A rough primer on improving the user experience by designing smarter forms without CAPTCHAs.

In this section, we learn a bit about the logistics of spam as an industry. Next, we’ll use this information to explore ways to protect your forms without the use of CAPTCHAs.

A little background…

CAPTCHAs are those stupid puzzles that we all love to hate. They’re all over the internet and are used prevent robots from wreaking havoc on automated services. More to the point, they’re ugly, irritating to use, and are almost entirely unnecessary. But alas, they’re still around, and every time I see one, I die a little on the inside.

I’ve been designing web applications for years, and I’ve never used a CAPTCHA on any of my forms. It’s not that robots don’t try to use my forms. It’s just that they can’t…or won’t. Either way, they’re not bothering me or any of my projects. Unfortunately, before I can really dive into my technique to handle spambots, I need to cover some basics about the spamming industry, how it works, how it’s funded, and why forms are targeted. That’s what this article is going to cover. If you’re not interested, feel free to skip ahead to the fun stuff.

What’s the spam industry?

It’s interesting to think of spam as an industry. For most people, it’s just a menace; to IT folks, it’s a DoS attack on the mail servers; to the FCC, it’s criminal activity. But, to the people who operate the spam networks, it’s a living. It’s a day job—just something that pays the bills.

Why are they doing this? Shouldn’t they go outside and make a friend?

Well, yes. They should. Everyone needs friends. But like I said, spammers get paid. They’re not making bank or anything, but they’re getting paid enough for it to be worth it. Every day, over 97 billion spam messages are distributed to all the lovely folks like you and me. As you might suspect, when you’re canvassing a group of that size, there are going to be a few suckers. I know. I know. It’s hard to believe. Who would want to buy V!agra from a stranger on the internet? I don’t know. But someone, somewhere is doing it. Again and again, people get suckered into scams. And for the spammers, this is pay day.

Granted, it’s highly inefficient. The conversion rates on this kind of marketing are pretty miserable: something in the range of 0.0000006%. It’s not a marketing tactic I’d recommend, but hey—to each his own. The key here is for spammers to run a massively cost-effective and efficient network. They have to keep their costs down just low enough for the suckers to pay for the operation—anything left over is profit.

I want to be a spammer. What can I do to maximize my efficiency and improve my profit margins?

That’s a great question. Running a spambot isn’t hard, but the biggest hassle is keeping your costs down. If you’re going to be a successful spammer (think Fortune 100), you’re going to need to “borrow” some server resources from other people. The less they know about it, the better. Ideally, you just run a little command center and it sends out instructions to all the servers you hijacked before you left the office yesterday. Sure, you have to cover the costs of the command center, but all the other servers are basically free. Sure, it’s technically stealing/hacking/pwnership, but let’s not get caught up in the details. The important thing is that by using someone else’s tech, you just increased your spamming ability and cut your costs! Woo!

How does that strategy relate to form bots?

Something like 95% (probably) of forms on the internet are used to grant a user access to a server’s resources. Whether it’s creating a new account for a service, leaving a comment on a blog post, sending an email, or any other number of other things, almost all forms lead to free resources for a spammer. If you’re a spammer, the two best options are contact forms, and comment forms for blogs. Nicely enough, we have a pretty good idea what the expected fields will be called, and can just jump from form to form on the internet injecting whatever data we want into these forms, and usually the spam will find its way to someone’s inbox or website. It’s much more efficient that sending out emails from our own machines. Cheaper by far.