
Son of a bot!

  • Jan 18, 2020

When I launched It's Show Easy I set it up to send me an email whenever a user account gets created. The first time I received one of these emails, I was excited. I called my wife to tell her the great news. I even composed and sent an email to the new user to welcome them to the It's Show Easy movement. Of course, my email mentioned the fact that the new user had not confirmed their account and suggested that they do so in the most friendly manner.

You see, when someone signs up for an account, It's Show Easy sends them an email message that contains a link. Clicking that link confirms their account and until the link is clicked, the account cannot be used. The purpose is to weed out bots. If a bot stuffs the form and creates a user record, the email address is likely not a real email address, and so the account will never be confirmed or usable.

I never did receive any sort of response from my new user. No "thanks for the email." No confirmation of their It's Show Easy account. Interestingly though, my email did not bounce. The next time I received a "new user sign up" email from It's Show Easy, I was less excited. I didn't inform my wife of the event, but I still composed and sent a personal welcome email message. Alas, the result was the same. This sequence repeated several times before I was resigned to the fact that I was being victimized by the strange world of Internet bots.

When I started this blog post, there were over 550 user records in the It's Show Easy database that have never been confirmed. These records date back to the end of May of last year (2019), which is when I last cleaned the bogus user records from the system. This means, since May, I have averaged over 70 bogus sign ups per month. My non-bogus sign ups have been much more sparse (frown). The user account confirmation process described above keeps any real damage from being done. Still, the bogus sign-ups are annoying and they do clutter the database.

Shifting gears just a little bit (I promise I will tie it all together soon), a customer recently informed me that the email messages she receives from It's Show Easy have been landing in her spam folder. Because I have taken precautions against email services flagging email from It's Show Easy as spam, I believe the decision to mark It's Show Easy emails as spam was made by her email client. Upon further investigation I found out that she has been receiving huge numbers of "spam" contact requests via her It's Show Easy generated websites. This likely led to her email client deciding that anything from must be spam. Evidently my honeypot captchas were not thwarting the bots.

I have to wonder, what is the purpose of all of this? I can kind of see spamming contact forms. You can stuff them with information and links that may sucker very uninformed people into following the provided information to your probably untrustworthy products. It seems like a poor way to get business, but maybe it works in some sectors. But why are there bots out there stuffing my sign up form? What is the end game? So, I poked around a little bit. Apparently it has more to do with generating fraudulent data to boost the sale of information. Here is one article I read that I thought was sufficiently insightful: Why Do Form Bots Fill Out Forms. Regardless, the time has come to do something about the form stuffing bots.

I don't know about you but I have never liked captchas that require user interaction. It seems like I always have doubts about whether or not I am able to read those distorted text images and I tend to over-analyze the "click on the pictures that show a..." type challenges. I never was much of a test taker. The i-am-not-a-robot-checkbox variation is a dramatic improvement, but even those tend to annoy me from time to time. Still, that was my plan until I discovered Google reCAPTCHA v3. Google's latest reCAPTCHA does not require any user interaction. Rather, you (the programmer) supply the information submitted by the form filler to Google and Google calculates a score that should reflect the trust-ability of the form filler. This seems to be the reCAPTCHA technology for which I have been waiting.

So, I implemented Google reCAPTCHA v3 on the contact request forms that It's Show Easy includes on generated show websites and I implemented it on the It's Show Easy sign up form. Has it worked? That remains to be seen. It turns out that you need to let the Google algorithm see live data for a while before the approach can really be effective. So, for now I am waiting and watching, but I am optimistic and I am excited to stymie all those annoying, illegitimate form stuffers. If it does work, I will install it on all public forms that are part of It's Show Easy, part of websites generated by It's Show Easy, and part of the It's Show Easy website itself. If it doesn't work, then I guess it's back to the drawing board.
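The server-side half of a reCAPTCHA v3 check, as an added example (this is not It's Show Easy's code): the form handler posts the token the browser submitted to Google's `siteverify` endpoint and decides from the reply, checking the action and hostname as well as the score. The thresholds, the action names `signup` and `contact`, and the hostname `example.com` are assumptions.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
THRESHOLDS = {"signup": 0.5, "contact": 0.3}  # assumed cutoffs, tune from real traffic
ALLOWED_HOSTS = {"example.com"}               # placeholder for the site's own hostname


def fetch_verdict(secret, token, timeout=5):
    """POST the token the browser submitted with the form; return Google's JSON reply."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def evaluate(verdict, expected_action):
    """Return (accepted, reason) for one siteverify reply."""
    if not verdict.get("success"):
        # Covers expired, malformed and already-used tokens.
        return False, "invalid-token:" + ",".join(verdict.get("error-codes", []))
    if verdict.get("hostname") not in ALLOWED_HOSTS:
        return False, "wrong-hostname"      # token was minted on some other site
    if verdict.get("action") != expected_action:
        return False, "action-mismatch"     # e.g. a contact-form token sent to sign-up
    score = verdict.get("score")
    if not isinstance(score, (int, float)):
        return False, "no-score"
    if score < THRESHOLDS[expected_action]:
        return False, "low-score"
    return True, "ok"


# Constructed replies in the shape siteverify returns (not captured traffic).
SAMPLES = {
    "human": {"success": True, "score": 0.9, "action": "signup", "hostname": "example.com"},
    "bot": {"success": True, "score": 0.1, "action": "signup", "hostname": "example.com"},
    "wrong_form": {"success": True, "score": 0.9, "action": "contact", "hostname": "example.com"},
    "stale": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, evaluate(reply, "signup"))
```

Logging the returned reason for every submission during the waiting period gives the data needed to pick a threshold per form.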

Blog photo by: Andrew Neel