The Internet can be a wonderful place, housing over a billion websites and growing. However, just like any good thing, there will always be someone who comes along and ruins it for everyone.

In this instance, I’m talking about web forms, or contact forms as they are sometimes called. You know the forms you see on a website where you can fill in your name and contact details and send a message to the website owner. Sometimes they are used to generate quotes for services or make bookings. Yes, those web forms.

If you own a website with one of these forms on it, you’ll likely have come across it being targeted by spammers who try to offer you advertising, SEO, Bitcoin or a number of other pieces of junk. Usually these messages will be formatted poorly, contain a number of grammar or spelling mistakes, or be in a different language altogether. Sometimes these messages can be a lot more sinister, trying to scam you out of money or gain access to your website by pretending to be your bank or website service provider.

Having worked on a number of websites with contact forms on them, I have experienced receiving all sorts of crap through them and have been monitoring the situation for a few months. The junk is usually sent by a bot, which is just a computer system designed to scan the Internet for web forms and fill them in automatically without any human interaction.

Attempt 1 – Unsuccessful

This is where Google reCAPTCHA comes in. Google reCAPTCHA aims to block these bots from submitting web forms by placing a “challenge” box at the bottom of the form, where you either tick a box or select a number of images that match what the “challenge” is asking for.

I implemented reCAPTCHA and let it run for a while and at first, everything was good and it was successfully blocking a number of the bots. However, over time the spam started slipping through the net and was somehow getting through the “challenge”.

I suspect that this could be due to advances in technology the spammers are using and/or the newest tactic they are using, where they employ humans on the cheap to fill in these forms and solve the “challenges” which are designed not to block humans.

Google reCAPTCHA has a newer version, v3, but this version is a little more complicated to set up and places a visual graphic on every page of the site (similar to this blog), which I didn’t want to do, to avoid cluttering up the websites.

Attempt 2 – Successful

After doing a bit of research into a number of solutions as an alternative to using Google reCAPTCHA v3, I found one that seems to have worked in my case and that I am happy with.

This solution is not new, nor is it too complex to implement. It works by generating two numbers between 1 and 5, calculating their sum and submitting the correct answer as a hidden field in the form to the form processing script. The user is asked to enter what they think is the correct answer, which is also sent to the form processing script. The script then just does a simple comparison between the user’s answer and the correct answer and refuses to process the form any further if the answer is incorrect.

A simple, yet effective solution, which can also be customised to your liking, e.g. multiplication instead of addition and a larger range of numbers if you want to make the “challenge” more difficult. Also, you don’t have to rely on any third party as you do with the reCAPTCHA solution, since the number generation takes place on the frontend using JavaScript and you are likely hosting the form processing script on your own server too.

Can it be defeated, you ask? Yes, of course it can. The correct answer is only generated in the frontend and submitted as a form field, so you could easily build a bot to harvest that field. However, the spammers have not thought of or tried this yet, so we shall see.

Since implementing this solution, I haven’t had any spam come through and all web form submissions have been legitimate communications.

I hope this has been interesting or useful to any web developer facing the same problem.

Thanks for reading!