Dealing with Spam Form Submissions in Rails

John Jacob Salzarulo
Published in withbetterco
Apr 3, 2017

I recently implemented a contact form for a client's web app. I thought burying the contact form in a Bootstrap modal would have been enough to prevent spam. Apparently not.

My client reached out to me this morning, completely bombarded with spam submissions.

This article is a quick breakdown of how I analyzed the problem and pushed a fix live.

Assessing the Problem

First, I wanted to assess the damage: see how severe the problem was and where it was coming from, just to understand it better. So I logged into SendGrid (our email service provider).

In less than 24 hours my client had received 129 spam contact form submissions. The odd thing was that the message and name fields were all gibberish, with fake addresses in the "email" field. They looked like random character sequences.

Since they all looked alike, I assume we were hit by a single spam bot. I'm not sure what the spammers gain from this, but whatever.

129 emails in just 24 hours from junk addresses. The names and messages appeared to be random sequences.

Solving the Problem

My first thought was to use Google's reCAPTCHA. Its checkbox approach isn't much of a burden on users. However, I really wanted the solution to be completely transparent to users (not even a reCAPTCHA box to tick).

A little searching turned up a gem called invisible_captcha, which seemed like a good approach. It's based on the "honeypot" principle, which is actually quite interesting and incredibly simple.

What's the "honeypot" principle?

Essentially you add an input field to the form that:

  • is not visible to real users (hidden with CSS rather than a type="hidden" input, which many bots know to skip)
  • is therefore left empty by real users
  • will be filled in by spam bots, which typically populate every field they find in the HTML

Basically you are tricking a robot into answering a question you never wanted answered. If you get an answer, you know you are dealing with a robot.

The invisible_captcha gem in particular returns a 200 response to the bot, so the bot believes it submitted the form successfully, when in reality the submission was simply discarded. That is deliberate: an error response would tell the bot's operator that the bot was detected and invite them to adapt.

Setting up a honeypot in Rails using invisible_captcha

It's pretty quick and painless. I got the whole thing done, and this article written, in an hour or so.

First, just install the gem (directions are in the gem's GitHub README).

Then add the partial to your forms. In my case there was just one.

From there you just set up your controller. For me it was one simple line.

That's it! Robots fill out the form and the web app ignores their input. Now that I understand what the gem is doing, I think next time around I'll just "roll my own" honeypot instead of using a gem.
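To make the honeypot principle described above concrete, and to show what "rolling your own" looks like, here is an added example in plain Ruby. It is not code from the article or from the invisible_captcha gem. The trap field name (website_url), the inline CSS used to hide it, and the ContactHandler class standing in for a Rails controller are all assumptions made for this example; the sample submissions at the bottom are constructed.

```ruby
require 'cgi'

# Added example (not from the article or the invisible_captcha gem): a hand-rolled
# honeypot. The field name, the CSS that hides it and ContactHandler are assumptions.
module Honeypot
  # Hypothetical trap field name. It should look like a real field so a bot
  # that fills every input it finds will populate it.
  FIELD = 'website_url'.freeze

  # Markup for the trap input. It is hidden with CSS rather than type="hidden",
  # because many bots skip hidden inputs but happily fill visible text inputs.
  # tabindex=-1 and autocomplete=off keep keyboard users and browser autofill
  # from touching it; aria-hidden keeps screen readers away from it.
  def self.field_html(name = FIELD)
    safe = CGI.escapeHTML(name)
    '<div aria-hidden="true" style="position:absolute;left:-9999px;top:-9999px">' \
      "<label for=\"#{safe}\">Leave this field empty</label>" \
      "<input type=\"text\" name=\"#{safe}\" id=\"#{safe}\" tabindex=\"-1\" autocomplete=\"off\">" \
      '</div>'
  end

  # A submission is spam when the trap field arrives with any non-blank value.
  # A missing field is treated as human, so a cached copy of the form without
  # the trap is not rejected. Array() normalises nil, a string or a repeated field.
  def self.spam?(params, name = FIELD)
    !Array(params[name]).join.strip.empty?
  end
end

# Minimal stand-in for a Rails contact controller. It mimics the behaviour the
# article describes: spam gets the same 200 "thanks" response as a real
# submission, so the bot believes it succeeded, but nothing is delivered.
class ContactHandler
  attr_reader :delivered

  def initialize
    @delivered = [] # stands in for handing the message to SendGrid
  end

  # params: a Hash of form fields, as Rack/Rails would pass them.
  # Returns [status, body] in the style of a Rack response.
  def call(params)
    unless Honeypot.spam?(params)
      @delivered << {
        name: params['name'].to_s,
        email: params['email'].to_s,
        message: params['message'].to_s
      }
    end
    [200, 'Thanks for your message!']
  end
end

if __FILE__ == $PROGRAM_NAME
  handler = ContactHandler.new
  # Constructed sample submissions: a human leaves the trap empty, a bot fills it.
  handler.call('name' => 'Ada', 'email' => 'ada@example.com', 'message' => 'Hi',
               Honeypot::FIELD => '')
  handler.call('name' => 'kdjq', 'email' => 'x@y.zz', 'message' => 'ajsd',
               Honeypot::FIELD => 'http://spam.example')
  puts "delivered: #{handler.delivered.size}" # 1
end
```

Two things worth noting from a practitioner's side. Hiding the field with CSS (or a class defined in your stylesheet) rather than `type="hidden"` matters, because crude bots already know to leave hidden inputs alone. And a honeypot only stops bots that blindly fill every field: one driven by a headless browser, or written against your specific form, will never see the trap, so if the spam comes back the next step is rate limiting or a time-to-submit check rather than a second honeypot.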

Overall it was pretty painless, and it has already killed the spam requests. I'll update here if anything changes.
