Okay, so how do you keep spam out of Google Forms?

[jducoeur]

Scraping off the serial numbers (since this is a project that's still kind of nascent, and I don't want to get distracted by the details) -- a bunch of us are trying to build a fairly simplistic database. It's near trivial from a schema point of view, needs to be easily accessible from the Web and easy to input data from mobile, and we don't want to spend a lot of time on implementation and maintenance. The solution that was proposed (and prototyped) is built on Google Forms, and that looks like it's probably good enough for our relatively simple needs.

I have just one concern. This thing is supposed to be long-lived, and we want a substantial number of people to be able to add to it, so we would rather not have explicit access controls required in order to submit new entries. That is, we'd like it to be publicly writeable. But I know from bitter experience that publicly writeable forms tend to eventually get savaged by the spammers.

So the question is, how is Google Forms in this regard? Does it have *any* sort of spam protection, even basics like captchas? There is of course the possibility of security through obscurity, but that tends to only work for a while; in the DB that is intended to live on for a number of years, it seems like the probability of being attacked by a spambot gets kind of severe.

Informed suggestions solicited. I'm hoping that there are already some best practices on this topic -- Google Forms is well-enough established that I would expect that we're not the first to worry aboout this...

Comments

[laurion]

You're not restricted to the page that Google gives you for filling out the form. You can take the code from that page, and bring it up into a page of your own design, where you could add a recaptcha. (And check the referrer, and use a hidden field that bots will complete, and any other anti-bot techniques your web guy has up his sleeve.)

[laurion]

That said, no, the native google forms have no protections built in beyond obscurity (each form gets a ridiculously complicated formkey), but as soon as you put a link to that form online, it can be harvested. Lots of people have asked for even the same sort of captcha that Google already has in several places, such as Blogger. There is the ability to require visitors to sign in first, but that requires everyone to have a Google account, and I wouldn't be surprised to see spambots with authenticated credentials/cookies anyhow.

[jducoeur]

Yeah, that summaries the problem nicely. I'm genuinely surprised that Google hasn't provided even a basic option for captchas or the like...

[unicornpearlz.livejournal.com]

Google forms...

So, what are Google Forms? For those of us who do not live in the IT world 24/7... are they something that we would use? Is this the proper name for something we do use regularly?

[jducoeur]

Probably not, but it's a useful tool to know about.

You know Google Docs, right? I use it all the time for writing text documents (pseudo-Word), and a fair amount for spreadsheets (pseudo-Excel). None of it sets the world on fire with its power, but for basic stuff it's quite nice: it's easy to collaborate, your stuff is all in the cloud (and so hard to lose), all changes get tracked reversibly, and so on.

The feature that's a bit less known is Forms. This is basically a thin layer over Google Spreadsheet: you define a simple question-answering survey, and the results get automatically dumped into a Google Spreadsheet. It's nowhere near as powerful as SurveyMonkey (much less a really *serious* survey-management system), but it's almost ridiculously easy to set up, and good enough for most simple surveys. I've used it once or twice.

It's pretty easy to try: from the Google Docs home, just press the Create button and choose "Form". The easiest way to learn it is to just create a throwaway experimental form and play with it.