Question
I work for a company that has an online store, and we constantly have to deal with a lot of spam product reviews, and bogus customer accounts. These are all created by automated systems and are more of a nuisance than anything.
What I am thinking of (in lieu of captcha, which can be broken) is adding a sort of form key solution to all relevant forms. I know for certain some of the spammers are using XRumer, and I know they seldom request a page before sending us the form data (Is this the definition of CSRF?) so I would think that tying a key to each requested form would at least stem the tide. I also know the spammers are lazy and don't check their work, or they would see that we have never posted a spam review, and they have never gained any revenue from our site.
Would this succeed in significantly reducing the volume of spam product reviews and customer account creations we are seeing?
Explanation / Answer
What you're suggesting sounds like the honeypot method. I've used this on forms that were getting a lot of spam and found it works quite nicely. It wasn't perfect but it did cut our spam down quite a bit with no impact on legitimate users -- they didn't have to decode a cumbersome CAPTCHA or stop to think what 2 + 1 is equal to.
Now when we compared the honeypot against forms with reCAPTCHA, reCAPTCHA was waaaaay more effective, pretty much blocking everything.
It's not clear from your question but requiring an account to post a review and requiring email verification of said account (i.e., person signs up, you send an email with activation link, they click activation link before they can do anything on the site) can also go a long way to cutting down spam.
To specifically address your question: yes, this tactic will reduce spam, but you're likely to still get a decent volume of spam if you rely on it alone.
I'd start with a honeypot on your forms and see how it goes. It's easy to implement and is low impact on users. If the results are acceptable then be happy and move on to something else. If not, look into something like reCAPTCHA. You mentioned that management isn't too psyched at the idea of a CAPTCHA, likely because they fear a reduced number of legit reviews. In this case doing an A/B test of non-CAPTCHA vs CAPTCHA form submissions will give you some insight into whether this is actually a concern.
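The form key described in the question and the honeypot field recommended in the answer can be checked together on the server. The following Python is an added example, not code from the original thread; the field names `form_key` and `website`, the time limits, and the in-memory nonce set are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-deployment server secret
MAX_AGE = 3600                    # assumption: a form key is valid for one hour
MIN_FILL = 3                      # assumption: a human needs at least 3 s to fill the form
HONEYPOT = "website"              # hypothetical field, hidden from humans with CSS
_used = set()                     # spent nonces; a shared store is needed across workers


def _mac(form_id, ts, nonce):
    # Bind the key to one form, one issue time and one nonce.
    msg = f"{form_id}|{ts}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_key(form_id, now=None):
    """Call while rendering the form; embed the result in a hidden input."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(form_id, ts, nonce)}"


def check_submission(form_id, fields, now=None):
    """Return (accepted, reason) for a dict of POSTed form fields."""
    now = int(time.time() if now is None else now)
    if fields.get(HONEYPOT, "").strip():
        return False, "honeypot filled"           # bots tend to fill every input
    parts = fields.get("form_key", "").split(".")
    if len(parts) != 3 or not parts[0].isdecimal() or len(parts[0]) > 12:
        return False, "missing or malformed key"  # POST sent without fetching the page
    ts, nonce, mac = int(parts[0]), parts[1], parts[2]
    if not hmac.compare_digest(mac.encode(), _mac(form_id, ts, nonce).encode()):
        return False, "bad signature"
    if now - ts > MAX_AGE:
        return False, "expired"
    if now - ts < MIN_FILL:
        return False, "submitted too fast"
    if nonce in _used:
        return False, "replayed key"              # one page fetch, one submission
    _used.add(nonce)
    return True, "ok"
```

Logging the rejection reason per request shows which check is catching the automated traffic and whether any legitimate users are being rejected.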