How to Stop Spam Coming Through Your Contact Form

Rich,

I am getting loads of spam through my contact form. Any ideas how to stop them and not exclude any real inquiries?

–Frustrated in Framingham

Dear Frustrated,

Sigh, the curse of the spambots. Welcome to the battlefield.

Unfortunately, as forms "age", they tend to become more susceptible to bots (little pieces of script) that, in this case, spammers use to fill up your inbox.

I used to get over 100/day of these time-wasters. We’ve recently been using two different forms that, so far, have been nearly perfect in protecting us from these emails.

One is a script you may be able to add to the very form you’re using now. It adds a piece of code that checks if the submit button has been pushed.

See, these spambots don’t actually use the form on your Web site; they go straight to the script that makes the form run, bypassing the submit button. By checking whether this button was clicked, you can block about 99% of these emails. Users don’t notice any difference and aren’t required to type in a captcha, one of those sometimes indecipherable alphanumeric combinations on irritating backgrounds. The script does require PHP on your server, and you may need to change the suffix of your Web page to .php to make it work.

Another option that we’ve used is called Wufoo. You can see us using their form on our jobs page. This is a hosted solution that costs $9/mo…a worthwhile investment if you’re spending too much time deleting spam from your inbox. Wufoo has some nice additional options as well, including some small e-commerce solutions. However, we’ve found that the secure version of Wufoo doesn’t play well in IE6 (what does?) so it might not be ideal for that purpose. Also, the autoresponder that’s sent to the person who completes your form has a Wufoo.com address…some people might find that a deal breaker, but it’s required to help email delivery.

Readers…what do you use to stem incoming spam from your Web site contact forms?

Rich Brooks
Talking Spam

20 Responses to “How to Stop Spam Coming Through Your Contact Form”

  1. Josh Hurley

    Good post. One note — if you have a contact form written in ASP.NET then you're already protected from almost all of these bots.

  3. Aubrey Alexander

    A lot of times the spam bots attack pretty systematically. If you use form elements like "email" or "message", it understands what payloads to put into the response. Don't make it easy for them by using common names. Smarter bots also look at element types and use that to define the payload. It inserts spam into all text areas, and email addresses into all input forms. One trick I use is to add extra text areas and email fields with common names, but I use CSS to make them invisible to the user. User gets the same experience and the bot just isn't smart enough to find the right style sheet to see the element wasn't even there. For every counter attack, there is a counter counter attack but most of these bot guys are lazy and you only have to go a few levels deep to get rid of 99.9% of web spam.
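
The submit-button check from the post and the hidden decoy fields described in the comment above, combined in one PHP handler function. This is an added example, not the script the post refers to and not any commenter's code; every field name (`send_btn`, `cf_reply_to`, `cf_body`) and the `hp` CSS class are assumptions.

```php
<?php
// Added example; not the script the post refers to. All field names are assumptions.
// Matching form markup (decoys hidden with a CSS class, e.g. .hp {display:none};
// autocomplete/tabindex keep browser autofill and keyboard users out of them):
//   <input class="hp" name="email" autocomplete="off" tabindex="-1">
//   <textarea class="hp" name="message" autocomplete="off" tabindex="-1"></textarea>
//   <input name="cf_reply_to"> <textarea name="cf_body"></textarea>
//   <button type="submit" name="send_btn" value="Send message">Send</button>

/** Returns null if the POST looks like a real form submission, else a reason. */
function classify_submission(array $post): ?string
{
    // Reject array-valued fields (e.g. email[]=x) before any string handling.
    foreach ($post as $value) {
        if (!is_string($value)) {
            return 'malformed-field';
        }
    }
    // Submit-button check: a browser sends the clicked button's name/value pair;
    // a bot posting straight to the handler with guessed fields usually does not.
    if (($post['send_btn'] ?? '') !== 'Send message') {
        return 'missing-submit-button';
    }
    // Honeypot check: humans never see the decoys, so any content means a bot.
    foreach (['email', 'message'] as $decoy) {
        if (trim($post[$decoy] ?? '') !== '') {
            return 'honeypot-filled:' . $decoy;
        }
    }
    // The real fields carry uncommon names and are validated as usual.
    if (filter_var(trim($post['cf_reply_to'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        return 'bad-reply-address';
    }
    return trim($post['cf_body'] ?? '') === '' ? 'empty-body' : null;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human via form'   => ['send_btn' => 'Send message', 'email' => '', 'message' => '',
                           'cf_reply_to' => 'pat@example.com', 'cf_body' => 'Quote, please.'],
    'direct POST bot'  => ['email' => 'x@example.net', 'message' => 'cheap pills'],
    'form-filling bot' => ['send_btn' => 'Send message', 'email' => 'x@example.net',
                           'message' => 'cheap pills', 'cf_reply_to' => 'x@example.net',
                           'cf_body' => 'cheap pills'],
];
foreach ($samples as $label => $post) {
    printf("%-18s %s\n", $label, classify_submission($post) ?? 'accepted');
}
```

In a live handler, pass `$_POST` to the function and log the returned reason so false positives can be reviewed.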

  5. Mike

    Hey Rich,

    Where do we find the script you mentioned that employs the Submit button tactic?

  7. Roger Wilkanson

    I know two ways.

    Some guys I know (James Brausch, Willie Crawford) basically have no contact forms. You can use a helpdesk style system to log tickets for things.

    I personally use ASP.NET; my contact form posts back to itself. There is a list of contact options, but no email address, and I have "event validation" turned on. Event validation is basically a hidden field with encrypted text in it containing some parameters that must match the info sent back to the server.

  9. hssiegel

    I never even thought about spam that could be coming through my contact form. I haven't noticed a problem so far.

    Wouldn't a double opt-in system filter it out anyway?

    And the previous post mentions Brausch and Crawford as having support forms, aren't those forms also?

  11. s reeves

    What is the first option? Where can I find this script?
