Wow, so many brilliant ideas here. Luckily, I don't get much spam for some reason.

Check if the referrer is your domain. If not, then it's a bot randomly filling out your form from a database. Also, captcha still seems to work for me. Another option would be a basic image recognition ("is this a cat or a dog?") or solving a simple mathematics equation ("3 plus four =...?"). It's not userfriendly heaven, but I guess we are more and more being forced into this corner.

I'm one of those humans who sends a blank referrer, so this isn't the most ideal solution. But it's also one I notice implemented more and more frequently. Not everyone will know how to deal with this, if it's their security package altering the referrer.

this is a fine point, but the referrer is relatively easy to spoof anyway. I do have a referrer validation in my forms, but mostly as a vestige of olden days.

Sorry to be so 'green', but why do spam bots fill in forms and email junk to everyone?

Is it just mallicious or are there other reasons?

Spam bots email junk to everyone because it's cheaper to email everyone than to try to select people who would be interested in their product. Filling out web forms is often so cheap that a tiny response rate (yes, there are idiots who respond to web form spam) makes it profitable for the spammer. Also, sometimes web form submissions get posted on a website (ye olde guestbookes) giving the spammer search engine benefits as well as possible later responses.

So, make your web forms a little more expensive (multi-step forms, time delays and so on) but not so expensive that they annoy legitimate users (CAPTCHAs, JavaScripts).

Is it just mallicious or are there other reasons?

As slef states above. But I also get quite a bit of pure 'junk'. No attempt to advertise or even attract web traffic - so I can only conclude from that that they also do it just because they can?!

hermosa, looking at your code, most bots wont be running your Javascript thus completely bypassing it.

If you having lots of spam trouble I personally would remove most the form from the HTML and create and process your form using only Javascript like Lord Majestic suggests.

You can submit the form using things like Text.submit()

People use things like NoScript.net for security, speed or energy efficiency. Making your whole form require Javascript is stupid and should not be done. However, if you do do it, at least display some "this form doesn't work without javascript" message so all users know you're only open to slow, insecure, energy-wasting browsers ;-)

A technician at my web hosting service spent a lot of time with me and helped me set this up. It seems to working. By posting the following code to your .htacess file you can ban certain domains and IP addresses from going anywhere near your site and sending you spam through your forms.

Here is the code:

# Denies the following IP Address(es)
deny from ###.###.###.#
deny from specificdomain.com

I just used the # sign in place of actual numbers.

I identified a whole bunch of IP addresses from my Log Manager. It was easy to do as I had left my original page with the form on my site and had it only link to itself. No other page on the site linked to it. Anything that shows up posting to that page is spam. To double check though, I matched the time the spam e-mail was sent with the log entry and got the IP address. I got the rest of the IP addresses from:

[stopforumspam.com...]

All the usual offenders are listed there. Let's keep our fingers crossed and hope that this works. Anyone else have success with this? Do you think it will work long term? I am finally get my designer to re-design my site templates and one of the things he will be doing is implementing some of the other suggestions here since I know nothing about .php.

No, banning domains and IPs isn't a long-term solution: spammers move and use botnets and things like that. That said, banning some of the worst offenders is a good idea. Warning then temporarily banning anyone who actually tries to spam your site is a good move, but trickier. Both reduce the amount of anti-spam work you do.

By using a massive list of known bad IP's / domains you might be reasonably successful, although this may depend on how much traffic you get through your site.

However, I would have thought that blocking certain IP's was just the first step, because of the shear number of IP's spammers use. To manually block IP's when they are found to be spamming could be a very time consuming and possibly fruitless excercise.

You could automate the blocking of IP's... When your robot checks fail on your form (may be twice to be safe?) then automatically add the IP to your .htaccess?

(EDIT: I didn't see slef's reply)

I got the rest of the IP addresses from: .....

Just as a for instance... I've just had an example of form spam come through one of my sites. It got through my robot checks (CSS hidden field check and check to make sure the form was completed in more than a few secs). It got stopped by my offensive language filter. But the IP address was a new one - and it did not appear on the list posted above.

If you're using Javascript to out-smart the spambots, this is a way to prevent human visitors who have Javascript disabled to post:

<body onload="document.frm.go.disabled=false;">

<form name="frm" action="" method="POST">
<input type="submit" name="go" value="Enter" disabled>
</form>

</body>

I like Pender's suggestion about automating the addition of a file to .htaccess I will have my designer look in to it. I work with templates he designs and I maintain and update the whole site.

Another similar approach uses external css to HIDE an unneeded form input. Anytime that box is filled in, it's a spambot so you just throw the submission out

Not so hot for someone using JAWS (or similar) I would imagine. Presumably they would see their form unceremoniously rejected, too.

Not so hot for someone using JAWS (or similar) I would imagine. Presumably they would see their form unceremoniously rejected, too.

I have heard that JAWS understands CSS these days - is that true? But even so, the 'hidden' field should have an appropriate label, "(Do not complete this field)" for the benefit of any real user that should happen to see the field (if CSS is disabled or whatever).

@penders: absolutely right... use css to hide the field (and label), but make the label something obvious like "If you're a human being, do not enter anything in this field."

the bots still haven't caught on to this one...

"tedster: Another similar approach uses external css to HIDE an unneeded form input. Anytime that box is filled in, it's a spambot so you just throw the submission out."

penders: Yes, I have used this approach too - very effective. However, I have recently encountered a problem which meant that a legitimate message got flagged as spam! ... I think some kind of auto-complete feature of the users browser (Google Toolbar or other plugin perhaps?) was auto filling the field and it was being sent with everything else - without the user knowing!?

I don't normally quote myself, but this has happened to me again! The hidden (by CSS) form field has been submitted with the users email address this time! The email address has also been entered correctly in the appropriate email address field - so this is duplicate info! I very much doubt that even if the user was able to 'see' the field, they would enter their email address twice, particularly when one of them states, "Do not enter anything here!"?!

This is a relatively low traffic site, so the percentage of legitimate form submissions that are failing because of this hidden CSS field are surprisingly high! A tad worrying.

The users UA includes "FunWebProducts". Ring any bells?

Does anyone know of any browser plugins / extensions / toolbars which could auto-complete form fields in this way? Normal auto-complete only offers suggestions when you start typing in that field.

With regard to the Jaws queries - why not download the free trial version and have a listen to what your website sounds like - its good practise anyway to improve usability of any website.

Penders, could the hidden field be prepopulated with a value that if changed indicate a bot?

Penders, could the hidden field be prepopulated with a value that if changed indicate a bot?

Yeah, I was wondering that... but do robots change values in already populated fields (or only when the field is empty)? If I was a robot I don't think I would both... I would assume the value already there was valid. (?)