
How to Stop Spam on your Contact Form on the Website

How to Reduce Spam on your Contact Form on the Website

It does not matter what language or technology you are using. The concepts to Stop Spam on your Contact Form are the same. The primary thing is to never expose your email address, not even in a graphical form. Not even using JavaScript to dynamically make it up.

Bots are smart and getting smarter. If your email address is on the Client side, it will get compromised. If you are getting random emails that make no sense, or you are receiving emails about how to improve your website, these are undoubtedly the work of Bots.


Captchas

Captchas are graphical measures to stop spamming. If you hate your clients, then go ahead and implement a complex one. Some of them are really bad; it is so hard to figure out the blurred images and photos. I absolutely hate them, especially the ones that ask you to match boats or cars.

They can be very effective, but not always. Some of them are pointlessly trivial for a Bot to crack. You can sign up with an organisation like reCaptcha or you can Roll Your Own. Even if you decide to use Captcha, you should definitely use a few additional techniques from the list below.


Trivial Questions

Bots are written generically, so you can fool them with a trivial question. Just add another question that is compulsory. But keep it simple (and language friendly). Some examples are.

And always check the answer server side. Do not use JavaScript to check this answer.


Hidden Fields

Bots are eager to fill in any input field. You can use this to your advantage. Just add some additional fields that are hidden. They are not visible to people, but Bots can still read them. You can and should use more than one. Some examples are -

Some caveats: check this server side, and make the fields look authentic by giving them labels with normal names such as phone, city or middle name.


Prohibit Links

Many Bots are trying to provide you with links to click on. If you need a URL, provide a field for it. But do not deliver the message if there is a link in the content. You can check this client side or server side. But server side is good enough. Here is a regex that may be used for this:

~[a-z]+://\S+~i
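
The server-side checks from the Trivial Questions, Hidden Fields and Prohibit Links sections can be combined in one function. This is an added example, not code from the original article; the field names (middle_name, city, question, message), the expected answer and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example: server-side checks for a contact form POST.
// Field names and the expected answer are hypothetical.

const HONEYPOT_FIELDS = ['middle_name', 'city']; // hidden from people, must stay empty
const EXPECTED_ANSWER = 'blue';                   // answer to the trivial question
const LINK_PATTERN    = '~[a-z]+://\S+~i';        // regex given in the article

/**
 * Returns the reasons to reject a submission; an empty array means deliver it.
 */
function contact_form_rejections(array $post): array
{
    $reasons = [];

    // Hidden fields: a person never sees them, so any value means a Bot filled them.
    foreach (HONEYPOT_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) !== '') {
            $reasons[] = "hidden field '$field' was filled in";
        }
    }

    // Trivial question: compulsory, compared on the server, ignoring case and spaces.
    $answer = $post['question'] ?? '';
    if (!is_string($answer) || strtolower(trim($answer)) !== EXPECTED_ANSWER) {
        $reasons[] = 'trivial question answered incorrectly';
    }

    // Links: do not deliver the message if the content contains scheme://...
    $message = $post['message'] ?? '';
    if (!is_string($message) || trim($message) === '') {
        $reasons[] = 'message is empty';
    } elseif (preg_match(LINK_PATTERN, $message) === 1) {
        $reasons[] = 'message contains a link';
    }

    return $reasons;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'person' => ['middle_name' => '', 'city' => '', 'question' => ' Blue ', 'message' => 'Please call me about a quote.'],
    'bot'    => ['middle_name' => 'x', 'city' => 'y', 'question' => '', 'message' => 'Improve your site: http://example.com/seo'],
];
foreach ($samples as $name => $post) {
    $reasons = contact_form_rejections($post);
    echo $name, ': ', $reasons ? 'reject (' . implode('; ', $reasons) . ')' : 'deliver', PHP_EOL;
}
```

The pattern only matches text with an explicit scheme such as http://, so the check is best kept as one of several rather than the only filter.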


Use a preview

Show the preview of the complete formatted message together with a Submit Button. Most Bots will not realise that there is another step to complete.


Disable the Submit button

There are so many sites where the contact form stays intact and a message pops up to say that it has been submitted. There are two problems with this.

So, show the form again if you must, but replace the Submit button with a permanent success message.


Do not call it Contact

Do not call your Contact Form file contact.php. Be more imaginative. Bots will still find it, but it will slow them down.


Do not index the Contact Form

Do not let the Contact Form be indexed. The Bots will still find it once they are on your site. But it may reduce the incidence a little bit. You may use a meta tag on your form, such as this:

<meta name="robots" content="noindex"/>

or put it in the robots.txt file.

