We're dropping support for Google reCAPTCHA because, on one hand, it can be bypassed, while on the other hand it adds user friction and/or is hard to tune correctly.
In order to avoid an error message in your forms, please remove the widget from your forms before September 4th, 2022.
Instead we offer 5 effective methods to filter spam.
Read on if you want to know the details.
What is Google reCAPTCHA?
Google reCAPTCHA is the most widely used CAPTCHA in the world. It is a service that aims to tell humans from bots.
It was introduced in 2007 and has since gained huge popularity. It is used by some of the largest websites in the world, such as Facebook and CNN.
When Google originally introduced it, it was a free tool that helped them train some AI models in image recognition and tagging. Ironically, this worked pretty well, and now bots can use commodity AI models to solve CAPTCHA challenges.
What's the problem with reCAPTCHA V2?
reCAPTCHA V2 asks the user to check a box. If the user is suspected of being a bot, they are asked to solve a puzzle, such as marking all motorcycles in a grid of photos.
The problem with this approach is that it creates high friction for users. Even Google says so in its documentation and advises against using it. Instead, it recommends using V3.
The truth is that many users stumble on the challenge, are unable to complete it, and simply drop off. Users of more privacy-aware browsers, such as Brave, are likely to get tougher puzzles, making it even more likely that they will drop off. Others just don't like it and drop off as well. These are all potential customers that you lose.
At the same time, bots are able to bypass the challenge, either by using AI, which has become pretty good at image recognition, or by using CAPTCHA farms - human workers in low-cost countries who solve CAPTCHA challenges whose solutions are then used by bots.
So CAPTCHA is becoming easier and easier for bots to bypass, while remaining hard for humans to solve.
What's the problem with reCAPTCHA V3?
reCAPTCHA V3 is non-intrusive. It does show a small badge on the side of the screen, mainly for legal and branding reasons. But it does not interfere with any of the users' actions.
reCAPTCHA V3 works by learning the behavior of users on the site. It starts with some defaults and some assumptions, and continues improving from there.
The catch is that it has to be tuned by the website administrator. reCAPTCHA V3 produces a score between 0 and 1. 0 means you're likely a bot, and 1 means you're likely a human. But what about all the grey area in between? This is where the website admin has to decide between allowing the request, blocking it, or presenting a reCAPTCHA V2 challenge. And Google doesn't make it easy to tune. Sure, in the reCAPTCHA dashboard you can see the breakdown of scores for each action on the website. But that doesn't help you understand whether these were good human interactions or bot interactions. So tuning is basically a guessing game.
Another problem is that before reCAPTCHA V3 has enough human traffic to learn from, it uses simple heuristics. These are very easy to bypass with just a little effort.
What do we suggest instead?
If both reCAPTCHA V2 and V3 have their issues, how do we fight spam?
We offer 5 layers of spam detection:
- Empty submissions - these are obviously very easy to detect and stop. They are sometimes made by bots probing the form, or even by non-harmful bots that naively crawl your site.
- Referrer validation - you can specify the domains on which your form is hosted, and Form-Data will block submissions coming from other domains. This is mostly useful against some types of fraud rather than necessarily against spam.
- Honeypot fields - this is a very effective technique that easily eliminates most of the unsophisticated bots. It's a hidden field in the form that bots will just fill in while humans ignore it. You can enable it in the form settings.
- Country filters - this is a new filter that we've recently added. You can block a list of countries, or allow a list of countries. It is mostly useful for local businesses that do business in a specific country. You can see the origin country in each submission that you get. Note that some people or companies who use a VPN might appear as if they come from a different country. Therefore, blocking specific countries is better than allowing specific countries.
- CleanTalk - CleanTalk protects over 660,000 websites. It works by maintaining a database of IP and email addresses that are used by bots. We have found it extremely useful and accurate. Every week, it blocks between 40% and 75% of the submissions that we get.
Combining these 5 methods has proved to be effective in eliminating most of the spam that our customers get. Spam is an endless and hard fight, and bots become more and more sophisticated. From time to time we do get customer inquiries about spam, and we try to help out by tuning the form settings or our system.
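The first four layers above, sketched as one server-side check. This is an added example, not Form-Data's own code: the function names, the `company_website` honeypot field, the config shape and the caller-supplied country code are assumptions, and the CleanTalk lookup is left out because it is an external service.

```javascript
// Added illustration; every name here is hypothetical, not Form-Data's code.
const HONEYPOT_FIELD = "company_website"; // hidden input that humans never fill

function refererHost(headers) {
  // Compare the parsed hostname, never a substring of the raw header:
  // "https://example.com.other.test/" contains "example.com" but is another site.
  try {
    return new URL(headers.referer || "").hostname.toLowerCase();
  } catch {
    return null; // missing or malformed Referer header
  }
}

function classifySubmission(fields, headers, country, config) {
  // Layer 1: empty submission (the honeypot field does not count as content).
  const visible = Object.entries(fields).filter(([k]) => k !== HONEYPOT_FIELD);
  if (visible.every(([, v]) => String(v ?? "").trim() === "")) {
    return { spam: true, reason: "empty" };
  }
  // Layer 2: referrer validation; subdomains of an allowed domain pass (assumption).
  const host = refererHost(headers);
  const hosted = host !== null && config.allowedDomains.some(
    (d) => host === d || host.endsWith("." + d));
  if (!hosted) return { spam: true, reason: "referrer" };
  // Layer 3: honeypot; any value in the hidden field marks the sender as a bot.
  if (String(fields[HONEYPOT_FIELD] ?? "").trim() !== "") {
    return { spam: true, reason: "honeypot" };
  }
  // Layer 4: country block list; `country` is an ISO code the caller resolved from the IP.
  if (country && config.blockedCountries.includes(country.toUpperCase())) {
    return { spam: true, reason: "country" };
  }
  return { spam: false, reason: "clean" };
}

// Constructed sample configuration and submissions.
const sampleConfig = { allowedDomains: ["example.com"], blockedCountries: ["ZZ"] };
const fromSite = { referer: "https://www.example.com/contact" };
const samples = [
  [{ name: "", message: "  " }, fromSite, "US"],
  [{ name: "Ann", message: "Hi" }, { referer: "https://example.com.other.test/" }, "US"],
  [{ name: "Bot", message: "Buy", company_website: "http://x.test" }, fromSite, "US"],
  [{ name: "Ann", message: "Hi" }, fromSite, "zz"],
  [{ name: "Ann", message: "Hi", company_website: "" }, fromSite, "US"],
];
for (const [fields, headers, country] of samples) {
  console.log(classifySubmission(fields, headers, country, sampleConfig).reason);
}
```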
What does it mean that we drop support?
Dropping support means that the reCAPTCHA script that we offer in the form settings will stop working:
- In the first phase, effective immediately, we will not validate the captcha with Google. This means that users will still see the checkbox widget in the form, but it will have no effect on spam classification.
- In the second phase, which will become effective on Sunday, September 4th 2022, the checkbox widget will stop working. If you do not remove it from your form, your users will see an error.
In order to avoid that, please remove the script from your site. The script has 2 parts:
- This part may be in the HTML head, or in the body:
- The second part is a div inside your form, with the site-key in it:
<form action="..." method="POST">
  <!--put this div inside your form-->
  <input type="submit" value="Submit">
</form>
We don't charge for spam submissions
We want our customers to use our service without fearing unexpected expenses due to spam bot activity.
Therefore, we do not count spam submissions towards the quota of your plan. We only count submissions that were sent into the Inbox.
Even though spam submissions do not trigger email notifications, you can still view them in your Form's Inbox, under the Spam folder.
Do you suffer from spam form-submissions?
If you're not a customer of Form-Data, we invite you to try our service. You can start for free.
If you are a customer and still suffer from spam, please let us know.