Forum Moderators: phranque
To get away from captcha solutions, it's all about how the email itself is handled. Most hosting companies offer some sort of spam filtering on their email accounts. Have the form submit the email to an account you've set up with the spam filtering on.
Then forward all the email in that account to GMail, which has some pretty awesome spam filtering.
Then, pop the GMail account to your desktop email client. If you use TBird, even better, because it has a very good Bayesian filter of its own.
It may sound complicated, but it isn't. It's a 10 minute setup. And it's 99.9% effective.
YEAR - Spam Attempts
2009 - 719 (to date)
2008 - 52037
2007 - 15912
2006 - 5515 (partial year)
As you can see there was a massive escalation in '08 and it peaked at 7K spams/month then tapered off at the end of the year to 4K spams/month.
That's over 74K pieces of junk auto-rejected due to spammers doing the stupid things spammers do and not being able to process javascript.
Other forms on my site are also rejecting garbage but it's not quite the volume of this one form which seems to be very attractive to the spammers.
On one of my sites, I run a vBulletin board. As someone here mentioned, the little captcha to register is easily broken. I was having at least 100 bogus registrations every day...and after a while it was just like "enough!" So, I disabled the automatic registration, and had the registration link forwarded to a standard HTML page. There, a person can simply copy the "required information" into their email, fill out the information I ask for (username, location, etc...) and email it to me (using the method outlined below to send an email). I'll then manually register them...which is a LOT simpler than sorting through unending piles of spam registrations.
Two interesting things happened since I did this. First, I'm getting more registrations...mainly because I'm no longer deleting valid registrations along with the spam ones. And secondly, the robots hitting the forum just "vanished." I went from averaging anywhere from 3000-5000 "visitors" on the forum at any one time to having 15-20 (I have a very small forum.) This dramatic drop in the spam bots greatly enhanced the performance of my VPS, prevented my VB session table from filling up, among many other happy things.
I don't use a "contact us" form on any of my sites. Instead, people can send me email via a standard "looking" mailto link or by typing in the graphical email address shown on the page. Now, the key thing here is to make the address in the mailto link encoded in javascript...deeply encoded. While javascript might be able to be broken, I've yet to have any address encoded in it broken...yet (I've been doing this for five years, too!). As for the graphical email address, I make it simple to read...unlike those squiggly lines that can be impossible to read. Thus, it could be broken, although I take a few sneaky steps to throw things off a bit for the bots if they try (and so far, they haven't succeeded, perhaps because they don't know where to look).
But here's what works about this system. I NEVER use the primary email address for the site in either the mailto or graphic email address. Instead, I use disposable email addresses (example might be contact123@domain.com) and have that email forwarded to my primary address. Typically, what happens is that I keep the email address live for about a year. I then take it down and put up a new one and replace the graphical image with a new one, too.
While this system sounds simple, it works amazingly well.
Not sure if this will work for your problem, but it certainly solved mine.
Also, one last thing. In your email setup (at least if you use cPanel), make sure all "unaddressed email" to your domain automatically disappears. I forgot to do this for one of my domains in cPanel. When I finally remembered to do it (two years later!), I had more than 10,000 messages clogging up the online email in cPanel (addressed to "webmaster@domain.com", "admin@domain.com", etc...). By not using those common addresses for your email addresses and having all email disappear for addresses that haven't been specifically created for your account, you can dramatically cut down on the spam you receive.
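The JavaScript-encoded mailto link described in this post, as an added example (not the poster's own code): the address is stored as shifted, reversed character codes and only reassembled at page load, so a harvester that does not execute JavaScript never sees an "@" in the markup. The shift value and the `data-enc`/`data-shift` attribute names are assumptions; a bot that does run a JS engine can still recover the address, which is why the post pairs this with disposable, rotated addresses.

```javascript
// Added example, not code from the forum post. Encodes a mailto address so
// that it never appears literally in the HTML, and decodes it at runtime.

// Encode: reverse the string, then store each char code plus a shift,
// joined with '-'. The result is digits and dashes only.
function encodeAddress(addr, shift) {
  const out = [];
  for (let i = addr.length - 1; i >= 0; i--) {
    out.push(addr.charCodeAt(i) + shift);
  }
  return out.join('-');
}

// Decode: undo the shift and the reversal.
function decodeAddress(encoded, shift) {
  return encoded.split('-')
    .map(n => String.fromCharCode(parseInt(n, 10) - shift))
    .reverse()
    .join('');
}

// Build the href a page script assigns to the link at load time; the HTML
// itself only carries the encoded digits in a data attribute.
function buildMailtoHref(encoded, shift) {
  return 'mailto:' + decodeAddress(encoded, shift);
}

// Browser side: <a data-enc="..." data-shift="7">Contact</a> (assumed markup).
function activateLink(anchor) {
  anchor.href = buildMailtoHref(anchor.dataset.enc, Number(anchor.dataset.shift));
}

// Only runs in a browser; harmless when loaded elsewhere.
if (typeof document !== 'undefined') {
  document.querySelectorAll('a[data-enc]').forEach(activateLink);
}
```

The disposable address is what limits the damage when a JS-capable bot does decode the link; the encoding only filters out the regex-based harvesters.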
Making my contact form page secure got rid of all the form spam. I think I'll try that again soon.
I also employ a "maximum attempts" approach where if someone gets the question wrong 5 times they have to wait 15 minutes to try again.
None of this stops semi-assisted bots where someone is watching their bot work, but it gets most every other bot.
The best custom fields ask you to fill in a missing letter or two in a well known word, like "which character is missing from WEBMA TER" for example.
[edited by: JS_Harris at 1:15 am (utc) on Jan. 9, 2009]
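The "missing letter" question and the five-wrong-answers / fifteen-minute lockout from the post above, as an added example that is not the poster's code. The word list, the session key and the injectable clock and random source are assumptions so the logic can be exercised without a web server.

```javascript
// Added example, not code from the forum post. Generates a challenge like
// "which character is missing from WEBMA TER" and enforces a lockout after
// MAX_ATTEMPTS wrong answers, as the post describes.
const WORDS = ['WEBMASTER', 'INTERNET', 'KEYBOARD', 'BROWSER']; // assumed list
const MAX_ATTEMPTS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

// Pick a word and blank one interior letter. rnd is a 0..1 random source,
// injectable so a test can be deterministic.
function makeChallenge(rnd = Math.random) {
  const word = WORDS[Math.floor(rnd() * WORDS.length)];
  const pos = 1 + Math.floor(rnd() * (word.length - 2)); // never first/last
  return {
    prompt: `Which character is missing from ${word.slice(0, pos)} ${word.slice(pos + 1)}?`,
    answer: word[pos], // keep server-side (session), never in the form markup
  };
}

// Per-client failure state keyed by session id; a Map stands in for
// whatever server-side store the site uses.
const state = new Map();

function checkAnswer(key, challenge, given, now = Date.now()) {
  const s = state.get(key) || { fails: 0, lockedUntil: 0 };
  if (now < s.lockedUntil) {
    return { ok: false, reason: 'locked', retryAfterMs: s.lockedUntil - now };
  }
  if (s.lockedUntil && now >= s.lockedUntil) { // lockout expired: fresh start
    s.fails = 0;
    s.lockedUntil = 0;
  }
  if ((given || '').trim().toUpperCase() === challenge.answer) {
    state.delete(key);
    return { ok: true };
  }
  s.fails += 1;
  if (s.fails >= MAX_ATTEMPTS) s.lockedUntil = now + LOCKOUT_MS;
  state.set(key, s);
  return { ok: false, reason: 'wrong', attemptsLeft: Math.max(0, MAX_ATTEMPTS - s.fails) };
}
```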
--Many mobile devices use a mobile service-
I respectfully read every comment you make on the matter, every time it is mentioned, but what about the providers that allow VOIP, colocation and D.UP from the same allocated IP range? Or I am on Sprint WiFi range (using my Palm as a connection), broadcasting a CUNY IP (proxy HTTP 1.1) with proper headers and a mobile UA, "posting" to a list of known guestbooks, eating cookies and ignoring the fact that the cow is DEAD?
The reason I mention this is that 2 weeks ago, I witnessed a proxy GET from an IP, followed by 17 IPs serving the same cookie in the headers (a.k.a. authenticated). That was CUTE. ;-)
Long Live the dead COW!
Blend27
Seems to be working very well so far. And I'm on Windows. Heh!
Do you have the scripted solutions in #3822249 above posted out here somewhere?
Unsure what languages you use, etc., but some of the things can be more inspiring in code.
Still my biggest battle is with sweatshops, and those are humans using regular browsers on dynamic IPs, so I unfortunately end up with blocking way too much just not to have a flood of pure filth.
Contact forms etc: I have a lot of success with dropping things that try to post images or links, but I surely have some false positives in there too, so optimizing that would be interesting to try.
I think our failure to address even simple every day issues, like spam, tends to eat away at our confidence or belief - or commitment to the idea(s) that we, as a species, can do better in other realms, such as global warming, pandemic flu, genocide, famine, and on and on.
Save the cheerleader. Save the world.
Kill form or email spam and we might just begin to believe we can tackle larger issues.
Anyone care to volunteer to be a hero?
I've had pretty near 100% spam stoppage using a combination of a hidden field and specifying the required referring page.
I've always found a combination of things works best, however a well done CAPTCHA is still nearly foolproof all by itself.
See post #7 on page one of this thread, apparently it's pretty easily hacked - or is it that vBulletin's captcha is just off-the-shelf weak? (see below . . . )
@ jimh009:
On one of my sites, I run a vBulletin board. ... the little captcha to register is easily broken.
However, the "custom user registration field" seems to have the same effect, a few of them hit it for a week or so after the first inception of it, then gave up, which brings me to the point (see below . . .)
@ grelmar: wow that's a lot of passing around to get to one email. :-)
I still say, get at the root, to heck with road blocks and hoops. Filter your data, call it a day, it really is the easiest path that presents no additional tasks for our already short-tempered/attention spanned visitors.
Ban IP addresses of spammers.
This is . . . an approach . . . one I've used in the past to a deep extent. But it's a really bad idea.
Why?
Most of the spammers are using compromised computers on otherwise legitimate IPs. So Joe Schmoe gets a trojan on RoadRunner bandwidth (or Sprint, Verizon, whatever) and it gets used by a spammer from time to time. We know the story, they should clean up the computer - but their sale is as good as anyone else's . . .
Food for thought.
Otherwise, banning single IP addresses is not that good an idea,
and it is better than banning a WHOLE country: just some of the users using the same ISP will be banned too, which is not a big deal. People gotta hate spammers and blame them :)
[edited by: phranque at 9:37 am (utc) on Jan. 11, 2009]
[edit reason] ip specifics [/edit]
We manage 100+ business websites for a broad range of clients. We use a combination of 3 of the above and have reduced form spam by 99% for the last 3 years. Plus we:
- Do not reveal that a form entry has been banned,
- Send all banned submissions to a dedicated mailbox, and review every few months. I think we've seen 2 or 3 false positives in as many years.
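The hidden-field plus required-referring-page check from the earlier post, combined with this post's two rules (never reveal that an entry was banned; send banned entries to a dedicated mailbox for periodic review), as an added example that is not any poster's code. The form URL, the honeypot field name and the in-memory queues standing in for the real inbox and review mailbox are assumptions.

```javascript
// Added example, not code from the forum thread. Server-side screening of a
// contact-form POST: honeypot field, referrer check, silent routing.
const FORM_PAGE = 'https://example.com/contact'; // assumed page holding the form
const HONEYPOT = 'website2'; // hidden via CSS; humans leave it empty, bots fill it

// Classify one submission. fields = parsed POST body, headers = request
// headers with lower-cased names. Returns the rules it tripped, or [].
function screenSubmission(fields, headers) {
  const reasons = [];
  if ((fields[HONEYPOT] || '').trim() !== '') reasons.push('honeypot filled');
  // An absent Referer also fails here; that is the false-positive source the
  // review mailbox exists to catch.
  const ref = headers['referer'] || '';
  if (!ref.startsWith(FORM_PAGE)) reasons.push('bad referer');
  return reasons;
}

// Route the submission. Both outcomes return the identical response, so the
// sender cannot tell which rule caught them; banned entries go to a review
// queue (the post's dedicated mailbox) instead of being dropped.
function handleSubmission(fields, headers, queues) {
  const reasons = screenSubmission(fields, headers);
  const entry = { fields, reasons, at: new Date().toISOString() };
  if (reasons.length === 0) {
    queues.inbox.push(entry);
  } else {
    queues.review.push(entry);
  }
  return { status: 200, body: 'Thanks, your message has been sent.' };
}
```

Reviewing `queues.review` every few months, as the post does, is what keeps the referrer rule from silently losing legitimate messages from browsers that strip the header.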
Ban IP addresses of spammers.
...Most of the spammers are using compromised computers on otherwise legitimate IP's. So Joe Schmoe gets a trojan...and it gets used by a spammer from time to time. We know the story, they should clean up the computer - but their sale is as good as anyone else's.
I have forms on my site that are targeted to businesses and I would legitimately ask for the company URL to their web site. How do I stop the spammer with a filter, but let the legit guy through?
I've seen some solutions that look for mouse movement - I like that idea, but haven't pursued it much yet.
wow that's a lot of passing around to get to one email. :-)
True, and I won't begin to claim it's an ideal setup. But it has some advantages:
1: The mentioned zero programming skill required.
2: Set it and forget it solution. Once in place, you don't have to tinker with it.
3: Invisible to the user. They have no idea of how things are getting passed around to get screened. The form can be wide open, easy, accessible.
4: Once set, invisible for the admin. You just get notes dropped into your inbox.
My preferred solution is a combo of Akismet (or equivalent) and captcha/recaptcha. On sites with traffic below that of a "big name blog", so long as you go to the one-time effort of making a custom captcha library, you're pretty much in the clear as far as maintenance goes. Captcha cracking is arduous, and usually relies on brute force methods. So if you replace the stock library (and there are surprisingly few variations of the stock libraries) with one of your own, chances are no one is going to bother coming up with an independent set of rules for your site.
Unless you're a whopping big target, like a big name blog, in which case you're in for a long hard ride. The bigger, more popular you are, the more effort and time you're going to have to put in, because the bigger you are, the more willing the dirtbags will be to put in the time and effort.