Know your enemy: the different types of robots attacking your web forms
There are different types of robots, more or less evolved. The simplest limit themselves to analyzing the HTML code and posting data to your form endpoints. The more complex simulate users navigating your website, moving the mouse, and executing JavaScript components. And the most powerful can even receive your confirmation email and simulate a click on the link it contains.
Protection against the simplest and most numerous robots
The simplest protection to implement, which guards against the most basic robots, is a honeypot: a trap consisting of a hidden text field.
Your human users will not see it, so the honeypot field will be empty when a real person submits the form. Robots, on the other hand, will consider it legitimate and fill it with a value. To be effective, the honeypot field should have a name that is usually important but currently unused in your form, such as "first_name" or "email_confirmation".
On the server side, check whether the honeypot field is empty or contains a value. If it contains a value, you can assume a robot submitted the form and discard the data.
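A server-side version of the honeypot check described above, as an added example rather than code from the original article. The field names, verdict strings and sample request bodies are assumptions, and rejecting a request that omits the honeypot field entirely goes beyond the article's empty-versus-filled check.

```python
from urllib.parse import parse_qs

# Assumed names: the form's real address field is "email"; the decoy reuses
# an important-sounding but unused name, as the article suggests.
HONEYPOT_FIELD = "email_confirmation"


def screen_submission(raw_body, honeypot=HONEYPOT_FIELD, require_field=True):
    """Return (verdict, fields) for a urlencoded POST body.

    verdict is "accept", "bot_filled_honeypot" or "honeypot_missing".
    """
    # keep_blank_values=True keeps an empty honeypot visible as [""]
    # instead of parse_qs silently dropping it.
    parsed = parse_qs(raw_body, keep_blank_values=True)
    trap_values = parsed.pop(honeypot, None)

    if trap_values is None:
        # Assumption beyond the article: a browser submits the hidden text
        # input even when it is empty, so its absence means the request was
        # not produced by the rendered form.
        if require_field:
            return "honeypot_missing", {}
    elif any(value != "" for value in trap_values):
        # Any value at all, in any repeated occurrence, trips the trap.
        return "bot_filled_honeypot", {}

    # Hand on only the real fields (first value of each); the decoy is gone.
    return "accept", {name: values[0] for name, values in parsed.items()}


# Constructed sample request bodies, not captured traffic.
SAMPLES = {
    "human": "email=ann%40example.org&email_confirmation=",
    "bot": "email=x%40example.org&email_confirmation=x%40example.org",
    "repeated": "email=z%40example.org&email_confirmation=&email_confirmation=spam",
    "direct_post": "email=y%40example.org",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, screen_submission(body))
```

Rejected submissions are best answered with the same response a successful one gets, so the sender receives no signal about which field was the trap.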
Captchas: effective protection that can ruin your conversions
Another level of protection is the captcha, which is an effective way to protect your forms but extremely annoying for your users. It slows them down right when they are filling out your forms, which is, let's face it, never an enjoyable task.
Most marketers look for ways to reduce the number of steps in a form so that fewer people leave the page before submitting it, and captchas add a bothersome step to your forms.
Captchas repel not only robots but also your legitimate users.
The sweet spot of form protection: email confirmation
A level of protection that works very well against the most advanced robots is to send a confirmation email to the address provided and wait for the person to click on its link before validating the registration.
This solution is very effective, commonly accepted, and does not bother users as much as a captcha. It is an excellent way to protect your forms against the vast majority of robots.
However, the most advanced robots can receive your confirmation emails and simulate a click on the link.
Fill the last hole: advanced email validation
To protect yourself against the most advanced category of robots and enhance your email confirmation system, you should implement a powerful email validation mechanism.
By checking that the provided email address is legitimate, is hosted on a correctly configured SMTP server, does not correspond to a catch-all address, and is not a disposable address, you will protect your form against most, if not all, robot attacks.
Abstract provides a free and real-time API that you can use to implement such an advanced email validation mechanism in a few seconds. It's as easy as making a GET request and checking the response's JSON fields.