As I wrote in comments:
"You could use some form of input button and a checkbox all set in conditional statements. Those can't physically be clicked/checked."
Side note correction: I made a slight grammar mistake. That should have read as:
"You could use some form of input button and a checkbox all set in conditional statements. Those can't virtually be clicked/checked, and must be physically done by a real person."
Even Google recommends using a checkbox.
Under "Subscription":
"By manually checking a box on a web form, or within a piece of software."
and
"Setting a checkbox on a web form or within a piece of software to subscribe all users by default (requiring users to explicitly opt-out of mailings)."
Additionally, you could use a reCAPTCHA:
Here's another article on Google and checkboxes; even though it's "spam-related", the same logic applies:
Pulled from that article:
"Google introduced a better solution this week: the "No CAPTCHA reCAPTCHA," which we'll refer to as "checkboxes and kittens."
and
"That's it. A checkbox. "I'm not a robot." Though Google doesn't go into detail on the magic behind the box, the blog post announcing the change said that a "risk analysis engine" measures how a user interacts with a page, and with the CAPTCHA, to tell if anything more than a simple checkbox is necessary. If you're detected as a human, you check a box and hit submit."
All this set inside conditional statements to check if a submit button was clicked and the checkbox is set, using name attributes for each.
I.e.:
<form action="handler.php" method="post">
<input type="checkbox" value="XX" name="checkbox_x">
<input type="submit" name="submit_button">
</form>
<?php
if(isset($_POST['submit_button'])){
if(isset($_POST['checkbox_x'])){
// Do your thing
// Additionally, you could place GET array(s) if they're being used
// and also check to see if any are set and not empty.
}
}
?>
Sidenote: You could also check if a checkbox is equal to something in addition to the above using the && (AND) logical operator.
Example: && $_POST['checkbox_x'] == 'XX'.
You could also have look at this Q&A on Stack:
where a honeypost was suggested and a few other suggestions.
The following was pulled from your deleted answer.
Reference:
"One thing you could do is, set your .htaccess to block the BingPreview user agent from accessing your signup and password reset paths (Your paths may differ from this example)::
RewriteEngine On
RewriteCond %{REQUEST_URI} /signup/confirm/ [OR]
RewriteCond %{REQUEST_URI} /resetting/reset/
RewriteCond %{HTTP_USER_AGENT} BingPreview
RewriteRule . - [F,L]
"This will stop the BingPreview crawler, but I feel like it is an incomplete solution. You can block as many annoying user agents here as you want, but do you really want to spend all your time hunting down which email providers are providing similar link previews in their emails?"
