How to protect a Contact-Form from Form-Spam bots

Once you put a Contact-Form on your site, you will get spam submissions through it. Spammers run programs that find forms on the web and automatically fill them out with spam messages.

The standard answer is a captcha. However, there are bots that can solve simple captchas in a second. Let’s review some ideas for blocking Form-Spam bots without captchas.

Environment Checks

  • Every browser sends a HTTP_USER_AGENT value to the server, so a missing HTTP_USER_AGENT value almost always indicates a spam bot.
  • Most browsers (all modern ones) send a HTTP_REFERER value, which contains the URL of the page the form was submitted from. Clever bots send this value too, but a missing HTTP_REFERER value can mean a bot is submitting.
    Note. Several firewall and “security” products strip HTTP_REFERER by default, so if you reject posts without HTTP_REFERER, none of those users will be able to send a message.

You can use this PHP code to do the Environment Checks:

<?php
. . .
if ("POST" == getenv("REQUEST_METHOD")) {
    // Reject the post when either header is missing (see the Note above about HTTP_REFERER)
    if ("" == getenv("HTTP_USER_AGENT")
        || "" == getenv("HTTP_REFERER")) {
        // One header per header() call; never embed "\r\n" in a single call
        header("HTTP/1.1 404 Not Found");
        header("Content-Type: text/html");
        exit;
    }
    // Send feedback email
}
. . .
?>

Misleading the bots

Most spam bots look for commonly used form-field names like ‘name’ and ‘email’. These self-explanatory names help them fill out your form correctly, so if your form processor (script) validates the email address, a bot will simply put a well-formed address into the ‘email’ field.

You can rename the form-fields so that they give spammers no hint:
<form action="abc.php" method="post">
Your Name: <input name="p1" type="text" >
Your Email: <input name="p2" type="text" >
</form>

The form processor should then work with “p1” instead of “name” and “p2” instead of “email”.

Multiple Step Forms

  • Most spam bots just post their message straight to the form action script. So if your form is generated dynamically, or published by a script (PHP or Perl), you can check whether the form page was loaded (read) before the form was submitted. This alone stops about 80% of bots from submitting your form.

If you use PHP with your form, a PHP session helps you:

<?php
. . .
session_start();
if ("GET" == getenv("REQUEST_METHOD")) {
    // Remember in the session that this visitor has seen the form page
    $_SESSION["preloaded"] = true;
    // Print the Form Page
} else
if ("POST" == getenv("REQUEST_METHOD")) {
    // Only accept the post if the form page was loaded earlier in this session
    if (!empty($_SESSION["preloaded"])) {
        // Send feedback email
    }
}
. . .
?>
  • Some modern bots do load the form before submitting. A two-step form can help you beat them: requiring that users preview their message before sending stops most spam bots, which are not able to go through a multi-step preview process.
    You can let people fill out the entire form at the first step (the fields Your Name, Your Email and Comment), then show a preview and require confirmation at the next step:
    Your Name: John Doe
    Your Email: john@doe.com
    Preview Comment:
    Hi,
    John here!

A PHP session helps you again:

<?php
. . .
session_start();
if ("GET" == getenv("REQUEST_METHOD")) {
?>
<!-- Show the Form-Page -->
<form method="post">
Your Name: <input name="name">
Your Email: <input name="email">
Comment: <textarea name="comment"></textarea>
<input type="submit" value="Preview">
</form>
<?php
} else
if ("POST" == getenv("REQUEST_METHOD")) {
    if (isset($_POST["comment"])) {
        // Step 1 posted: save the form values in the session
        $_SESSION["comment"] = $_POST["comment"];
        $_SESSION["name"] = $_POST["name"];
        $_SESSION["email"] = $_POST["email"];
?>
<!-- Show the Preview-Page; escape the values so a visitor cannot inject HTML -->
<form method="post">
Your Name: <?=htmlspecialchars($_POST["name"])?>
Your Email: <?=htmlspecialchars($_POST["email"])?>
Comment: <?=htmlspecialchars($_POST["comment"])?>
<input type="submit" value="POST!" name="post">
</form>
<?php
    } else
    if (isset($_POST["post"])
        && isset($_SESSION["comment"])) {
        // Step 2 confirmed: send feedback email with data from:
        // $_SESSION["name"]
        // $_SESSION["email"]
        // $_SESSION["comment"]
        // Then clear the saved values so the same message cannot be re-sent
        unset($_SESSION["comment"], $_SESSION["name"], $_SESSION["email"]);
    }
}
. . .
?>
Alternatively, you can ask only for the comment at the first step, then show a preview and require the name and email at the next step:
Step 1: Comment:
Step 2:
Your Name:
Your Email:
Preview Comment:
Hi,
John here!

Extra Form-Fields

Yet another way to avoid bot spam is extra form fields where people have to answer a simple question like “which day comes after Tuesday?” or “spell the number 7 in lowercase letters”. You can see such a form on the blog of Kim K. Jonsson.

To avoid bothering people with extra questions, you can invert the extra form-fields tactic: place a hidden field with an attractive name in your form. Only bots will detect this field and fill it out. For example:
<form action="feedback.php" method="post">
Your Name: <input name="name" type="text" >
Your Email:
<input name="email" type="text" style="display:none;" >
<input name="x" type="text" >
</form>

Only bots will fill the “email” field; real people will enter their email into the “x” field, so the form processor can drop any post where “email” is not empty.
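The Environment Checks, the session “preloaded” check and the hidden “email” honeypot above can all be applied in one server-side decision. The following is an added example, not code from the article, written in Python rather than PHP to show the logic independent of the web framework; the request dicts are constructed samples and the field names follow the form above.

```python
import re

# The honeypot field carries the attractive name "email" but is hidden from humans
# (display:none); the real address field has the neutral name "x", as in the form above.
HONEYPOT_FIELD = "email"
REAL_EMAIL_FIELD = "x"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def classify_submission(headers, fields, session, require_referer=False):
    """Return (accepted, reason) for one POSTed contact form.

    headers: request headers keyed like CGI environment variables
    fields:  the POSTed form fields
    session: server-side session dict; "preloaded" is set when the form page
             was served by GET (the Multiple Step Forms check above)
    """
    if not headers.get("HTTP_USER_AGENT"):
        return False, "missing User-Agent"
    # Referer is optional by default: some firewalls strip it for real users.
    if require_referer and not headers.get("HTTP_REFERER"):
        return False, "missing Referer"
    if not session.get("preloaded"):
        return False, "form page was never loaded in this session"
    if fields.get(HONEYPOT_FIELD):
        return False, "honeypot field filled"
    if not EMAIL_RE.match(fields.get(REAL_EMAIL_FIELD, "")):
        return False, "invalid email address"
    if not fields.get("comment", "").strip():
        return False, "empty comment"
    return True, "ok"

# Constructed sample requests, not captured traffic.
HUMAN = dict(
    headers={"HTTP_USER_AGENT": "Mozilla/5.0", "HTTP_REFERER": "https://example.test/contact"},
    fields={"p1": "John Doe", "x": "john@doe.com", "comment": "Hi, John here!"},
    session={"preloaded": True})
BOT_DIRECT_POST = dict(   # never loaded the form page, posts straight to the script
    headers={"HTTP_USER_AGENT": "Mozilla/5.0"},
    fields={"name": "Spam", "email": "spam@example.test", "x": "", "comment": "cheap stuff"},
    session={})
BOT_HONEYPOT = dict(      # loaded the page but filled every field it recognised
    headers={"HTTP_USER_AGENT": "Mozilla/5.0", "HTTP_REFERER": "https://example.test/contact"},
    fields={"name": "Spam", "email": "spam@example.test", "x": "", "comment": "cheap stuff"},
    session={"preloaded": True})

if __name__ == "__main__":
    for label, req in (("human", HUMAN), ("bot/direct", BOT_DIRECT_POST), ("bot/honeypot", BOT_HONEYPOT)):
        print(label, classify_submission(**req))
```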

Anders Brownworth suggests making the Submit button an image and requiring realistic mouse coordinates with the form post. Your form processor then compares the coordinates against the expected reference values. You can see this approach implemented on Anders’ blog.

JavaScript

Another idea is to use JavaScript in the form to make some changes to the original before submission. This requires no server-side checks and works with online autoresponse services, so if you can’t control the server-side scripts, this method is for you.

You can change a field name of the form just before submission, so the live form is accepted by the service, but the original form posted by bots is rejected by the service or server script:
<script type="text/javascript">
<!--
 function checkForm(theForm) {
  if (theForm && theForm.email) {
   theForm.email.name = "email1";
  }
  return true;
 }
 //-->
</script>
<form action="feedback.php" method="post"
 onSubmit="return checkForm(this);">
 <input name="email">
 <input name="name">
 <input type="submit">
</form>

While people will send their email in the “email1” field, spam bots will post “email” instead.

If you or your programmer are familiar with AJAX, you can try a form that is either written with AJAX or uses AJAX to submit the contents.

Encoding

The Encoding idea is to create an encrypted application variable that is passed in the comment form to the action page. If it exists and has the right value, then the comment came from the form. If it does not exist or has the wrong value, then the content is from a bot.

Instead of passing an encrypted variable, some of the form values can be encrypted while the form is being submitted and sent to a server script that checks the value. This combined method is used in the latest version of the “Comprehensive Feedback Form”.
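One way to implement the Encoding idea is a hidden form variable that the server can verify but a bot cannot fabricate. The example below is added here and is not the article’s or the Comprehensive Feedback Form’s code; it uses an HMAC-signed token (authenticated rather than encrypted, which is all the check needs) bound to the visitor’s session id and the time the form was rendered, so the same value also enforces that the form was loaded first and filled in at a human pace. SECRET, the time limits and the session ids are placeholder assumptions.

```python
import hmac
import hashlib
import time

# Server-side secret: load it from configuration in practice, never send it to the client.
SECRET = b"replace-with-a-long-random-secret"   # placeholder value
MIN_FILL_SECONDS = 3      # humans need at least a few seconds to fill the form
MAX_AGE_SECONDS = 3600    # a token older than this is stale

def issue_token(session_id, now=None, secret=SECRET):
    """Create the hidden-field value when the form page is rendered (GET)."""
    ts = str(int(now if now is not None else time.time()))
    msg = f"{session_id}:{ts}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def verify_token(token, session_id, now=None, secret=SECRET):
    """Return (ok, reason) for the token posted back with the message (POST)."""
    now = now if now is not None else time.time()
    try:
        ts_str, sig = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False, "malformed token"
    expected = hmac.new(secret, f"{session_id}:{ts_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a token from another session or with an edited
    # timestamp fails here because the signature no longer matches.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    age = now - ts
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_AGE_SECONDS:
        return False, "token expired"
    return True, "ok"

if __name__ == "__main__":
    tok = issue_token("sess-abc")                 # embed as <input type="hidden" name="t" value="...">
    time.sleep(MIN_FILL_SECONDS)
    print(verify_token(tok, "sess-abc"))          # (True, "ok")
    print(verify_token(tok, "sess-other"))        # (False, "bad signature")
```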

 

by Michel Komarov, © Copyright 2007. iCoder.com

 


2 Responses to “How to protect a Contact-Form from Form-Spam bots”

  1. Discount Checks Says:

    Discount Checks…

    Thanks for creating a really informative site. It’s more than most people do! The How to protect a Contact-Form from Form-Spam bots — Ask … was very helpful indeed. Jeremy….

  2. Preventing Webform Based Spam Says:

    […] 3. Environment Checks (http://askmichel.icoder.com/2007/01/28/how-to-protect-a-contact-form-from-form-spam-bots/) Every browser sends a HTTP_USER_AGENT value to a server. So a missing HTTP_USER_AGENT value almost always indicates a spammer bot. The most of browsers (all modern browsers) send a HTTP_REFERER value, which would contain the submitted form URL. Whereas clever bots send this value, a missing HTTP_REFERER value could mean a bot submitting. Note. There are several firewall and “security” products which block HTTP_REFERER by default. So, none of these people could send a message if you block posting without HTTP_REFERER. You can use this PHP-code to do the Environment Checks: […]
