28 May

Preventing spam without captcha

Posted by: Tyler Bailey

Spam emails are extremely annoying. Unfortunately, spambots are getting smarter and smarter every day. People have developed some pretty clever methods to prevent spam, but the most popular are also an inconvenience to your users. I’m speaking, of course, about Captcha.

According to the Captcha website, Captcha is

“a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.”

Typically, the test will consist of distorted text embedded in an image.

But what if the user can’t read the distorted text produced by Captcha? It becomes a nuisance to hit the refresh button multiple times to get a legible Captcha so you can submit the form. Being in the user-experience business, we went looking for a better solution. We looked into several different technologies, but almost all of them were too bloated in size for us to find them appealing, so we had to come up with another way.

First, some explanation about spam bots: they will typically fill out every input field in a form whether or not it is visible to the user. This useful piece of information has led to the creation of the honeypot method. The honeypot method consists of putting a blank input field in your form and hiding it from the user. The bot will come across this input field and fill it in. If the form field is filled in, the sender should be marked as a bot and the form should not send. Unfortunately, setting an input field with display: none; isn’t enough to combat spam anymore. It is certainly a step forward, but as I mentioned above, spam bots are getting smarter every day and many of them have figured this little trick out and can work around it.

To prevent spam on our new forms, we used a few different “honeypot” methods combined into one form to determine if the user is a bot or not. We first implemented the standard blank honeypot text input field and set it to display: none;. When the form is submitted, we then perform a server-side check using PHP to see if the input was filled out. If so, we trigger an error and prevent the form from sending. After testing this method, we waited a couple of days to gauge its effectiveness. Unfortunately, we were still receiving some spam emails each day using this out-of-the-box honeypot functionality.

We then began investigating more solutions to combat spam. This is where we really learned just how smart these spam bots are becoming. When we had first implemented the honeypot input field, we had named the input “anti-spam”. This was a bad idea. Bots are able to read through the input attributes and determine what type of input is focused and, apparently, are able to determine if the input field is supposed to be filled out based upon the name. So we learned a valuable lesson: name your honeypot fields something completely irrelevant to combating spam.

After changing the honeypot input name to something like “promo_code” we waited another day or two to see if we had better results. A day or two went by without spam, but on the second or third day we received another spam email. This was an improvement from the previous rate, but still unacceptable.

That’s when we realized some bots can bypass input fields set to display: none;. So diving headlong deeper into the spam battle, we implemented a method found in MailChimp’s subscription form that sets the honeypot input field to position: absolute; left: -5000px;. This allowed the input field to be “visible” but positioned off screen so the normal user couldn’t see it. We weren’t going to stop there, though. We’d had enough of those emails trying to sell us shoes and prescription drugs.

To be sure no bots could send our contact form, we implemented second and third honeypot inputs. The second honeypot field was an HTML5 email input. I do believe this field was the key in preventing our spam emails. Bots, no matter how smart, will ALWAYS fill out an email input. Just be sure to name your honeypot email input field something different than your actual email input field and name it something totally unrelated to spam prevention. We used the name “email_2” for our honeypot email input. This email input was “hidden” the same way the other input field was, by setting it in a <div> with position: absolute; left: -5000px; set. If either one of these input fields were populated, the form would trigger an error and not send.

The third and final method we used to combat spam is something a little more in-depth and tricky than your average honeypot input. When a spam bot finds a form on a page it will typically fill it out within 5-10 seconds and submit. This is much faster than what a human can do, so we figured it would be wise to do a check against how long it took to fill out the form. To do this, we put in a hidden input field and set the value to populate upon page load with the time the page was loaded. When the form is submitted, we perform a server-side check that the time between loading the page and submitting the form is larger than the minimum time it takes to fill out the form. We set this minimum time to 10 seconds to be sure we weren’t going to prevent any real users from sending our form. If the form is submitted in under 10 seconds, it will trigger an error and not send.
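The three server-side checks described above, sketched in PHP as an added example rather than the site's own code. The field names promo_code and email_2 come from the post; form_token, FORM_SECRET, the one-hour age limit and the function names are assumptions. It goes one step beyond the post by signing the page-load time with an HMAC, so a client cannot pass the 10-second check simply by submitting an older timestamp.

```php
<?php
// Added example, not the site's own code. promo_code and email_2 are the
// post's field names; form_token, FORM_SECRET and MAX_FORM_AGE are assumptions.
const MIN_FILL_SECONDS = 10;   // minimum fill time stated in the post
const MAX_FORM_AGE = 3600;     // assumption: tokens older than 1 hour are stale

// Assumption: the signing secret is provided through server configuration.
function form_secret(): string
{
    $secret = getenv('FORM_SECRET');
    if ($secret === false || $secret === '') {
        throw new RuntimeException('FORM_SECRET is not configured');
    }
    return $secret;
}

// Value for the hidden timing field: "<unix time>.<HMAC of that time>".
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, form_secret());
}

// Returns why a submission looks automated, or null when it passes.
function spam_reason(array $post, int $now): ?string
{
    // Browsers submit empty text inputs, so a honeypot that is absent, not a
    // string, or non-empty did not come from a person using the rendered form.
    foreach (['promo_code', 'email_2'] as $trap) {
        $value = $post[$trap] ?? null;
        if (!is_string($value) || trim($value) !== '') {
            return "honeypot:$trap";
        }
    }
    // Verify the signature before trusting the timestamp inside the token.
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return 'token:malformed';
    }
    if (!hash_equals(hash_hmac('sha256', $m[1], form_secret()), $m[2])) {
        return 'token:bad-signature';
    }
    $elapsed = $now - (int) $m[1];
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'timing:too-fast';
    }
    return $elapsed > MAX_FORM_AGE ? 'timing:stale' : null;
}

// Constructed demo values; a real handler passes $_POST and time().
putenv('FORM_SECRET=constructed-demo-secret');
$loaded = 1700000000;
$token = issue_form_token($loaded);
$human = ['promo_code' => '', 'email_2' => '', 'form_token' => $token];
$bot = ['promo_code' => '', 'email_2' => 'a@example.com', 'form_token' => $token];
$forged = ['promo_code' => '', 'email_2' => '', 'form_token' => '1.' . str_repeat('0', 64)];

var_dump(spam_reason($human, $loaded + 45));  // human, 45 s after page load
var_dump(spam_reason($human, $loaded + 3));   // same form, 3 s after page load
var_dump(spam_reason($bot, $loaded + 45));    // email_2 honeypot filled in
var_dump(spam_reason($forged, $loaded + 45)); // timestamp not signed by the server
```

A signed token can still be replayed until it goes stale, so the age limit only bounds how long one page load remains usable.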

It’s been just over a week since we’ve implemented these spam prevention techniques and we haven’t seen a single spam email come through since. As spam bots continue to evolve, however, we may have to revisit this solution down the line. But that’s part of the spam arms race that’s not going away any time soon.

06 May

New research in repetition is a KICK

Posted by: Mike Verstrat

NPR’s Alix Spiegel recently reviewed the research of Elizabeth Margulis, Director of the Music Cognition Lab at the University of Arkansas. Margulis took the rather free-form and non-repetitive music of Luciano Berio, a 20th century composer, and chopped it up. Her cuts were intentional, copying a component, and adding it in another location to create repetition where before there wasn’t any.

The whole point of this effort was to simply see if people liked the music more or less with repetition baked in. An extensive, random sampling of people evaluated the before and after pieces.

The results were clear:

“(The Subjects) reported enjoying the excerpts that had repetition more,” Margulis says. “They reported finding them more interesting, and — most surprising to me — they reported them as more likely to have been crafted by a human artist, rather than randomly generated by a computer.”

Spiegel’s interview with Margulis further highlights the role of repetition in music as a whole, and why this became such a passionate topic of study:

“A full 90 percent of the music we listen to is music we’ve heard before. We return again and again to our favorite songs, listening over and over to the same musical riffs, which themselves repeat over and over inside the music, and she (Margulis) became obsessed with understanding why repetition is so compelling.”

One key ingredient that draws people to repetition is labeled the mere exposure effect which basically describes how people feel better about something the more they encounter it. Margulis sums it up this way:

“Let’s say you’ve heard a little tune before, but you don’t even know that you’ve heard it, and then you hear it again. The second time you hear it you know what to expect to a certain extent, even if you don’t know you know,” Margulis says. “You are just better able to handle that sequence of sounds. And what it seems like [your mind is saying] is just, ‘Oh I like this! This is a good tune!’ But that’s a misattribution.”

Margulis also explains that the innate desire for repetition crosses boundaries of time and culture:

“Musical repetitiveness isn’t really an idiosyncratic feature of music that’s arisen over the past few hundred years in the West,” she says. “It seems to be a cultural universal. Not only does every known human culture make music, but also, every known human culture makes music [in which] repetition is a defining element.”

Margulis’ study is helping fill in the picture with some clarifying implications about why we crave repetition in sound. Some commentators on her work go so far as to suggest that our craving for auditory repetition might stem from life in the womb with the constant sound and rhythm of a heartbeat surrounding us.

So what (if anything) do these findings on musical repetition mean for the world of visual communications — more specifically for those of us concerned with designing digital experiences?

I would argue it means a lot.

After all, the phenomenon of repetition exists in the visual world as well as the audible. In addition to her insights on audible repetition, I think Margulis’ work might also be uncovering some underlying forces that assist visual designers and information architects with the choices they make in communicating.

The point is, just as a heart beats to a rhythm, just as the hook of a great song sways our emotions — repetition in a digital experience makes us feel we’re right where we want to be.

If we think about what we do as communicators in the digital / interactive space, we’re usually set about the task of organizing information. There’s a goal out there, an idea, a concept — we try to make it clear by emphasizing the essential and removing the extraneous through the manipulation of word and image. We strive to make the complicated simple. That’s what we do in a nutshell. But of course, doing this with success is easier said than done. As Brion points out in a recent post, “… simplicity is hard to achieve, requiring a great deal of creativity; and that complexity is easy to achieve …”

One strategy for organizing the visual arrangement of information (as far as interactive experiences go) is utilizing principles of repetition, especially in key visuals and navigation elements. We often call this consistency instead of repetition but the classifications are similar. When designing navigation, we even choose terminology to describe those elements using words that are synchronous with other similar interactive experiences (i.e. Home, About Us, Contact Us, etc.).

Think about sites you’ve visited recently. Can you recall instances where you’ve had to look all around the screen to try and track down a specific link, button, or function? How did that make you feel? Why did you look for it in the places you searched?

Arguably, you expected it to be a certain way because repetition of that way had occurred for you in the past. As Jakob Nielsen points out, an axiom to remember when developing an online experience is that “users spend most of their time on other websites”. It’s critical when designing a digital experience to be aware of the audience, and have a solid understanding of what elements they’ll expect to be repeated or consistent.

Intuitively, this all makes perfect sense. Many of our life experiences are based on repeating audible or visual patterns in time and space. The sun “rising.” Seasons. Birthdays. The wheels of your car turning. Your yearly physical (get one). The traffic light. Alarm clocks. Tides. Rows of crops. City blocks. There are things you just simply believe will be there because they’ve been there before. Repetition somehow has the power to arrest our attention, and soothe it at the same time.

Of course when it comes to preferring things repeated, there’s a limit.

Most would agree that there’s a break-point (seemingly unaddressed by Margulis’ research) where you start hearing things like, “I’m so sick of this song!” and “This ad is so overplayed!”

To be sure, there is a progression of user interface design conventions (and design conventions in general) over time. Just take a look at how things looked a short 20 years ago to realize that patterns and paradigms in UI do in fact shift, just like they do with styles and preferences in any cultural context. Additionally, experienced designers often know when it’s right to break a rule here or there in order to intentionally fragment repetition for the sake of accentuation or variety.

Still, I think the power of consistency is so strong, that comfort in knowing what to expect often trumps any need to change for change’s sake.

Take Warren Buffett’s Berkshire Hathaway corporate site for example. One could argue that it’s passed a stylistic expiration date about 18 years ago. Yet many (dare I say older investor-types) see it as navigable, simple and largely device-agnostic when it comes to usability. I’d venture to guess it would cause quite a stir (for better or worse) if we one day fire up the url (does anyone actually visit their site besides me?) and we find parallax scrolling and promotional videos duking it out for our attention.

To be sure, BH’s subsidiary groups run the gamut of site design conventions, and I’m not advocating for or against their corporate site’s cemented-in approach. I’m instead pointing out where repetitive, year-after-year consistency in an online presence seems to build more forceful inertia than change — even in a Fortune 5 company.

I think the big idea that can be taken away from Margulis’ research — as it relates to things visual — is that balancing the unifying/comforting nature of repetition with the eventual desire for variety, should first begin with an understanding of the strong need people have for wanting to know what’s coming next. If you violate that need, you’ll be asking your audience to weather the storm of uncertainty until they are able to continue navigating through your information — that is, if they choose to stay with you at all versus bailing out and going somewhere else.

So weigh those risks before breaking consistency, and proceed as appropriate.

You’ve probably heard of the long-standing design acronym, “KISS — Keep It Simple, Stupid!” Maybe as a starting point to achieve simplicity, it makes sense to “KICK — Keep It Consistent, Kid!”

05 May

If you run a Facebook page for yourself or your business and you take the time to monitor the analytics, you’ve probably noticed a trend: the reach of your posts has been heading downward. Your efforts on Facebook are getting back less bang for your buck.

Maybe you’ve recently received a notice from Facebook, which offered to sell you ads to increase your reach. So rather than reach people who chose to Like your page and opted in to see your content in their News Feeds, Facebook is offering you the chance to pay for what you got for free before.

Any way you look at it, this is a classic “moving the goal posts” move by Facebook. Admittedly, they have very real audience size considerations: millions of businesses have Pages in their system, trying to reach over a billion users. Not all of those businesses can get 100% reach across all of their followers’ News Feeds without crowding out more personal connections. That’s a real problem.

But there is also this reality: Facebook is an ad-driven company that makes its money selling ads based on information users feed into the system. Facebook is not in business to help you if helping you costs them. It makes business sense for them to charge other businesses for access to a wider user base, especially after years of better access created a dependency. It’s their pipes you’re using, right?

Facebook isn’t the only platform that is changing the rules of the game. All third party tools are now or will be doing this. Like Facebook, they are not in business for you.

This is only a real problem if you’ve developed too much of a dependency on these services.

A parallel in the real world might be this: your industry has a trade show every year that everybody goes to. Vendors and customers flock to it. It’s a huge competition for eyeballs and if you handle your presence there right, your sales do really well as a result.

If you were to consider that your only chance to reach your customers or maintain sales, however, you would be missing out on opportunities the rest of the year. And if the trade show ever changes the bar for entry, your business would suffer.

It’s the same with Facebook, Twitter, Google+ or any of the other social media platforms. If you’re relying too much on them, you make yourself vulnerable to business decisions they make, rather than dependent on decisions you make.

To carry the illustration forward, you can go to multiple trade shows or use multiple third party platforms. But you can’t forego the traditional sales and marketing techniques, and stop hitting the pavement. That’s where the meat is. That’s where the longevity and stability of your business lies.

In the web sphere, this means putting the focus on your own website and on your own publishing. Use those other tools, but don’t rely on them. Make your website great and use the full array of tools available to you to increase the reach of your business through platforms you own.

Facebook’s audience size problem can feel like it cuts both ways. At over a billion users, it’s easy to think they’ve got the whole internet covered. And to be sure, that’s a conversation you want to be a part of. It’s just not the only conversation. It can be intimidating to be faced with getting lost in the wider ocean of the internet with a focus on your own, owned platforms.

But as long as you go after your customers like you always used to, you’ll be okay.

02 May

A pre-emptive eulogy for Twitter

Posted by: Matt Saler

The Atlantic has a lengthy piece describing what it calls the twilight of Twitter:

Twitter is the platform that led us into the mobile Internet age. It broke our habit of visiting individual news homepages first thing in the morning, and established behaviors built around real-time news consumption and production. It normalized mobile publishing power. It changed our expectations about how we congregate around shared events. Twitter has done for social publishing what AOL did for email. But nobody has AOL accounts anymore.

As someone who is generally a fairly heavy Twitter user, I went into the piece intending to scoff at the premise. But there’s a valid point in there: the service and the feel of it has changed. There are still great sub-networks where the effects discussed in this piece aren’t as evident, but if you’ve spent much time investing into the culture of Twitter, you’ll have noticed these things.

At its best, Twitter can be one of the most fun places to frequent on the web. At its worst, it can be awful in ways it didn’t used to be. I’m conflicted about calling it a twilight when it could just be a phase, but it’s clear The Atlantic is accurately describing something, even if I’m not sure about the conclusions.

01 May

Followup on native advertising

Posted by: Matt Saler

Nieman Journalism Lab points to a recent study into the possible brand-damaging effects of native advertising on journalism sites. The study compared a younger audience’s perceptions of a test news site with those of an older audience. The researchers found that native ads did not damage the site’s credibility as a news source.

But lest you think that is a solid point in native advertising’s favor, there’s this: the younger crowd recognized the ads and had an overall critical, hard-to-impress stance toward the site, while the older participants didn’t notice the ads despite being more positive in their feedback. Critical users who can recognize native ads (and presumably know to avoid them) and uncritical users who miss the ads entirely don’t add up to an emphatic win for the medium.

Obviously, the question requires more research, which the team that conducted the study plans to do next. As I’ve already suggested, the credibility of news sites is at risk — if only because of increased cynicism.
