Forum Moderators: phranque

Prevent Spam Attacks on Contact Forms

Contact form spam prevention

3:18 pm on Aug 5, 2008 (gmt 0)

New User

5+ Year Member

joined:Aug 4, 2008
posts: 3
votes: 0

I'm looking for a solution, hopefully fairly simple, to preventing contact form spam attacks. Contact forms are processed by a PHP handler page. They don't get the email address, but they can still attack/submit the form.

I'll have to apply the solution to many sites, which is why I'm hoping to find something simple.

9:21 pm on Aug 5, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 28, 2006
votes: 0

The easiest thing to do is change the names of the form variables. Spambots know what to do with the input fields 'email' or 'message', but they become disoriented and confused for the field 'ska54rjha89fja43'.

The second easiest thing to do is check for URLs. Normal people don't put dozens of web addresses into a form; spambots generally do.

2:27 pm on Aug 6, 2008 (gmt 0)

Senior Member from US

netmeg: WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month

joined:Mar 30, 2005
votes: 203

I've started creating an extra field on my form, and then hiding it from human view with CSS. The confirm page has a little PHP code at the top such that it exits if there's anything in that hidden field.

That's been surprisingly effective. I'm sure that someone will come up with a way around it eventually, but it's working now.

5:58 pm on Aug 6, 2008 (gmt 0)

Senior Member

rocknbil: WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member

joined:Nov 28, 2004
votes: 0

1. Log your data directly from the script. This is the most useful tool in determining exactly what they are trying to do, and stopping it. Server logs don't tell the whole story.

2. Cleanse your data. Accept only character sets [A-Z0-9(and punctuation)]. From there, once you figure out what spammers are trying to do, it's pretty easy to stop them by filtering out their input.

3. Netmeg's hidden field is one approach. Use it. Also set a cookie, on form load, and read the cookie for a matching value on submit.

4. If the above doesn't slow them down or lead you to a way to close the door, some form of challenge/response field will help. You can use a CAPTCHA, but not only are these as hated as pop-ups, they are hackable. Some members here use a simple question and answer response: "What is 4 + 7?" "What is the color of blood?"

Deeply discussed here [webmasterworld.com]
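
The hidden field, cookie match, URL check and script-side logging suggested in the posts above, combined into one PHP handler. This is an added example, not code from any poster in the thread; the decoy field name `website`, the token name `cf_token`, the `message` field and the limit of two links are assumptions.

```php
<?php
declare(strict_types=1);

const HONEYPOT_FIELD = 'website';  // hypothetical decoy input, hidden from humans with CSS
const TOKEN_NAME     = 'cf_token'; // hypothetical name shared by the cookie and a hidden input
const MAX_URLS       = 2;          // assumed limit on links in one message

// Call while rendering the form: sets the cookie and returns the value for the hidden input.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));
    setcookie(TOKEN_NAME, $token, ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    return $token;
}

// Reads one field as a string; arrays and missing keys become ''.
function field(array $src, string $key): string
{
    return is_string($src[$key] ?? null) ? $src[$key] : '';
}

// Returns the reasons to reject a submission; an empty array means accept.
function screen_submission(array $post, array $cookie): array
{
    $reasons = [];
    // Honeypot: a human never sees this input, so any value (string or array) is a bot.
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        $reasons[] = 'honeypot_filled';
    }
    // Cookie match: a client that POSTs without loading the form has no matching pair.
    $sent = field($post, TOKEN_NAME);
    if ($sent === '' || !hash_equals(field($cookie, TOKEN_NAME), $sent)) {
        $reasons[] = 'token_mismatch';
    }
    // URL count: a run of links in the message body is typical of spam.
    if (preg_match_all('~https?://|www\.~i', field($post, 'message')) > MAX_URLS) {
        $reasons[] = 'too_many_urls';
    }
    return $reasons;
}

// Handler entry point; skipped when the file is included or run from the CLI.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reasons = screen_submission($_POST, $_COOKIE);
    if ($reasons !== []) {
        error_log('contact-form reject ' . json_encode(
            ['ip' => $_SERVER['REMOTE_ADDR'] ?? '', 'reasons' => $reasons, 'post' => $_POST]));
        http_response_code(400);
        exit;
    }
}
```

Because `json_encode` escapes line breaks, a rejected submission stays on a single log line, which keeps the script's own log readable when reviewing what the bots sent.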