11.21.2008
A Poor Man's CAPTCHA
Posted by: dnndev 6/25/2007 12:04 PM
Spam 'bots got you down? Some thoughts on slowing them down in XMod 4.7

Recently, I've been receiving more reports from customers about spam 'bots targeting their XMod forms. Let me put that another way... They're not targeting their forms specifically because they're made with XMod. Rather, the forms suffer like all forms - if access to them isn't restricted to registered members, submissions can be automated via a 'bot.

For publicly accessible forms, the only thing you can really do is implement CAPTCHA support. Whenever you submit a form and have to look at an image and type in the series of numbers and letters you see - that's CAPTCHA. The image is designed to not be read by machines (some are better than others). Theoretically, then, only a human could view the letter/number combination.

There are accessibility issues with using CAPTCHA - screen readers used by people who have poor or no eyesight are machines and they can't read the images either, effectively shutting off your form from that audience. There are ways around that by providing an audio version of the letter/number combo in addition to the image. In other words, implementing a good CAPTCHA solution isn't simple.

We plan on adding CAPTCHA support to an upcoming release of XMod. But what can you do in the meantime? I've been thinking about this and believe I've come up with a poor man's version of CAPTCHA. I haven't implemented it myself, but I'd like to offer it up and see what your thoughts are.

The idea is to provide a code - some combination of letters, numbers, and maybe punctuation - in your form that is visible to the user. As an example, let's use: Htg65n_refW29xp. Screen readers could read this (and bots too). The trick, though, is to tell the user: "Enter the 3rd letter followed by the 2nd number, followed by the 4th character after the underscore..." Have them enter that code into a text box and use XMod's Compare validator to compare it with the correct value. So, you would be looking for the value: g5W in our example. You may want to make it a few more characters long, but you get the idea.

This tactic isn't perfect - after all, it is for "poor men". However, what it tries to do is force the spammer to take time to adjust to the form, and presumably it isn't cost-beneficial to re-script for your form. If they do, then simply change the code AND change the name and position of the field you're having them enter the code into. This would require them to re-script the 'bot again. For you it's an easy change; for the 'bot maker, you hope it's more hassle than it's worth.
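The scheme described above, worked through as an added example (not code from the original post or from XMod): it derives the value the Compare validator would be set to from a code and an instruction, and builds a fresh code and instruction each time you rotate the challenge. The function names, the `(kind, position)` step encoding and the exclusion of look-alike characters are assumptions of this example.

```python
import secrets
import string

# Kinds of pick the post's instruction uses, with the wording shown to the user.
KINDS = {
    "letter": "letter",
    "number": "number",
    "after_underscore": "character after the underscore",
}
# Assumption: skip look-alike characters so a human can count positions reliably.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "Il1O0o")

def pool(code, kind):
    """Characters of `code` that a pick of this kind counts through, in order."""
    if kind == "letter":
        return [c for c in code if c.isalpha()]
    if kind == "number":
        return [c for c in code if c.isdigit()]
    if kind == "after_underscore":
        return list(code.partition("_")[2])
    raise ValueError(f"unknown kind: {kind}")

def ordinal(n):
    suffix = "th" if 10 <= n % 100 <= 20 else {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"

def instruction(steps):
    """Human-readable prompt for a list of (kind, position) steps."""
    return "Enter " + ", followed by ".join(f"the {ordinal(n)} {KINDS[k]}" for k, n in steps)

def expected_answer(code, steps):
    """Value to compare the user's text box against."""
    return "".join(pool(code, k)[n - 1] for k, n in steps)

def new_challenge(half=7, picks=3):
    """Fresh random code and steps, for rotating the challenge."""
    code = "_".join("".join(secrets.choice(ALPHABET) for _ in range(half)) for _ in range(2))
    steps = []
    for _ in range(picks):
        kind = secrets.choice([k for k in KINDS if pool(code, k)])
        steps.append((kind, secrets.randbelow(len(pool(code, kind))) + 1))
    return code, steps

def check(code, steps, submitted):
    """Case-sensitive exact match, computed server-side from the stored challenge."""
    return submitted.strip() == expected_answer(code, steps)

# The post's own example code and instruction.
PAGE_CODE = "Htg65n_refW29xp"
PAGE_STEPS = [("letter", 3), ("number", 2), ("after_underscore", 4)]
```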

What are your thoughts on this idea? Could it help slow a bot down? Do you have other suggestions?


Comments (2)
Re: A Poor Man's CAPTCHA    By FosterAF on 7/6/2007 7:21 AM
I like that idea, I'm not sure I'm keen on the idea of it being 'what's the 5th letter', it feels a little heavy. What about displaying an image with a drop down of descriptions, like 'bird, dog, cat'. That's hugely more exploitable because there's an option list and image content detectors could easily be written, but maybe there's a combo of something more visual, but a little more complex like your letter idea. (and maybe the letter idea is fine too ;))

Re: A Poor Man's CAPTCHA    By KurtWC on 6/10/2008 10:17 AM
This idea might work for some applications, such as registration forms for site access or membership, but I think for more marketing-oriented online forms, where conversion rates are already pretty low, it makes it even worse. The drop-down list suggested by FosterAF seems less burdensome.


© 2004-2008 Kelly Ford