How to Stop Spam Coming Through Your Contact Form
Rich,
I am getting loads of spam through my contact form. Any ideas how to stop them and not exclude any real inquiries?
--Frustrated in Framingham
Dear Frustrated,
Sigh, the curse of the spambots. Welcome to the battlefield.
Unfortunately, as forms "age", they tend to be more susceptible to bots--little pieces of script--that in this case are used by spammers to fill up your inbox.
I used to get over 100/day of these time-wasters. We've recently been using two different forms that--so far--have been nearly perfect in protecting us from these emails.
One is a script you may be able to add to the very form you're using now. It adds a piece of code that checks if the submit button has been pushed.
See, these spambots don't actually use the form on your Web site; they go straight to the script that makes the form run, bypassing the submit button. By checking whether this button was clicked, you can block about 99% of these emails. Users don't notice any difference and aren't required to type in a CAPTCHA, those sometimes indecipherable alphanumeric combinations on irritating backgrounds. The script does require PHP on your server, and you may need to change the suffix of your Web page to .php to make it work.
Another option that we've used is called Wufoo. You can see us using their form on our jobs page. This is a hosted solution that costs $9/mo...a worthwhile investment if you're spending too much time deleting spam from your inbox. Wufoo has some nice additional options as well, including some small e-commerce solutions. However, we've found that the secure version of Wufoo doesn't play well in IE6 (what does?), so it might not be ideal for that purpose. Also, the autoresponder that's sent to the person who completes your form has a Wufoo.com address...some people might find that a deal breaker, but it's required to help email delivery.
Readers...what do you use to stem incoming spam from your Web site contact forms?
Good post. One note -- if you have a contact form written in ASP.NET then you're already protected from almost all of these bots.
Posted by: Josh Hurley | February 15, 2008 at 10:03 AM
I don't try to block spam. I'm afraid I might lose leads in the process. It's definitely a nuisance, but I try to just look at it as part of doing business online.
Posted by: Shane Kane -TitleSuccess.com | February 15, 2008 at 11:52 AM
A lot of times the spam bots attack pretty systematically. If you use form elements like "email" or "message", it understands what payloads to put into the response. Don't make it easy for them by using common names. Smarter bots also look at element types and use that to define the payload. It inserts spam into all text areas, and email addresses into all input forms. One trick I use is to add extra text areas and email fields with common names, but I use CSS to make them invisible to the user. User gets the same experience and the bot just isn't smart enough to find the right style sheet to see the element wasn't even there. For every counter attack, there is a counter counter attack but most of these bot guys are lazy and you only have to go a few levels deep to get rid of 99.9% of web spam.
Posted by: Aubrey Alexander | February 15, 2008 at 12:33 PM
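An added example (not the script Rich's post refers to, and not code from any commenter) that combines the submit-button check described in the article with the CSS-hidden decoy field from Aubrey Alexander's comment. The field names `send`, `website`, `email` and `message` are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example; field names are assumptions. The form is assumed to contain:
//   <input type="text" name="website" class="hp" tabindex="-1" autocomplete="off">
//       (decoy field, hidden from people with CSS: .hp { display: none; })
//   <input type="submit" name="send" value="Send">

/** Classify one contact-form POST. Returns 'accept' or a rejection reason. */
function classify_submission(array $post): string
{
    // 1. Submit-button check: a browser that used the form sends the button's
    //    name/value pair; a bot posting straight to the script often omits it.
    if (!isset($post['send']) || $post['send'] !== 'Send') {
        return 'reject: submit button missing';
    }
    // 2. Decoy field: people never see it, so any content was typed by a bot.
    $decoy = $post['website'] ?? '';
    if (!is_string($decoy) || trim($decoy) !== '') {
        return 'reject: decoy field filled';
    }
    // 3. Ordinary validation still applies to submissions that pass 1 and 2.
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'reject: invalid email';
    }
    $message = $post['message'] ?? '';
    if (!is_string($message) || trim($message) === '') {
        return 'reject: empty message';
    }
    return 'accept';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'       => ['send' => 'Send', 'website' => '',
                      'email' => 'pat@example.com', 'message' => 'Quote please'],
    'direct post' => ['email' => 'x@example.com', 'message' => 'cheap pills'],
    'fills all'   => ['send' => 'Send', 'website' => 'http://spam.example',
                      'email' => 'x@example.com', 'message' => 'cheap pills'],
];
foreach ($samples as $label => $post) {
    printf("%-12s %s\n", $label, classify_submission($post));
}
```

In a live handler the function would be called with `$_POST`. Logging the rejection reason instead of silently discarding the message lets you confirm that no real inquiries are being dropped.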
Hey Rich,
Where do we find the script you mentioned that employs the Submit button tactic?
Posted by: Mike | February 15, 2008 at 08:32 PM
I know two ways.
Some guys I know (James Brausch, Willie Crawford) basically have no contact forms. You can use a helpdesk style system to log tickets for things.
I personally use ASP.NET; my contact form posts back to itself. There is a list of contact options, but no email address, and I have "event validation" turned on. Event validation is basically a hidden field with encrypted text in it containing some parameters that must match the info sent back to the server.
Posted by: Roger Wilkanson | February 16, 2008 at 04:36 AM
I never even thought about spam that could be coming through my contact form. I haven't noticed a problem so far.
Wouldn't a double opt in system filter it out anyway?
And the previous post mentions Brausch and Crawford as having support forms, aren't those forms also?
Posted by: hssiegel | February 16, 2008 at 11:11 PM
Many thanks! It worked perfectly on my blog
Posted by: web form | January 02, 2009 at 12:48 PM