Dealing with bot spam
When I was a kid, our church had a little box for suggestions and prayer requests.
My father was a pulpit minister for a while, so I learned that such a box will sometimes contain other interesting things, too. Like gum wrappers. Or the occasional dirty limerick from an especially daring kid. (It wasn’t me, I swear, Dad!)
Your website's contact and donation forms probably have a similar problem. If they don’t now, they probably will eventually.
You can't just close them up, but it's a headache to deal with spam submissions.
And sometimes it's more than a minor annoyance. When you've got hundreds of spam contacts showing up in your CRM every day, or card-testing scammers submitting stolen credit card numbers, it can have a serious impact on your operations.
So what to do?
First, recognize that this is an ongoing campaign against malicious activity.
There is no one-button fix. Every step you take to make it harder for the bad actors can also make it harder for your legitimate users. That's a cost all by itself, besides whatever time and effort you put into this.
So you'll want to have some kind of baseline measurement first, to evaluate the impact of whatever actions you do take.
But here are some things you can do to tighten up your fortress against the invaders.
Contribution "card testing" scammers, and other spam via CiviCRM forms:
Credit card thieves can (and do) purchase lists of stolen credit card details on the dark web, and then automate the testing of those details on some online payment form somewhere.
If they pick your contribution page, you could be in for some trouble with your payment processor (imagine: Stripe suspends your account until you find a way to block the scammers.)
Or, if you're really getting hammered, the volume of traffic can make your site unusable.
To protect against this kind of abuse, you can install and configure the CiviCRM "Form Protection" extension and Google's reCAPTCHA tool. This will provide a rather high barrier against bot-driven form submissions. (See this civicrm.org blog post for more details on this topic.)
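To put numbers on both the baseline measurement suggested above and the card-testing pattern just described, here is an added example (not code from the original post, CiviCRM, or the Form Protection extension) that scans a constructed contribution-attempt log for bursts of tiny test charges and reports a per-day failure rate; the log format, thresholds and IP addresses are assumptions.

```python
# Added example, not from the original post or CiviCRM: flag card-testing bursts
# in a constructed contribution-attempt log and compute a baseline failure rate.
# Assumed line format: "<ISO timestamp> ip=<addr> amount=<usd> status=<completed|failed>"
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=203.0.113.7 amount=1.00 status=failed
2024-05-01T10:00:04 ip=203.0.113.7 amount=1.00 status=failed
2024-05-01T10:00:09 ip=203.0.113.7 amount=2.00 status=failed
2024-05-01T10:00:15 ip=203.0.113.7 amount=1.00 status=completed
2024-05-01T10:00:22 ip=203.0.113.7 amount=1.00 status=failed
2024-05-01T10:00:30 ip=203.0.113.7 amount=1.00 status=failed
2024-05-01T10:15:00 ip=198.51.100.20 amount=50.00 status=completed
"""

def parse_log(text):  # -> list of (timestamp, ip, amount, status)
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["ip"], float(kv["amount"]), kv["status"]))
    return events

def find_card_testing(events, window_seconds=300, min_attempts=5, max_amount=5.00):
    """Return {ip: attempts} for sources making >= min_attempts small-amount attempts
    inside any sliding window of window_seconds (the card-testing pattern)."""
    by_ip = defaultdict(list)
    for ts, ip, amount, _status in events:
        if amount <= max_amount:  # ordinary donations are ignored by the amount filter
            by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_attempts:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def baseline(events):
    """Per-day (attempts, failure rate): the before/after yardstick for any change."""
    totals = defaultdict(lambda: [0, 0])
    for ts, _ip, _amount, status in events:
        day = ts.date().isoformat()
        totals[day][0] += 1
        totals[day][1] += status == "failed"
    return {d: (n, f / n) for d, (n, f) in totals.items()}
```

Run `baseline()` on a week of real attempts before and after enabling Form Protection or reCAPTCHA, and tune the thresholds in `find_card_testing()` to your own donors' typical amounts.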
"Contact Us" form spam:
For any number of wild and varied reasons, bad actors will implement automated scripts that submit bogus data through general-purpose forms like your "Contact Us" or "Subscribe to Our Mailings" forms.
If these forms are built in CiviCRM, the Form Protection extension (see above) can help.
But if they're built in your CMS (Drupal Webforms, WordPress Gravity Forms, etc.), or if you want something besides Google reCAPTCHA, you've got more options, in the form of outside (usually paid) services that scan all form submissions and reject the ones that fail the "smells like spam" test.
The two most popular services are Akismet and CleanTalk, and both of them:
Have plugins/modules for both Drupal and WordPress
Work without CAPTCHAs, puzzles, or other "stupid human tricks" hoops for the user to jump through.
Are pretty darned inexpensive.
Have a good reputation for blocking bots without blocking humans.
Here's the thing:
A little bot-driven spam now and then is likely an acceptable "cost of doing business" if you want to keep your "contact us" and donation forms open to the public.
But if (and when) it gets bad enough that it's hurting your organization, you do have options.
All the best,
A.