was a way for us to eliminate the SPAM that was generated from his web form. I went to the usual places to see if I could find the answer and was a little let down with the solution that was presented, CAPTCHA.
I’m personally not a fan of CAPTCHA and have always wondered about the effect it has on the conversion rates of web forms. I decided to put together a case study to clear my head about the use of CAPTCHA and its effect on web form conversion rate.
The case study was done over 50 different websites that I either manage or have access to. These websites range from less than 1 year old to over 5 years old. All forms were a collection of common information such as name, address, city, email address and a comment area.
The study was done over the course of 6 months. Half of the websites started with CAPTCHAs on and the other half started with no CAPTCHAs. After 3 months, each site was switched to the other CAPTCHA setting. I recorded the number of successful, failed, and SPAM conversions for each of the 50 web forms.
A SPAM conversion was recorded when the submission had excessive links or was a solicitation for a service. A failed conversion was recorded when a user/bot entered an incorrect CAPTCHA or never correctly entered the correct CAPTCHA after multiple tries. A successful conversion was when the information given in the web form was the required information minus any spammy information.
On to the data!!!!
- 2,134 total conversions were entered while the CAPTCHA was off.
- 91 total SPAM conversions while the CAPTCHA was off.
- 0 total failed conversions while the CAPTCHA was off.
- 2,156 total conversions were entered while the CAPTCHA was on.
- 11 total SPAM conversions while the CAPTCHA was on.
- 159 total failed conversions while the CAPTCHA was on.
From the data you can see that with CAPTCHA on, there was an 88% reduction in SPAM but there were 159 failed conversions. Those failed conversions could be SPAM, but they could also be people who couldn’t figure out the CAPTCHA and finally just gave up. With CAPTCHAs on, SPAM and failed conversions accounted for 7.3% of all the conversions for the 3-month period. With CAPTCHAs off, SPAM conversions accounted for 4.1% of all the conversions for the 3-month period. That possibly means when CAPTCHAs are on, the company could lose out on 3.2% of all their conversions!
Given the fact that many clients count on conversions to make money, not receiving 3.2% of those conversions could put a dent in sales. Personally, I would rather sort through a few SPAM conversions instead of losing out on possible income.
My suggestion to clients was to avoid the use of CAPTCHA, due to the possible loss of conversions. I’m in the process of trying out the old “Honeypot” CAPTCHA technique on Grand Rapids SEO. It involves using CSS to hide a form field that is supposed to be left blank. Every time the form is submitted you check the field and see if it’s blank; if it is not, you mark the submission as spam but do not delete it.
What have been your overall views on the use of CAPTCHA and its effect on web form conversion rates? I’m interested to see what techniques everyone here uses to prevent or reduce the amount of SPAM on web forms.
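The honeypot check described in the article, as an added example that is not the author's own code. The field name "website_url", the form markup and the sample request bodies are assumptions made for illustration; it also covers two cases the article does not mention, a POST that omits the trap field and one that repeats it.

```javascript
// Added example; the field name "website_url" and all sample bodies are constructed.
const HONEYPOT_FIELD = "website_url";

// The trap is an ordinary text input that CSS moves off-screen, as the article
// describes. tabindex and autocomplete reduce the chance that a keyboard user
// or browser autofill puts a value in it by accident.
const FORM_HTML = `
<style>.hp-wrap { position: absolute; left: -10000px; }</style>
<form method="post" action="/contact">
  <label>Name <input name="name" required></label>
  <label>Email <input name="email" type="email" required></label>
  <label>Comment <textarea name="comment" required></textarea></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty
      <input name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>`;

// Decide whether a raw application/x-www-form-urlencoded POST body tripped the trap.
function classifySubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const trap = params.getAll(HONEYPOT_FIELD);
  const fields = {};
  for (const [key, value] of params) {
    if (key !== HONEYPOT_FIELD) fields[key] = value;
  }

  let reason = null;
  if (trap.length === 0) {
    // A browser always sends an empty text input, so a missing field means
    // the POST was not built from the rendered form.
    reason = "honeypot-missing";
  } else if (trap.length > 1) {
    reason = "honeypot-repeated";
  } else if (trap[0] !== "") {
    reason = "honeypot-filled";
  }
  return { spam: reason !== null, reason, fields };
}

// Route the submission: clean ones go to the inbox, flagged ones are kept for
// review instead of being deleted, so a false positive can still be recovered.
function handleSubmission(rawBody, store) {
  const result = classifySubmission(rawBody);
  if (result.spam) {
    store.review.push(result);
    return "held-for-review";
  }
  store.inbox.push(result);
  return "accepted";
}

// Constructed sample request bodies.
const SAMPLE_HUMAN =
  "name=Ann+Lee&email=ann%40example.com&comment=Please+call+me&website_url=";
const SAMPLE_BOT_FILLED =
  "name=x&email=x%40example.net&comment=cheap+pills&website_url=http%3A%2F%2Fspam.example";
const SAMPLE_BOT_REPLAY = "name=x&email=x%40example.net&comment=hi";
```
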
Great study, chenry! I've never heard of invisible CAPTCHA before, but it looks like a wise alternative. I use my HTC phone to read some blogs, but many times my phone doesn't pick up the CAPTCHA picture. One lost comment for the post.
Which HTC phone? I have the G1 and yeah captcha's usually don't show up =/
reCAPTCHA works on my HTC TP with IE and Opera
I can recommend that everyone who uses captcha turn it off. Just make nice illustrations for footprints in comment fields which spammers are scraping every day... It will solve 2 problems at one time!)
Captchas are an interesting security device since they only are meant to stop one kind of threat . . . robots. So when I implement one it’s only because I have a robots problem, like when spammy links are showing up in a forum or headless votes are being submitted in an online poll.
So whether I use one isn’t based on a conversion rate but rather an annoyance rate or a risk to security. If having spammy users in your system is going to ruin the experience of others or expose their personal information then that would be a bigger concern for me.
The problem is when people use CAPTCHA to avoid their own mild annoyance. Then, you're effectively pawning your problem off on your customers and making your overall experience and service that much worse.
Valid point on the security side, though. Sometimes, CAPTCHA is a necessary evil for large, e-commerce sites or sign-up forms. Still, I see way too many sites using it on contact and lead-gen forms, and those people are losing leads.
I think something to look at as well is, what kind of CAPTCHA is being used.
Is it like the craigslist one where it says an actual word, is it random letters/numbers, or is it something basic like what is 5+6 =
For the most part, it was a word type CAPTCHA. I'm working on testing a few different CAPTCHAs now and will have the results soon.
great, let us know the results. this study is full of great insight, thanks for sharing this test.
The security vs usability balance is very important.
awesome awesome, I have a feeling that simple math ones may be show the results, good show sir, and please make a follow up post, really looking forward to hearing what you have to say.
I would be really interested in seeing the results of different Captcha's. It would seem like the numerical ones wouldn't affect conversions as much, unless you encounter someone who can't do math...
Ha, well I know a lot of people who go to grab a calculator when doing simple math.
Maybe I'm missing something but isn't this a case of fitting the data to match your expectations? Surely your graphs seem to suggest that you get MORE conversions when you have the captcha switched on?
With Captcha on the poster is receiving an extra 22 conversions, but that's out of an extra 101 visits. The two tests don't align in terms of sample size - with Captcha on we have 4.5% more visitors, which skews the data a bit.
But on pure percentages (of different sample sizes...) 'Captcha off' does indeed generate about a 95% conversion rate, and 'captcha on' about 92% in these examples, so I can see where the claim that the Captcha hurts conversions is coming from.
I personally prefer the honeypot technique, and any other 'hidden' method of evaluating visitors. There's really very little point in having your user jump through any hoops they don't actually need to. I'm sure 'one-click ordering' won't have done Amazon's conversions any harm.
Good info, but one problem.
Your graphs are horrifically misleading. In the text you explain it correctly, but the two graphs you show are completely off scalewise (misleading the reader greatly, because graphics are much easier digested than a huge paragraph with numbers in).
I too am curious what kind of CAPTCHA you tried. I saw one a site did recently that simply asked "Is fire hot or cold?"
We're also fighting against a SPAM problem right now, so if CAPTCHAs aren't working, I wonder what other solution people would propose.
Good stuff. I've encouraged many clients not to use CAPTCHA, especially on contact forms, but it's nice to see some data. Too many people want to put the job of fighting spam on their customers, and saving a bit of time and frustration at the risk of losing business is a lousy trade-off.
The truth is that there are also plenty of ways to fight spam behind the scenes, without using CAPTCHA. Some of them are a bit harder to implement, but it's worth the trouble.
I would personally use a server-side comment verification method, like Akismet (which is the default for Wordpress). It has, in the last half year, caught 37,000+ spam comments vs. 424 legitimate comments on my personal blog. On top of that, 0(zero) missed spam comments and 0(zero) false positives.
Why bother the user? It's easy to implement: there's a well documented API and there are libraries for just about any programming language (php, c#, java).
The problem with Akismet is it is showing conflicts with the latest version of WordPress. (but then nearly everything is lately)
I suggest you search for the WP-Ban Plugin. Akismet will have fewer stops as a result because most of the spam comes from certain IPs, and although you enter the banned IPs by hand, it saves tons of trouble afterward.
With Akismet I had over 100 spams show up in 3 days. I had to moderate them. But of those spams, there were maybe 3 IPs sending them. I banned them and boom...no more spam to moderate (well...once per month maybe a new spammer IP shows up, but it's only one message and I ban the IP right away)
THANK YOU!
CAPTCHA is a plague on the internet.
I have 20/20 vision and I still have trouble making out some of the blurry indistinct characters that most of these CAPTCHA tests employ. Also there is the frustration of working out whether the character is a "1" or an "i" or a lowercase "L". Also "0" or "o".
Most of the time there is no audio help for these things. Or even if there is it is EVEN MORE cryptic!
I've been using HoneyPot technique for years and it has worked great so far.
Other techniques like asking to input the result of a simple math equation or a simple test like "What color is grass" are the next best thing.
If you think CAPTCHAs are causing your conversions to drop, make sure your telephone number is close by, so the prospect can call you, if need be...
Right now you're giving the conversion rates of people who tried to submit the form.
It would be nice to see the bouncerates of the form with & without Captcha. A lot of impulsive visitors are not motivated enough to start filling in a form that takes more time (Captchas require focus & time).
The lower you valued/promoted the advantage they get after filling in the form, the more people will bounce when they see the Captcha.
Awesome post! Honeypot works. I use it.
Here's another technique I use that works a treat!
Create a hidden field on your form, call it whatever you want, and put anything you want in it. I use this:
<input type="hidden" name="pancake" value="tasty!">
Then, instead of making your form submit button an actual submit button, make it just a regular button, and add this to it:
onclick="document.form1.pancake.value='yummy!'; document.form1.submit()"
Now, I know that this means that only people with Javascript can submit your form, but the beauty is that 99% of spambots will not execute javascript, so, the benefit offsets the 1% of real people out there that can't use my form.
Now, on your form handler page, test the value of $pancake. Is it yummy!? If so, then you're dealing with a real person. Is it tasty!? If so, then it is probably a spambot and you can ignore the form submission. See!? Spambots think pancakes are tasty! Stupid spambots.
Mmmm, pancakes. Gotta go.
I have one request for sites such as this one and anyone else planning on using this method of JS: please don't do it. Anyone who takes the time will easily crack this. I assume you would use a static number/code. That is trivial to spoof by looking with something such as the Tamper Data extension for FF at the headers. If people are specifically targeting your site, it won't work. Also, come on. Are you really going to block access to a minority? Seriously, why not restrict your site to IE only, like some gift card sites i could name?
Since this would deter *only* bots submitting forms on generic websites, not targeting you specifically, it would be much better from a usability point of view to leave JS out of it. One method I have seen which I personally like is just a simple 'answer this question' type of thing. It doesn't have to change. It would also be at *least* as effective as the method you put forth, without knowingly excluding people who, for personal reasons, choose not to enable Javascript. I personally do it for a myriad number of reasons: annoyance that half the JS from advertising companies (quite literally), malicious browser attacks, nearly 100% javascript/activex etc, and other reasons having to do with several sites I frequent. Rules 1&2 state I cannot say where.
Please, take the high road and maintain usability for everyone.
-s0c
I have used this javascript method successfully on a few sites, so I wanted to share it, but I agree that s0c makes a good point. I also really like the simple question solution.
Answer this addition question: 2+3=?
What is this a picture of? (small <img> of a house):
Etc...
It's a simple and clever solution that will stop most spam, and that will still be useable by people who have javascript turned off.
you can't have something flat in your html code you need dynamically generating javascript that reads the dom so that you know js is being parsed and the dom is present. just by doing this you slow them down because even if they do start parsing javascript and checking dom elements to spam you their speed is greatly slowed by having to run all that code to get the spam request through. we are constantly talking about the low hanging fruit spammers won't take the time to beat your code you just don't matter that much (unless you have some super awesome service but they would be breaking your captcha if it wasn't your js so why try)
and the math question was an easy one to break i did this
i started with (((((??? - 1) - 7) - 8) * 8) - 4) = -76
used a loop to put in every char between 0-9
i know because of the way it's written this will always be 1 number
so evaluating the code i generated
if ((((((0 - 1) - 7) - 8) * 8) - 4) = -76) then line = 0
if ((((((1 - 1) - 7) - 8) * 8) - 4) = -76) then line = 1
if ((((((2 - 1) - 7) - 8) * 8) - 4) = -76) then line = 2
if ((((((3 - 1) - 7) - 8) * 8) - 4) = -76) then line = 3
if ((((((4 - 1) - 7) - 8) * 8) - 4) = -76) then line = 4
if ((((((5 - 1) - 7) - 8) * 8) - 4) = -76) then line = 5
if ((((((6 - 1) - 7) - 8) * 8) - 4) = -76) then line = 6
if ((((((7 - 1) - 7) - 8) * 8) - 4) = -76) then line = 7
if ((((((8 - 1) - 7) - 8) * 8) - 4) = -76) then line = 8
if ((((((9 - 1) - 7) - 8) * 8) - 4) = -76) then line = 9
returns me a variable line that holds the solved number because only the expression that is true will return my number
never try to send a human to do a computer's job you just won't win
I wonder if the type of form has any impact on the number of failed conversions. Meaning if you have a general info form and are just asking for name, number, etc. are they more likely to fail, as opposed to if they have a detailed request for quote form? I would think that if they had a detailed RFQ, the number of conversions would likely remain the same and the fails might even decrease as it's information the visitor really wants to have submitted.
I give up on CAPTCHA's regularly when I'm submitting to directories - some of them are just impossible (possibly intentionally?). And I kind of like to think of myself as at least reasonably net-savvy.
I deliberately omitted using one on the contact form of my current ecommerce project because I don't want people to be put off in any way. We don't get all that much SPAM through it at all.
Thanks for the honeypot tip - I'm giving it a go.
I agree with you that some sites seem not to want your business when the captchas look intentionally unreadable. I have gotten to the point where I will put in anything hoping the next combination will be easier to read. What has happened to user friendliness?
I'm another one that believes there needs to be a balance between security and usability.
Camille B.
My websites: www.americanpcshop.com www.adelineorganics.com www.acrosstheuniersemp3.com My Blogs: www.threedognightblogspot.blogspot.com www.eatingnaturesway.blogspot.com www.pctalkblog.blogspot.com
I'm sorry but your study has key faults. Time of existence of those web sites you used in your study for one.
Here's why: Older sites would have more spammer traffic than newer web sites. So this really isn't a fair study. How do we know that the majority of failures was not on the older sites that spammers have already located?
Because all of the sites in your study were not in existence the same amount of time, it's really not a fair test.
Another point is this: Type of web sites should also be considered, along with which plugins are used if they are blogging sites. For example, a WordPress website has plugins that make promoting it easier, like SEO settings. And one type of web site might be targeted more than other types.
For example, how do we know some of the websites that had high failures were not blogs promoting Microsoft products or news (as we all know, hackers and spammers target Microsoft more than any other topic)?
And finally: Traffic. A website that gets one hit per day is certainly going to have fewer failures than a web site that gets 2,000 hits per day.
Really Finally: There is one final point that should be considered. The type of Captcha used. There are several different types. Some, frankly, make it very hard to read the image. Others make it very simple. People filling out the forms using the simple ones would have almost no failures unless they were spam.
The only way for a study like this to be accurate is to consider those points above. I give you credit for trying though.
Edit: I personally do not use it, but I design sites that do. I use WordPress, which has a nice IP Banning plugin myself. I get maybe one spam per month as a result, and I put the ip in my ban list and never hear from them again.
I am curious about the display of this data here. While I agree with the overall points being made and it does need more research simply based on how much the "type" of CAPTCHA can influence the results. More important to me is the scale at which these graphs are displayed.
Why was the scale changed from the CAPTCHA off results to the CAPTCHA on results? Are you suggesting that in the first, second, and third month there were a different number of submissions? Or was it because it wasn't really an A/B test, it was done on 50% of the sites one way and 50% of the sites another.. thus numbers would be inconclusive due to the audience and nature of each site. I assume it was a true A/B test on all 50 sites so the variant here is puzzling me.
Also, why does the scale change from 100 submission increments in one graph to 20 submission increments in another. I assume this is related to the graphing program you are using. Ideally the scales should remain identical for proper comparison. In fact, it would be better to show the bars in each graph in a single unified graph, side by side, month against month, this way the data is more clear.
Overall it would be more of an apples to apples comparison if the data was presented in the same light for each part of the test.
Suggest readers and the author of the post Google "Edward Tufte" and "Deceptive Graphs"
Great post! I love this outside of the box thinking. I HATE captcha images, but even worse, I hate the spam and email hijacking that comes if you don't use them. Most of the newer ones are way too hard to read anyway. You know if you need a refresh button on your captcha it's too complex for the average human. Good show!
Great post and completely agree!
Personally, I have always found CAPTCHAs irritating and though I rarely give up on them they are a nuisance. Also, in building sites with CAPTCHA I have noted that conversions tend to decrease more than expected, so I think you're right - some people are put off by this.
I have used the Honeypot method before as well and it works much better.
Some of our clients were getting pounded with 100 to 1000 per day of form submissions with spam link requests. Fun.
One of the solutions we found for smaller sites was simply to run the data submitted through an array in a PHP file. If the data triggers any values in the array check such as:
<a href, [URL, <javascript
...and basically any other code for submitting links.
If the array is triggered the user goes to a different confirmation telling them the form failed and to contact by phone (and politely telling them why). Been using this trick on smaller web sites for several years now with good results. Best thing is you can update the array to just add on new checks.
Yes, it's not perfect. Yes, it can be fooled with some hacking. Yes, we can still get spam of normal variety. However, it stopped automatic link submission bots dead in their tracks and that was most of the spam. Plus, there is no CAPTCHA on the page, which is great from a design / usability standpoint.
I liked the article a lot, plus the comments. Need to try out the CSS "Honey" test with our development team as it sounds cool.
"A failed conversion was recorded when a user/bot entered an incorrect CAPTCHA or never correctly entered the correct CAPTCHA after multiple tries."
I'm trying to understand the distinction between the two. What's the difference between entering an incorrect captcha and never entering a correct captcha?
What I'm quite surprised at, is that no-one seems to be presenting more automated forms of captcha, for example, to determine if a message is being actually typed rather than automatically posted.
For example, a human user will have varying times between keystrokes, whereas a machine will tend to input the entire message at once.
Just one of my thoughts....
www.webtropy.com
Didn't realise it had a specific name, but I use the honeypot technique, and just call the hidden field url.
If it is filled in, I discard the email, seems to get rid of most spam
We also have a spam problem with some of our forms. We had discussed the CAPTCHA and ultimately decided upon a solution that did involve the CAPTCHA, but only after the fact when we felt the form was spam. In our case, we tested the form upon submission, and only if it failed to pass one of the following rules did it then bring up a CAPTCHA page before final submission.
1) The same data in multiple required fields
2) A website link in the comments field
3) A website link ending in .ru, .cn or .in in the URL field
4) A phone number that does not contain at least 7 numbers
5) An IP address instead of a URL in the URL field
6) An IP address that is located outside the US and Canada (if you service the entire globe, this wouldn't be good. We also were already using geolocation on other parts of the site so we had the database available to make this test, it would be a harder test to add.)
I then log EVERY form entry that gets caught this way, whether they submit it or not and review the log weekly to make sure we are not catching too many valid users. To date, the only ones we've caught with a false reading are those that had an IP outside the US, perhaps they had staff in India getting information for them or something, and in those cases, it wasn't bad to at least have them verify themselves with a CAPTCHA. I think I'll add the honeypot option and have one more test that they have to pass.
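The six-rule screen from the comment above, sketched as an added example that is not the commenter's code. The form field names, the sample submissions and the countryOf() geolocation lookup are assumptions; the link markers reuse the "<a href" and "[URL" patterns from the earlier comment about a PHP array check.

```javascript
// Added example; field names, sample data and countryOf() are assumptions.
const REQUIRED_FIELDS = ["name", "email", "phone", "comment"];
const FLAGGED_TLDS = [".ru", ".cn", ".in"];
const HOME_COUNTRIES = ["US", "CA"];
const LINK_PATTERN = /https?:\/\/|www\.|<a\s+href|\[url/i;

// Extract the host from a URL field that may or may not include a scheme.
function hostOf(value) {
  const text = String(value || "").trim();
  if (text === "") return null;
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "http://" + text;
    return new URL(withScheme).hostname.toLowerCase();
  } catch (err) {
    return null; // not parseable as a URL
  }
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// Return the numbers of the rules (1-6, as listed in the comment) that fired.
function triggeredRules(form, clientIp, countryOf) {
  const rules = [];

  // 1) The same data in multiple required fields.
  const seen = new Set();
  let duplicate = false;
  for (const name of REQUIRED_FIELDS) {
    const value = String(form[name] || "").trim().toLowerCase();
    if (value === "") continue;
    if (seen.has(value)) duplicate = true;
    seen.add(value);
  }
  if (duplicate) rules.push(1);

  // 2) A website link in the comments field.
  if (LINK_PATTERN.test(form.comment || "")) rules.push(2);

  // 3) A URL-field host ending in .ru, .cn or .in.
  const host = hostOf(form.url);
  if (host && FLAGGED_TLDS.some((tld) => host.endsWith(tld))) rules.push(3);

  // 4) A phone number with fewer than 7 digits.
  if (String(form.phone || "").replace(/\D/g, "").length < 7) rules.push(4);

  // 5) An IP address instead of a host name in the URL field.
  if (host && isIpLiteral(host)) rules.push(5);

  // 6) A client IP located outside the US and Canada.
  if (!HOME_COUNTRIES.includes(countryOf(clientIp))) rules.push(6);

  return rules;
}

// Accept clean submissions; send the rest to a CAPTCHA page and log every
// caught entry so the weekly review can spot false positives.
function screenSubmission(form, clientIp, countryOf, log) {
  const rules = triggeredRules(form, clientIp, countryOf);
  if (rules.length === 0) return { action: "accept", rules };
  log.push({ clientIp, rules, form });
  return { action: "captcha", rules };
}

// Constructed samples; the IPs come from documentation address ranges.
const SAMPLE_CLEAN = { name: "Ann Lee", email: "ann@example.com",
  phone: "616-555-0142", comment: "Please send a quote for 500 cards.",
  url: "www.example.com" };
const SAMPLE_BOT = { name: "buy now", email: "buy now", phone: "12345",
  comment: "visit http://pills.example.ru today", url: "203.0.113.50" };
const SAMPLE_TLD = { name: "Li", email: "li@example.cn", phone: "5550142999",
  comment: "Need pricing", url: "shop.example.cn/path" };

// Stand-in for a real geolocation database lookup.
function sampleCountryOf(ip) {
  const table = { "198.51.100.7": "US", "203.0.113.50": "RU" };
  return table[ip] || "ZZ";
}
```
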
i think without using a strong captcha, either email inbox or database are going to be spammed...
If we implement this technique, bad-bots will change their algorithms of parsing/reading/and submitting form.
As a web application engineer I can not accept the method you are adopting
flagging a submitted post as a spam post is just a spam!!!
It is a concept fault ...at least for me
Great article! It quantifies something I have intuitively understood ever since CAPTCHA began becoming more and more prevalent on the Web. The difficulty in reading the text should be offset by the usefulness of their audio recitation feature, but apparently it doesn't make it easier.
Personally, I seriously dislike CAPTCHAS. There's nothing more annoying than having to enter in a bunch of hard-to-read letters correctly just to post on a blog, read a forum or register at a website. Anonymous surfing should be as painless as possible, so CAPTCHAS need to be replaced with something better in the near future.
Recently, I gave a little spiel about the problems associated with CAPTCHAs, assuming that the audio portion wouldn't help the conversion issue much. Guess what? I proved myself right today!
I had the misfortune of encountering a CAPTCHA within the last hour, and so I decided that I'd try the audio feature, just to test my theory that the audio might work better than trying to read the text. Umm... NO.
N-O. There's nothing even remotely intelligible in English in those CAPTCHA audio streams. Nothing. It seriously sounded like a drunken robot party (can robots even get drunk? hmm...)!
So that's a huge reason for the conversion rate drops using CAPTCHA. It's really no surprise to me, or to anyone who has encountered these strange constructs designed to prevent scripts and spam from crawling a website.
Interesting, haven't added Captcha to any client sites, so it's good to know this if I ever need to!
Thanks to the author for such a comprehensive analysis of the Captcha problem. Here in Keypic we have been asking ourselves the same question until we invented our own anti-spam technology that does not request using Captchas anymore. For those interested we're happy to provide you with our free of charge protection, both from Spam and from Captchas. Visit www.keypic.com to learn more and check how it works. Users are finally free from passing any tests. Welcome to the new No-Spam- No-Captcha World.
Timely post. I was just discussing with Search Engine Land why they needed to kill their comments CAPTCHA. In this case the conversion is getting users to comment and interact with blog posts, and CAPTCHAs are a huge conversion barrier. Your post includes great, relevant stats supporting #killcaptchas. Thanks, Casey!
I would be really interested in seeing the results of different Captcha's. It would seem like the numerical ones wouldn't affect conversions as much, unless you encounter someone who can't do math!
Great post. I no longer feel alone in the world. I had the same issues implementing CAPTCHA on several client websites, it came down to ensure you receive 100% of your actual leads or risk losing a lead that could be worth big bucks.
The clients have unhappy use a non-CAPTCHA form and deal with the spam but your data now gives me some ammunition the next time this topic comes--which is at least once a year.
Spam is too much of a prevalent thing now-a-days for CAPTCHA not to be used on most websites, you can try and prevent it in your .htaccess file but that doesn't work as well as plain old CAPTCHA. It's a great study that you've done, and it must've taken some doing.
interesting study. would help to know what captcha you used. hard to believe that the failed rate was so substantial with a standard captcha field.... some are very difficult, but most (like facebook's and the recaptcha ones) are pretty simple and easy to solve....
I have to say, that's a pretty spurious conclusion you've drawn there.
You've concluded that the failed attempts result in a user leaving the site, rather than trying the CAPTCHA again.
Your research amounts to the precautionary principle, but you've tried to justify it with some data; I applaud the sentiment, but your study isn't detailed enough to draw any useful conclusions. All you've demonstrated is that CAPTCHAs sometimes lead to failed submissions and a reduction in SPAM.
Both conclusions are obvious; without CAPTCHA, there's no such thing as a 'failure to submit due to incorrect CAPTCHA' and CAPTCHAs are designed to reduce spam.
What would be interesting is a study (with some rigour) that measures how many people *give up* attempts to submit a form that has a CAPTCHA. My guess is that the answer is 'very few'
I would just like to add to your comment, while it is very insightful I have personally given up on a CAPTCHA because I couldn't get the damn thing to work. The issue with testing *give up* attempts is that is very subjective to the type of website for example I work with a very popular plastic card manufacturing company it receives 100-150 request for quotes per day, the form is simple to fill out and does not use CAPTCHA. This same website with our "b-test" form only received 15 requests per day due to its length and complexity. Users want something in my opinion that is simple when requesting a quote because they are going to fill out a form on several websites thus anything that is daunting or problematic such as a CAPTCHA could quickly lose leads.
Thus for let's say an industrial manufacturing that obtains 10 leads a month but 50 spam requests I am guessing the CAPTCHA could work fine as the type of consumer is very different.
Here is a very interesting study on CAPTCHA by Stanford researchers: https://theory.stanford.edu/~jcm/papers/captcha-study-oakland10.pdf. It showed that CAPTCHAs displaying warped and distorted text took, on average, 10 seconds for users to complete and that some took nearly 15 seconds. Furthermore, the people who were solving the CAPTCHA could only agree on what it said 70% of the time, meaning that up to 30% of the CAPTCHAs could be failed/incorrectly answered by people. The study also showed that people failed 200,000 CAPTCHAs delivered on eBay during a one week period. The audio CAPTCHAs were even worse… taking up to 30 seconds for people to complete and even then they only had 30% accuracy. The users that were attempting the audio CAPTCHAs for the study simply gave up approximately 50% of the time! Research by Akamai shows that online shoppers will wait no longer than 2 – 3 seconds for a web page to load before abandoning the site completely (https://www.akamai.com/html/about/press/releases/2009/press_091409.html) and that if they have a negative or frustrating experience on the site, they are unlikely to return. Now, I’m just speculating, but I believe that if online shoppers abandon after waiting just 2 – 3 seconds for a web page to load, they’re also likely to be irritated and abandon if they have to spend 10 – 30 seconds being forced to solve a CAPTCHA that feels like a bad eye exam. In my own personal experience, I find the CAPTCHA used by Google to be extremely difficult and I have given up on opening a new gmail account because I became so angry with the impossible CAPTCHA (I tried both the text and the audio versions). On a separate note, I’d be curious to see if picture-based CAPTCHAs like this one test any easier on consumers or if they have less of a negative impact on conversions: https://demo.confidenttechnologies.com/captcha/
thank you for your post - I personally hate some captcha images - i have 20/20 vision but some of them are just stupidly ridiculous!! aargh so frustrating - i can imagine them getting the smackdown from Jakob Nielsen.
you're right tho - it's just hoisting your problem on to the user - better to not have it at all or handle it behind the scenes. i almost find email spam filters a little similar, it's almost harder work to review my spam folder to check for legitimate email when it would be easier to just delete the spam as it comes through my inbox.
it's the way though - the spammers and criminals out there are actually winning cause they give us so much grief due to the security methods we wrestle with ... either way they get us!
Wouldn't the “Honeypot” CAPTCHA technique be showing different content to both search engine and humans alike ?
Possible implication on cloaking content ?
I came up with a different technique that you might find interesting, involving a delay timer meaning the user doesn't have to enter anything, of course it doesn't prevent specific targeting where a bot actually loads the page and submits it (rather than through the command line) - but I've found that to be fairly rare. Here's the link to my solution:
https://thinkrefresh.com/posts/15-a-simple-spam-solution
I have had the same problem with one of my clients. Sales went down to a drastic level for 3 days of Captcha ON. Captcha might work as a great Chinese wall to SPAM, but it also brings a barrier to users. I would rather have some spam instead of losing sales. People just hate to play a lot with words that dissolve in shape and size with captcha. We need to come up with an easy possible solution. The honeypot trick is amazing.
The honeypot technique sounds very interesting. Wouldn't it be a bad factor for SEO, as you will be hiding your content?
I agree that CAPTCHA forms can have an effect on conversion rates, but for some sites that are bombarded with spam it might be worthwhile.
If you are only getting a few spam comments a month, it might not be worth messing with your conversions. I agree that the honeypot is one of the best solutions to stop automated spam; there is also Kitten capture.
The benefit of the "honeypot" method is that it is not visible to human visitors and does not require any more effort for them to submit a form such as reading words or doing some basic sums.
Please try our solution to CAPTCHAS. It's called https://NoMoreCaptchas.com and it is completely passive.
Hi
this may be off topic, had a question for sites having age gates.
How do search engines crawl such sites, since there is an age gate to go through?
Also from an SEO point, are such sites non-SEO friendly?
thanks
Viv
This is the same problem as the reg wall.
I feel like sites are trying more to have publicly accessible versions of pages, like how LinkedIn and Facebook have public profiles. But in reality, website owners put in barriers like registration forms and age verification partially to keep robots from indexing their content and using their system. (Because no one is going to add Googlebot as their friend.)
Edit: I suck at spelling . . . let me fix that for you.
That was a really useful post! Thank you.
The result would have been even better if you had some data about the failed conversions. I mean like saving the submissions in a database with a timestamp and sending them out after a timeout.
For a captcha alternative I can say I have the following setup at one of my customers:
- a honeypot field called url (the form does not really need a URL, but spammers love it) which is hidden by CSS
- a type="hidden" field which is empty and filled with a certain value via JavaScript
That combination performs pretty well!
In your attempt to prevent spam while making it easy for all humans, you exclude a group that according to the W3C composes ~ 5% of everyone online. https://www.w3schools.com/browsers/browsers_stats.asp
Actually the rule is:
- "not css" xor "not js" will get flagged
- "not css" and "not js" will be deleted
I'm sorry then for misinterpreting your plan. I wholeheartedly support that.
In practice, how much of the spam gets prevented? I would think that this would be a trivial roadblock, since anyone who spent a few minutes looking at how it was set up could spoof the CSS/JS forms.
interesting facts..
CAPTCHA is very annoying when using the letters "O", "D" or "0", with "I" and "1", and with "B" and "8". Spammers now seem to be taking the time to enter the right info into CAPTCHA when they register and spam the crap out of websites, so it really only affects lazy spammers.
The longer you have no captcha the more spam you have. It increases over time. I had to put it on my sites. No choice. I was getting overwhelmed.
I definitely prefer some of the newer, easier-to-do captchas like "what's 2+3" or the ones that are like word games. Much better than the hard-to-read ones that make my head hurt.
CAPTCHAs are tough to interpret. This is a technically good aspect; however, the murky text and asking the visitors to understand and type in the same text may damage your conversion rate drastically. It's a fact that every now and then people get a CAPTCHA wrong while working with websites daily.
A user who is trying to purchase, or fill a form, or simply comment, is bound to get frustrated if you put this technological barrier between the user and the goal. Is it only because you don't want to sort through some items of spam? How selfish!!
Great article.
I don't use the blank field trick. But, I have developed a few tricks to limit the amount of SPAM.
First, the form->action is completely bogus. I don't have an input->submit - instead I use a button and jQuery to grab the click event. After the javascript does the initial input filtering, the form info is sent to the server using an XMLHttpRequest.
Nothing too complicated and it can probably be cracked - but it works for me.
really nice job!
I like this one, because it's PHP only:
form.php - input value="<?=$_SERVER['REQUEST_TIME']; ?>"
send.php - mark as spam if input value is not in range of $_SERVER['REQUEST_TIME']-10 to -3600
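The server side of the two setups described in the comments above (a CSS-hidden `url` honeypot plus a JavaScript-filled hidden field with the "xor is flagged, and is deleted" rule, and the 10 to 3600 second form-age window), as an added example that is not any commenter's code. It is written in Python rather than PHP and goes beyond the comments by signing the timestamp with an HMAC so a client cannot simply submit a plausible time; the field names `stamp` and `js_check`, the token `js-ok` and the secret are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, kept server-side
JS_TOKEN = "js-ok"                # assumption: value the page's script writes into js_check
MIN_AGE, MAX_AGE = 10, 3600       # seconds; the window from the timestamp comment


def issue_stamp(now=None):
    """Value for the hidden 'stamp' field when the form is rendered: '<unix time>.<hmac>'."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def stamp_age(stamp, now=None):
    """Seconds since the form was rendered, or None if the stamp is missing or forged."""
    ts, _, mac = (stamp or "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a valid MAC implies ts is one we issued.
    if not ts or not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return int(time.time() if now is None else now) - int(ts)


def classify(form, now=None):
    """Return 'accept', 'flag' or 'delete' for one submission (dict of field -> str)."""
    age = stamp_age(form.get("stamp"), now)
    bad_time = age is None or not (MIN_AGE <= age <= MAX_AGE)
    failed_css = bool(form.get("url", "").strip())  # honeypot hidden by CSS was filled in
    failed_js = form.get("js_check") != JS_TOKEN     # the page's script never ran
    if failed_css and failed_js:
        return "delete"                              # "not css" and "not js"
    if failed_css or failed_js or bad_time:
        return "flag"                                # exactly one signal, or bad form age
    return "accept"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed render time
    stamp = issue_stamp(t0)
    samples = {  # constructed submissions
        "human, 45 s": ({"stamp": stamp, "url": "", "js_check": JS_TOKEN}, t0 + 45),
        "no JS, 45 s": ({"stamp": stamp, "url": ""}, t0 + 45),
        "bot, 1 s": ({"stamp": stamp, "url": "http://x.example"}, t0 + 1),
    }
    for name, (form, now) in samples.items():
        print(f"{name:12} -> {classify(form, now)}")
```

Flagged submissions are the ones to hold for review rather than discard, since a visitor with JavaScript or CSS disabled fails exactly one of the two field checks.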
Great Post!
I'm also curious about the type of captcha you used on the sites within the study. I've seen personally spambots being able to read 99% of Google captcha, therefore my theory is: if I can have access to such tools, then any semi-serious spammer can.
I like the solution with simple question about the image or fire (hot/cold), but would that be enough if my site is particularly targeted?
If your site is particularly targeted, then the simple questions won't work. It's relatively easy to write a bot that can fill in these.
I like the new Captcha experiments that Google is doing now.
They're experimenting with YouTube videos + writing fitting tags for the video.
more information in this Google paper:
This right here is a great study you performed, chenry. I'd much rather sort through some SPAM, which doesn't appear to be too overwhelming, than lose a bunch of business. Thanks for sharing your results with us.
Interesting. I never really put too much thought into the effect that captchas had on conversions. Looks like some food for thought. I agree with Scales on the graphs though. At first glance I was a little confused with the data. Anyway, thanks for the post and it has some valuable material.
This is great data. I've always hated those CAPTCHA forms. That is quite an ambitious study you did. Thanks for sharing that.
I guess the thing is, if somebody REALLY wants to complete the form, then they will do what it takes to complete the CAPTCHA data even if that means taking two or three tries to get the words right (happens to me 50% of the time I try to fill out a CAPTCHA form field). That might mean that those who finish submitting the form with CAPTCHA might be higher quality conversions than those who don't???
Great post. I also ran some tests with captcha a couple of years ago. Captcha definitely reduced the number of leads. The problem was to get management to agree that we remove it.
Check out the new antispam plugin for wordpress https://antispambee.com - of course without captcha.
At postjobfree.com we don't use CAPTCHA at all. There are many other ways to prevent spam:
- Blocking IP addresses and IP ranges.
- Counting spam-rating based on spam keywords in user input.
- Use "Report Spam" feedback from users.
- Different honeypots (JavaScript test, time test).
It's not a good idea to make your users suffer from CAPTCHA. Besides, spam can be caused not only by users, but by humans too. And CAPTCHA doesn't stop human spammers at all.
I don't necessarily believe these were "lost" conversions. It was probably spam. I can't understand how CAPTCHA turns people off. Type in the letters and continue. If anything, I would rather have a form that uses this technique, that way I know they aren't a spam-related site and are taking steps to eliminate spam.
Interesting study, I just think there are many other factors to consider before saying that the CAPTCHA was the single, solitary reason for lost conversions.
While this is just one set of data, I've seen and heard many reports of CAPTCHA turning off people in usability testing. It's easy to forget that most of us are tech-savvy, but the average consumer doesn't even know what a CAPTCHA is, and the newer, hardcore CAPTCHA are getting more and more difficult, especially for the elderly or people who may have even slight vision impairment.
"I can't understand how CAPTCHA turns people off."
That very much depends on your audience of course.
A blog aimed at web-savvy users is fine, but if your target audience is 60+ then it might not be... When thinking usability, always keep your audience in mind.
"Type in the letters and continue."
As mentioned in other replies, that does very much depend on the captcha technology used. I consider myself web savvy but still had to 'abandon' forms simply because I could NOT replicate the displayed digits or letters. I am sure lots of people here would have experienced that...
Sadly, due to the inordinate amounts of time I spend in front of a monitor, my eyes get really sore and if a tricky captcha on a form comes along I'm screwed. I might give it a couple of goes but I've better things to do with my time and eyesight.
Sadly, I'm only half the age of a 60-year old!
As a developer who has worked on writing captcha breakers, I tend to frown on them, as it is often easy to break a captcha if you really want to, so this only stops most spammers looking for easy places to spam. What I would suggest is use a combination of javascript and checking for DOM elements to prove the user is truly accessing the page from a browser. That way you're not slowing up your users with a time-wasting captcha but you are still stopping the 90% of spammers by making it a little harder to spam by checking javascript is being rendered and certain DOM elements exist.
If anyone would like any help or ideas on how to implement a system like this, please feel free to send me a message.
Try to crack reCAPTCHA. It's been attempted. It hasn't succeeded. Also, why would it be so hard to spoof the JS communications to the server?
Prove that you can't spoof the JS responses -PM me
First, about reCAPTCHA: I promise that it has been cracked, not with 100% efficiency but to a point to where you are getting at least 50%, and that's as good as cracked in the captcha breaking world; even 30% is good with 10000 requests. Captchas aren't these magic things that stop spammers. I choose to break them to show their weakness (and learn how to build better ones), and there are many issues with reCAPTCHA, and the first is you don't even have to process the second word, entering the first is enough, and they don't switch the order of what is the real captcha and the "extra" word is. Segmentation is the hardest part of breaking a captcha. Once you have the letters segmented you can get 98% recognition on any single char. All I'm saying is, if someone is going to spam you they will, and some clever javascript will give you the same results without taking time from your users.
No offense, but aren't you basically confessing to being one of the spammers yourself?
"I choose to break them to show their weakness" Please. I'm a developer myself... never once have I had the need to "break" CAPTCHA. The only reason to do so would either be that you wish to cause malice... unless you actually develop CAPTCHA yourself and are eliminating weaknesses, which by your words it's safe to assume you are not.
IP Banning is the best method of spam prevention in my opinion. There are certain Internet Access companies that randomize your IP each time you log on, but they deal within a range of IPs which are also bannable...and randomized IPs are mostly old Dial-up access providers, which are fading away.