Webmaster General Forum

Spam via Contact Form
Constant SPAM via contact form

 3:44 pm on Jul 18, 2013 (gmt 0)

Hi there,

Recently I have noticed I am receiving quite a lot of SPAM through a "Contact Us" form on our website.

Each box has to have content in it, otherwise you cannot submit the form, which leads me to believe that it may be human input as opposed to a bot.

I basically need to stop the form being submitted. I have no problem deciphering which forms are spam and which are legit, that is not the issue. It's how many are being submitted.

I hope somebody can help me out as this is extremely frustrating.

[edited by: phranque at 10:00 pm (utc) on Jul 18, 2013]
[edit reason] no personal urls please [/edit]



 10:10 pm on Jul 18, 2013 (gmt 0)

welcome to WebmasterWorld, KTFandC!

have you considered implementing some form of CAPTCHA?
depending on your situation it could be as simple as having a form field that asks "what is 3 plus 2?" or "what color is the sky?"
the techniques can get increasingly sophisticated from there as required.
however there are many that hate CAPTCHA and it can have accessibility issues.

CAPTCHA Rant - New To Web Development forum:
http://www.webmasterworld.com/new_web_development/3463891.htm [webmasterworld.com]

you might also consider alternatives to CAPTCHA.
this might give you some ideas.
Spam filtering: now with 100% less CAPTCHA - Webmaster General forum:
http://www.webmasterworld.com/webmaster/4199035.htm [webmasterworld.com]


 3:15 am on Jul 19, 2013 (gmt 0)

If it's the same IP (but I doubt it), you could also ban their IP.


 7:02 am on Jul 19, 2013 (gmt 0)

I use a simple question for a Captcha and it is very effective without creating many accessibility issues.


 8:18 am on Jul 19, 2013 (gmt 0)

Thank you for your help guys.

I tried adding another field to the form with the question "What is 5 + 2?" but when I tested it on a single page the form was submitted regardless of the answer filled in.

Is this because I also need to edit the .CSS as well as individual page HTML ?


 8:38 am on Jul 19, 2013 (gmt 0)

You need to add validation to the form field.


 9:13 am on Jul 19, 2013 (gmt 0)

I think I am having a complete mind-block or am just making a blinding error. I usually work with Joomla or WordPress so I am a bit rusty on the Static HTML site I am tweaking.

Basically the Contact Form is as follows:

<div class="quick-contact">
<div class="quick-section">
<div class="quick-section-head-txt"><img src="images/quick-contact.jpg" alt="Quick Contact" title="Quick Contact" /></div>
<div class="small-error">all fields required</div>
<div class="contact-form">
<form action="thankyou.aspx" method="post" name="form1" id="form1">
<div class="contact-form-box"> <span>Name:</span>
<input id="name" class="input" type="text" name="name" /></div>
<div class="contact-form-box"> <span>Email:</span>
<input id="email" class="input" type="text" name="email" /></div>
<div class="contact-form-box"> <span>Phone:</span>
<input id="phone" class="input" type="text" name="phone" /></div>
<div class="contact-form-box">
<textarea id="feedback" class="message" cols="" rows="" name="feedback"></textarea>
<input type="button" class="button" onclick="javascript:return callThanks();" value=""/></div>
</form>
</div>
</div>
</div>

I added the following underneath "Phone"

<div class="contact-form-box"> <span>5 + 2 = ?:</span>
<input id="question" class="input" type="text" name="question" /></div>

This shows up correctly on the form, however the box can remain blank and you can still submit. All other boxes require content otherwise a pop-up tells you to fill the form in.

How do I set it so that the form will only submit IF the content in the question box is a specific number?

Thank you for your help, appreciated.
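One way to make the "5 + 2 = ?" box actually gate the submit button, as an added example that is not code from this thread or from the poster's site. It assumes the field ids shown in the post (name, email, phone, feedback, question) and that the button's onclick keeps calling callThanks(); the check logic is kept in a plain function so it can be tested outside a browser.

```javascript
// Added example: client-side validation for the contact form with a question field.
// Assumes the field ids from the post. Client-side checks are bypassable by a bot
// that ignores JavaScript, so the same check must be repeated on the server.
const EXPECTED_ANSWER = 7; // answer to "5 + 2 = ?"

function validateContactFields(fields) {
  // Every box must have something in it, as the existing pop-up already enforces.
  for (const key of ["name", "email", "phone", "feedback", "question"]) {
    if (!fields[key] || fields[key].trim() === "") {
      return { ok: false, message: "Please fill in all fields." };
    }
  }
  // The question box only passes with the right number ("7", " 7 ", "07"; not "seven" or "8").
  const given = fields.question.trim();
  if (!/^\d+$/.test(given) || Number(given) !== EXPECTED_ANSWER) {
    return { ok: false, message: "Please answer the question correctly." };
  }
  return { ok: true, message: "" };
}

// Browser glue for onclick="return callThanks();". Guarded so the file also
// loads outside a browser (e.g. under Node) without touching `document`.
function callThanks() {
  if (typeof document === "undefined") return false;
  const read = (id) => (document.getElementById(id) || {}).value || "";
  const result = validateContactFields({
    name: read("name"), email: read("email"), phone: read("phone"),
    feedback: read("feedback"), question: read("question"),
  });
  if (!result.ok) { alert(result.message); return false; }
  document.getElementById("form1").submit();
  return true;
}
```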


 12:02 pm on Jul 19, 2013 (gmt 0)

As the bots typically fill all fields I did once consider having a field with the label "do not enter anything in this field" but considering typical user behaviour I thought that wasn't a good idea.

I have two forms on one of my sites. One dates back to my early days with "free" hosting that didn't support PHP and uses a third party service, the other uses a PHP script on my server. The third party service doesn't let through any spam but my own script gets one or two a week. The spammers' scripts generally drop the same text into multiple fields so I have filters to catch the most regular combinations. It's not enough to warrant inconveniencing customers with a captcha.


 12:11 pm on Jul 19, 2013 (gmt 0)

onclick="javascript:return callThanks();"

This shows up correctly on the form, however the box can remain blank and you can still submit. All other boxes require content otherwise a pop-up tells you to fill the form in.

static html is about as smart as a box of rocks.
it is likely that this form field verification and pop-up is triggered by the onclick javascript event and the code is in the callThanks method.


 12:52 pm on Jul 19, 2013 (gmt 0)

bots will likely just ignore the javascript anyway, so if that's all the validation you do then it's not going to keep much out. much better to validate server-side with php

if you really are stuck with javascript, then you could try writing the buttons onto the page using javascript. then if a bot ignores javascript it won't be able to submit.


 1:32 pm on Aug 10, 2013 (gmt 0)

Add a hidden input box and automatically ban anyone adding text into it. Humans will never see it but bots will occasionally step into it. Give it a nice juicy name too, such as 'web url', or give it the name of one of your real input boxes and give the real one a false name and adjust the script to only accept the false named box content. That way you get the bots which target specific contact form types too.


 11:29 pm on Aug 10, 2013 (gmt 0)

With my forms I have two protection methods:

The first is an ".htaccess" file that ensures that nobody can access the form unless they access it directly from a page in the same domain (i.e., the browser has to present a specific referer). Sure it may keep the odd real user out whose browser is set to not send a referer, but I have decided that I can live with that.

The second is a URL trap and a note in large letters to the effect that users should not post any URLs, since messages containing URLs will not be delivered.

Result: No spam coming in. :)
And the log files tell me that no real users are being turned away...


 1:35 pm on Aug 17, 2013 (gmt 0)

@OP - is the original stuff link spam or is it attempted SQL injection? The poison null looks deceptively innocent.

I've been running one of the firewall extensions for Joomla. That seems to stop a lot of the SQL injection attempts on the forms. They now have a 'basic' setting that reduces false positives but still stops a lot of the garbage.


 2:47 pm on Aug 23, 2013 (gmt 0)

I use a combination of methods that are doing a great job:

  • My form doesn't include email addresses, just the fields, the script will send the data to the corresponding email
  • Javascript validation of the email address and other fields. Otherwise the submit button won't work. Javascript validations are not bullet proof so there are more things to do from here.
  • The script receiving the form data validates a referrer. It won't accept any submissions if the user is not coming from another valid website page.
  • The script also validates the form data because you just can't trust javascript validation.
  • The submitted data is checked against a set of hot words like you know what, including url, link, etc.
  • Perhaps the most important part of my approach is: the script will always show you the "thank you" page even if you submitted spam. There are no errors reported, it will just let users or bots think the data was sent while it simply was ignored. So, any valid submission will turn into a valid email but that's just between me and the webserver.

I'm also using a cookie tracking to find out what pages the user has been visiting before sending the data. Perhaps in the future I will look into more validation using this but so far what I described keeps my inbox very, very clean.

There is something else when you run dynamic pages or server side includes: you could get a time stamp directly from your server and verify this against another time stamp when the data is sent. Any normal form data will take about X seconds before being sent, otherwise it's just copy-paste or a bot. But that's going too far, perhaps.
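The server-side checks described in this post and the earlier ones (referer check, honeypot box, URL trap / hot words, same text in several fields, render-to-submit timing, and always showing the thank-you page), combined in one gate. This is an added example, not the poster's script or anything from this thread; the host name, field names and the rendered_at hidden field are assumptions, and req is a constructed request object rather than any particular framework's.

```javascript
// Added example: server-side spam gate for a contact form. Framework-agnostic:
// `req` is { headers, body, receivedAt } (receivedAt in seconds). Names are assumed.
const SITE_HOST = "www.example.com";          // assumed: the site's own host
const HOT_WORDS = ["http://", "https://", "www.", "[url", "<a "];
const MIN_SECONDS_TO_FILL = 5;                // the post's "X seconds"
const HONEYPOT = "website";                   // hidden box a real user never sees

function classifySubmission(req) {
  const reasons = [];
  const b = req.body;

  // 1. Referer must be a page on this site; blank or foreign referers are rejected.
  let refHost = "";
  try { refHost = new URL(req.headers.referer || "").host; } catch (e) { /* blank/malformed */ }
  if (refHost !== SITE_HOST) reasons.push("referer");

  // 2. Honeypot: the hidden box must stay empty.
  if ((b[HONEYPOT] || "").trim() !== "") reasons.push("honeypot");

  // 3. URL trap / hot words anywhere in the submission (case-insensitive).
  const text = Object.values(b).join("\n").toLowerCase();
  if (HOT_WORDS.some((w) => text.includes(w))) reasons.push("hotword");

  // 4. Same text dropped into several fields, as spam scripts often do.
  const vals = ["name", "email", "phone", "feedback"].map((k) => (b[k] || "").trim()).filter(Boolean);
  if (new Set(vals).size < vals.length) reasons.push("duplicate-fields");

  // 5. Timing: rendered_at is a server timestamp embedded when the page was served.
  //    (In production, sign that value so a bot cannot simply forge it.)
  const renderedAt = Number(b.rendered_at);
  if (!Number.isFinite(renderedAt) || req.receivedAt - renderedAt < MIN_SECONDS_TO_FILL) {
    reasons.push("too-fast");
  }
  return { deliver: reasons.length === 0, reasons };
}

// Always answer with the same thank-you page; only deliver the mail when clean,
// so neither a bot nor a spammer learns which check caught them.
function handleSubmission(req, sendMail) {
  const verdict = classifySubmission(req);
  if (verdict.deliver) sendMail(req.body);
  return { status: 200, page: "thankyou", verdict };
}
```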


 1:44 pm on Aug 25, 2013 (gmt 0)

Add a hidden input box and automatically ban anyone adding text into it.

Tried that, the bots were clever enough to see that it was hidden and ignored it.


 2:53 pm on Aug 25, 2013 (gmt 0)

Add a hidden input box and automatically ban anyone adding text into it.
Tried that, the bots were clever enough to see that it was hidden and ignored it.

How did you do that? <input type="hidden"> or enclose the box in a <div style="display: none;">? The latter works better.



 11:21 am on Aug 27, 2013 (gmt 0)

Still receiving high volumes of spam. The thing that is frustrating is these "entities" are not even entering the site. For instance a form was submitted on August 26th at 00:17, 03:37 & 07:05. When I checked website stats/analysis there were 0 visitors to the site between 00:00 and 11:00 so I can't even see where they are coming from.


 11:27 am on Aug 27, 2013 (gmt 0)

you can try checking the referrer. if it isn't a page from your site, or it's blank, then block access. that way only visitors to your site will be able to use it. no one will be able to visit the URL directly

i posted my script for a contact form a few years ago, with a load of spam stopping things in it, and I'm still using it okay. no spam

you can check it out on this thread. maybe you can fiddle with it and use it as a basis for your own form -- [webmasterworld.com ]

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved