Protect Online Forms and Forums with Two Free Tools

Form Armor and CAPTCHA help reduce spam, increase security

By: Rohish Lal

May 15, 2007

While most of us are all too acquainted with email spam, nonprofits that host online forums or forms know that spam can wreak havoc on Web sites as well. Unprotected forums and forms leave your organization open to spammers and other hackers — and your donors' sensitive information vulnerable to compromise.

There are a variety of tools you can use to combat spam online, but if your budget is small, your options may be limited. Below, we'll introduce you to two new, free tools — CAPTCHA and Form Armor — designed to protect online forums and forms.

CAPTCHA Can Spot Bots

One way spammers gather your personal information is via spambots, automated Web crawlers that collect email addresses from forums and Web sites to build spam mailing lists.

CAPTCHA (short for "completely automated public Turing test to tell humans and computers apart") is a free program that uses images and distorted text — or audio, in the case of users who are visually impaired — to distinguish legitimate users from spambots.

CAPTCHA works by requiring users who want to post comments to a forum or submit information via an online form to type text displayed in an image that is unreadable by a spambot. If a user fails to enter the information correctly, he or she will be denied access to a site's form or forums.

A sample CAPTCHA image, courtesy of Wikipedia. In order to access a form protected by CAPTCHA, a user would have to correctly enter the letters pictured here.
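The check described above, sketched as an added example (not code from the article or from any CAPTCHA product it names): the server keeps the expected text, accepts each challenge once and only for a short time, and counts passes and failures so staff can see whether the test is blocking bots or frustrating people. The class name, the 120-second lifetime and the character set are assumptions made for illustration; rendering the distorted image is left out.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)
# Assumed character set: leaves out look-alikes such as I/L/1 and O/0.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


class CaptchaStore:
    """Server-side record of outstanding challenges, keyed by a random ID."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock, so expiry can be tested
        self._pending = {}    # challenge_id -> (answer_digest, expires_at)
        self.stats = {"passed": 0, "failed": 0}

    def issue(self, length=6):
        """Create a challenge. The answer is drawn into the image shown to the
        user; only the challenge ID is placed in the form."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)
        expires_at = self._now() + CHALLENGE_TTL
        self._pending[challenge_id] = (self._digest(answer), expires_at)
        return challenge_id, answer

    def verify(self, challenge_id, typed):
        """Return True only for a correct, unexpired, not-yet-used challenge."""
        # pop() makes every challenge single use: one attempt, right or wrong.
        record = self._pending.pop(challenge_id, None)
        ok = False
        if record is not None:
            digest, expires_at = record
            ok = (self._now() <= expires_at
                  and hmac.compare_digest(digest, self._digest(typed)))
        self.stats["passed" if ok else "failed"] += 1
        return ok

    @staticmethod
    def _digest(text):
        # Normalise case and spacing, then hash so compare_digest always
        # receives fixed-length ASCII, whatever the user typed.
        normalized = text.strip().upper()
        return hashlib.sha256(normalized.encode("utf-8")).hexdigest()
```

A steadily high `failed` count with few `passed` entries from ordinary visitors is a sign the images are too hard to read rather than that spam is being stopped.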

One of CAPTCHA's chief advantages is that it provides a way for Web sites to prevent hackers and spambots from gaining access to a user's identity via user information, said Amrinder Arora, who published an article about CAPTCHA in the International Journal of Computer Science and Network Security (PDF) in March 2007. This system, in turn, can save an organization time and money.

“A small- to middle-usage Web site can dedicate a small amount of its staff to manage its CAPTCHA subsystem and stay ahead of hackers. It works much, much better than a manual moderation of messages and posts,” said Arora.

Another benefit to using CAPTCHA is that it is relatively easy to set up if you have some knowledge of HTML and PHP. (To learn how to configure and install it, read How to Add a Custom CAPTCHA by programmer Matthew Leverton.)

Moreover, CAPTCHA is included with many online message board and e-commerce programs, making it a convenient choice if you are already using one of these tools. Applications like phpBB and osCommerce, and freeware tools like FreeCap and Web Wiz, are just a few of the programs that come with CAPTCHA.

Your organization's IT staff, tech volunteer, or technology consultant will need to monitor your CAPTCHA system to ensure that it's keeping out spam, not users. You should also be sure to closely monitor your Web site's activity. This can be done using standard activity-monitoring tools such as vActiveMonitor or AWStats, said Arora. Finally, it is a good idea for your IT staff to make a practice of visiting security Web sites, such as SANS, to stay ahead of security problems.

Despite the program's advantages, CAPTCHA graphics have been criticized for being a little too illegible. While the letters and numbers it displays were designed so that spambots couldn't read them, humans sometimes have trouble decoding them as well.

"I have seen images on some sites that take too long to decipher," said Will Rodina, an information systems manager for a battered women's shelter in Pittsburgh, Pennsylvania. "Couple that with the use of non-normal fonts ('Is that a capital I or a lowercase L?') and you can honk someone off real quick."

Arm Your Forms with Form Armor

Idea Catchers' Form Armor, released in February of 2007, is a subscription-based Web service designed to prevent spam and other unwanted entries in online forms. Form Armor is free to 501(c)3 nonprofits.

Unlike CAPTCHA, Form Armor does not require a user to take any additional steps to access a form. While Form Armor does not disclose how its program works (for fear of assisting would-be spammers and hackers), it notes on its Web site that its tactics are adaptable and varied.

To set up an account, your Web designer simply needs to submit the Web address of the form page, and then Form Armor will issue a specific processing link for your account, according to Larissa Church, president of Idea Catchers Group. “Once your account is established, only one line of code needs to be changed in the HTML of your page,” she said. Church estimates that it should take five minutes to implement Form Armor on each form.

Unlike CAPTCHA pages, Form Armor-encoded pages can be read by screen readers, making them more accessible to those with limited vision. Church said Form Armor uses an audio alternative, as CAPTCHA does, to help those who cannot see the forms.

This form is protected by Form Armor

Form Armor is invisible to the user, except for this line of text and a small logo placed at the bottom of forms.

Because Form Armor is hosted, there's nothing to install or download. Form Armor works on all browsers and server platforms and can be activated within a day (Form Armor notes, however, that it can take up to 30 days to fully activate).

Nevertheless, given the convenience of online forms, Church says the time spent protecting them can be well worth the investment.

“I knew that many (most) nonprofits are short-staffed and even if we could save them just an hour a week in dealing with spam from Web forms, that would be time well spent,” said Church.