36

I want to add a simple Contact form to my web site so that customers can contact me easily.

<form>
    NAME
    <input type='text' name='name' />
    EMAIL
    <input type='text' name='email' />
    MESSAGE
    <textarea name='message'></textarea>
    <input type='submit' />
</form>

This form would simply email me the customer's message.

But I also want to reduce (no, I'm not saying eliminate, but at least reduce) spam.

I've looked into using CAPTCHAs but, ultimately, I don't want to hinder the customer by making them fill out extra information.

Any ideas for a good, simple spam prevention/reduction method I could use for my Contact form?

BillK
  • I think CAPTCHA is a good idea; it's not that much extra information. Personally, I developed a contact form and I received at least 300 e-mails a day from spambots; I regret not integrating some CAPTCHA functionality. – Anthony Forloney Feb 09 '10 at 16:12
  • Also see http://stackoverflow.com/questions/485106/how-do-i-protect-my-forum-against-spam for some more ideas. – Wim Feb 09 '10 at 16:34
  • Excellent ideas/commentary in [this StackOverflow post](http://stackoverflow.com/questions/2387496/how-to-prevent-robots-from-automatically-filling-up-a-form) as well. – Beepye Sep 16 '16 at 12:54

12 Answers

68

A very simple trick I've been using with a surprisingly good success rate is this: provide a text field that is hidden from human users with style="display: none", but with an enticing name like email. Most bots will fill in something in this field, but humans can't see it so they won't. At the server, just make sure the field is empty; otherwise treat the submission as spam.

Wim
  • Great idea. A combination of your idea and Graza's might be just it. – BillK Feb 09 '10 at 16:16
  • This is a great idea! Alternatively, if bots are smart enough to ignore such tags, set `display:none` dynamically in JavaScript, and add a comment asking the user NOT to fill in the field in case JavaScript fails. – Graza Feb 09 '10 at 16:16
  • I love this idea. CAPTCHAs are a pain in the neck. Spam prevention should be about detecting bots, not proving that the user is human. – Dónal Boyle Feb 09 '10 at 16:19
  • Excellent idea! But now that you've given it to us, bots will know :) – Alysko Feb 09 '10 at 16:39
  • I am building a bot, as we speak, to incorporate this design... *evil laugh* – Anthony Forloney Feb 09 '10 at 17:56
  • I wonder if any browsers' autofill feature could ever be dumb enough to fill in a hidden field? Great thought though, I might give it a shot. – counterbeing Dec 06 '13 at 01:06
  • @counterbeing the autocomplete="off" tag should fix that. This is a great idea; I'm going to see how well this works now. – nickbwatson Sep 29 '14 at 20:27
  • OMFG you are a genius – Kyle Jan 01 '19 at 03:44
8

If you want a completely front-end solution, I have had success recently by leaving the form action attribute blank and populating it via a $(document).ready function. Most spambots use a browser that has JavaScript disabled, or are looking for hidden fields to avoid detection.

Example:

Your HTML would be:

<form method="POST" action="" id="contact-form">

and anywhere in that page you can use this to populate it.

<script>
    $(document).ready(function(){
        $("#contact-form").attr("action", "/yourMailScript.cgi");
    });
</script>

A bot browser with no JavaScript will not get a form action, and it will get a 404 upon submission. Anyone with a normal browser (unless they have JS disabled for paranoid reasons) will get the normal behavior.

David Tesch
  • I use a similar technique to replace the action value. By default, it goes to a honeypot-type place. But I use an on-click/on-focus event to change the action value. It's difficult for a bot to simulate that, I think. See my answer below. – Rick Hellewell Jul 13 '18 at 00:17
6

The only (client-side) way other than a CAPTCHA-type user confirmation would be to write the whole thing dynamically. A lot (but not all) of robots would probably ignore the dynamic content. E.g.:

document.write("<"+"form>"
  +" NAME "
  +"<"+"input type='text' name='name' /> "
  +"EMAIL "
  +"<"+"input type='text' name='email' /> "
  +"MESSAGE "
  +"<"+"textarea name='message'><\/textarea> "
  +"<"+"input type='submit' /> "
  +"<\/form> ");

Graza
  • I do a very similar thing where I simply set the email address dynamically on page load. The email is not in a single string, i.e.: `"my"+"email@"+domain+".com"` – Rob Fonseca-Ensor Feb 09 '10 at 16:18
  • @Alysko: Really? I don't think so. Are you saying all bots completely understand and interpret JavaScript? The only problem with this is, not all clients understand JavaScript either... – Tomas Feb 09 '10 at 17:43
  • *Some* bots would process it, but my guess is anyone who's writing a bot for speed would try to limit the amount of script processing, so a lot would skip it. **@Tomas** - agreed about the problem with not all clients understanding it though. This approach completely breaks graceful degradation or progressive enhancement. **@Rob** - I do similar things, but usually on separate lines, and with the `@` in hex, e.g. `m="my";m+="email\x40";m+="dom";m+="ain.c";m+="om";` - a paranoid solution, but I'd hope it tricks all bots. Again, however, it breaks graceful degradation. Wim's solution looks awesome. – Graza Feb 11 '10 at 09:48
4

Use a Google or Yahoo mail account. They have good anti-spam filters.

Milan Babuškov
  • This is a good idea; Gmail supports automatic forwarding of emails, doesn't it? This could work well. Probably the easiest implementation too, AND you risk losing no potential customers due to CAPTCHA frustration. – sam Feb 09 '10 at 16:11
  • +1; or any other inbox spam filtering. No reason to burden the user with a CAPTCHA or the users' browsers with HTML tricks. This is an inbox problem. – Tomas Feb 09 '10 at 17:28
  • But if a site is hit by multiple bots, there is a chance of the site going down. Using Yahoo or Gmail is not the solution to prevent spam. You have to solve it from your website's end. – Subhojit Mukherjee Jun 17 '14 at 06:55
3

Hidden fields, silly questions (what is 3+4?), etc., are not very effective at blocking spam on forms, IMHO.

I researched this several years ago, and came up with a solution I call "FormSpammerTrap". It uses JavaScript code to 'watch' for focus/onclick on required fields. Automated processes, unless highly customized for a specific site (which takes more time than spambot owners want to take), can't 'focus/onclick' a required field. (And there are some other techniques I use.)

I have a free solution at my www.FormSpammerTrap.com site. And there's a form there that spambots can try to spam...and they haven't, for more than 3 years. You are welcome to try it out...it's all open source, so you can see how it works. (And, if you use the form, I don't harvest your email. I reply once, then delete your email.)

My technique is much more effective in blocking spambots, IMHO. They haven't been able to spambot the contact form on that site.

**Added 12 Jul 2018:** The trick is to add an on-click/on-focus event that changes the action parameter to the actual processing page. Otherwise, the default value I use is a honeytrap-type site. I think it's hard for a spammer to simulate those events, although possible perhaps. The technique blocks a lot of bot-spammers.

And still, after a couple of years using the technique on that site, the form hasn't been spammed by bots. (I define a bot spammer as one that sends multiple submits via the attack, not just one submit.)

Works for me.

Rick Hellewell
  • The number under "Form spammers caught today" increases by 1 on every page refresh. I don't think that is a good approach to inspire trust. – Marco Panichi Apr 22 '20 at 10:35
  • Well, perhaps the counter on that page might be more accurate. But I haven't figured out a way to count the ones I actually caught. BUT ... the process works. There has been no automated spam on the FormSpammerTrap.com site in the many years it has been active. And there are many people using the solution - which is free. Your comment is a bit nit-picky... comments about the FormSpammerTrap solution are more appropriate, IMHO. Why don't you try my solution yourself? It can be implemented in under five minutes. – Rick Hellewell Apr 22 '20 at 17:27
1

You can add a simple question that each serious person who wants to contact you can easily answer. For example, a field where he should enter the first letter of the domain. Most bots don't understand the question and will enter nothing or something random.

You could also try to track how long the user takes to input data. If he tries to send the form within 5 seconds of typing the first word, just don't allow it to be sent. Bots usually just parse the site, fill out everything, post it and go to the next website.

devno
1

#sec {
  visibility: hidden;
  padding: 0;
  margin: 0;
  height: 1px;
}
<form method="POST" action="https://www.google.com">
  NAME
  <input type='text' name='name' />
  <br /> EMAIL
  <input type='text' name='email' />
  <br /> MESSAGE
  <textarea name='message'></textarea>
  <br />
  <input type='text' name='security' id='sec' placeholder="Do not enter anything here" />
  <input type='submit' formaction="" />
</form>

**Here, only a user who clicks on the submit button could actually submit the form; using auto-submit simply redirects the bot to google.com.**

*Also, the input 'security' is a field that is hidden from users and visible to certain bots, commonly known as a HoneyPot Captcha. On the server side, you can simply skip all the requests that have the 'security' field filled. Not every bot can be tricked this way, and this is where the formaction attribute comes into play.*

atj4me
0

Grepping for URI methods, URL-encoded characters, or the two HTML markup characters seems to work.

Peter Flynn
0

Use an anti-spam API like Akismet or Cleantalk. You can use the traditional checks for less sophisticated bots before hitting the API. An anti-spam API is the only way to catch spam submitted by a human.

nmit026
0

I think that nowadays, most of the solutions posted are either inefficient or outdated.

  1. reCAPTCHA is not a hassle for users any more

From the Google documentation:

> reCAPTCHA v3 returns a score for each request without user friction. The score is based on interactions with your site and enables you to take an appropriate action for your site.

OP states that he needs an alternative to CAPTCHA, in order to avoid hassle for his users (up to v.2, reCAPTCHA requires user interaction). However, as of v.3, reCAPTCHA can detect bots "silently", without requiring user interaction.

  2. Front-end-only solutions are inefficient

The honeypot (a hidden input that only a bot would fill) and simple-question methods, as well as other front-end implementations, are still vulnerable to spam attacks. First of all, the spammer can bypass all front-end checks and post directly to the server. Therefore, a server-side check is required.

In addition, if someone wants to spam your site specifically, he can easily read your source code and build a script that is "clever" enough not to be caught by the front-end protection.

On the other side, reCAPTCHA v.3 tracks data and works behind the scenes, in Google's back-end, to determine whether the user is actually human. Its logic is hidden; therefore, the attacker cannot easily develop a "smarter" bot. In addition, the attacker cannot just bypass the front-end: a token is created, passed server-side and then to Google's back-end to be validated.

TL;DR

Nowadays, reCAPTCHA seems to be the best solution in all aspects. No user friction and the most secure.

treecon
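The server-side validation step this answer relies on, as an added example that is not treecon's code or Google's (Node.js; the siteverify URL and the response fields `success`, `score`, `action`, `challenge_ts`, `hostname` and `error-codes` are Google's documented API, while the action name, hostnames and score threshold are assumptions). The decision is kept separate from the network call so the policy can be tested offline, and it checks action and hostname so a token minted for another form or site is not accepted.

```javascript
// Added example (not treecon's code or Google's): server-side handling of a reCAPTCHA v3
// token in Node.js. The siteverify endpoint and its response fields are Google's; the
// POLICY values are assumptions for this demo.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

const POLICY = {
  expectedAction: "contact_form",              // action name the page passes to grecaptcha.execute
  allowedHostnames: ["example.com", "www.example.com"],
  minScore: 0.5,                               // 1.0 = very likely human, 0.0 = very likely bot
  maxAgeMs: 2 * 60 * 1000,                     // v3 tokens are only valid for two minutes
};

// Pure decision step, kept apart from the network call so it can be tested offline.
// Fails closed: a missing or malformed response is a rejection, never a pass.
function decideRecaptcha(resp, policy = POLICY, nowMs = Date.now()) {
  if (!resp || resp.success !== true) {
    const codes = (resp && resp["error-codes"]) || [];
    return { accept: false, reason: "verify-failed:" + codes.join(",") };
  }
  // A token minted for another form or another site must not be accepted here.
  if (resp.action !== policy.expectedAction) return { accept: false, reason: "action-mismatch" };
  if (!policy.allowedHostnames.includes(resp.hostname)) return { accept: false, reason: "hostname-mismatch" };
  const issued = Date.parse(resp.challenge_ts);
  if (Number.isNaN(issued) || nowMs - issued > policy.maxAgeMs) return { accept: false, reason: "stale-token" };
  if (typeof resp.score !== "number" || resp.score < policy.minScore) return { accept: false, reason: "low-score" };
  return { accept: true, reason: "ok", score: resp.score };
}

// Network step (Node 18+ global fetch). The secret stays on the server; the browser only
// ever sees the site key and the token.
async function verifyWithGoogle(token, secret, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const r = await fetch(SITEVERIFY_URL, { method: "POST", body });
  return decideRecaptcha(await r.json());
}

// Constructed sample siteverify responses, not real traffic.
const now = Date.parse("2024-01-01T12:00:30Z");
const good = { success: true, score: 0.9, action: "contact_form",
               challenge_ts: "2024-01-01T12:00:00Z", hostname: "example.com" };
console.log(decideRecaptcha(good, POLICY, now).reason);                          // ok
console.log(decideRecaptcha({ ...good, score: 0.1 }, POLICY, now).reason);       // low-score
console.log(decideRecaptcha({ ...good, action: "login" }, POLICY, now).reason);  // action-mismatch
console.log(decideRecaptcha({ success: false, "error-codes": ["timeout-or-duplicate"] }, POLICY, now).reason);
```

A token is accepted by siteverify only once, so the last call above is what a replayed token produces; keep the threshold tunable, because 0.5 is a starting point and the right value depends on the traffic a given site sees.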
-1

Use JS technology. For example, when a user comes to your contact page, JavaScript generates a string (or anything else you prefer) and puts the information in a hidden text field. But it is not the actual solution; a smart bot can easily crack it.

Another way: you can also use email verification after contact form submission, and store the data in your database. If the customer verifies the URL through email, then the contact information will be mailed to you from the database.

And also use a delay to prevent continuous robot attacks, like sleep() in PHP code. This will add a little delay to your code. This way you can reduce random attacks, but this is not a prevention method.

Subhojit Mukherjee
-1

I found a nice idea on this page:

http://www.evengrounds.com/developers/alternatives-to-captcha

You can make your SUBMIT button display a confirmation page, on which you explain to the user that he has to hit the CONFIRM button to actually send a message. Spambots would usually only submit the first form and skip the second step.

Maciej Łoziński