How to protect a Contact-Form from Form-Spam bots

January 28th, 2007

When you have a Contact-Form on your site, you are having problems with spam submissions to the form. Unfortunately, spammers have programs that find forms on the web, and automatically fill them out with spam messages.

The standard way out is the use of captchas. However, there are bots, that can recognize simple captchas in a second. Let’s review ideas of Form-Spam bots blocking without captchas.

Environment Checks

  • Every browser sends a HTTP_USER_AGENT value to a server. So a missing HTTP_USER_AGENT value almost always indicates a spammer bot.
  • The most of browsers (all modern browsers) send a HTTP_REFERER value, which would contain the submitted form URL. Whereas clever bots send this value, a missing HTTP_REFERER value could mean a bot submitting.
    Note. There are several firewall and “security” products which block HTTP_REFERER by default. So, none of these people could send a message if you block posting without HTTP_REFERER.

You can use this PHP-code to do the Environment Checks:

. . .
if ("POST" == getenv("REQUEST_METHOD")) {
if ("" == getenv("HTTP_USER_AGENT")
 || "" == getenv("HTTP_REFERER")) {
header("HTTP/1.1 404\r\nContent-Type: text/html\r\n\r\n");
// Send feedback email
. . .

Misleading the bots

The most of Spam bots investigate forms on common-used form-fields like ‘name’ and ‘email’. The comprehensible names help them to fill out your form in a right way. So if your form processor (script) checks on accuracy of email address, this would a correct address in the ‘email’ field.

You can rename the form-fields to do not give a prompt to spammers:
<form action="abc.php">
Your Name: <input name="p1" type="text" >
Your Email: <input name="p2" type="text" >

The form-processor should work with “p1″ instead of “name” and “p2″ instead of “email” in this case.

Multiple Step Forms

  • The most of Spam bots just post their message to the form action-script. So if you have a dynamic generated form of publish your form by a script (PHP or Perl), you can check if the form-page was loaded (read) before the form submitting. This would prevent about 80% of bots submit your form.

If you use PHP with your form, PHP session helps you:

. . .
if ("GET" == getenv("REQUEST_METHOD")) {
 $_SESSION["preloaded"] = true;
 // Print the Form Page
} else
if ("POST" == getenv("REQUEST_METHOD")) {
 if ($_SESSION["preloaded"]) {
  // Send feedback email
. . .
  • Some modern bots start loading a form before submitting. Two-step form could help you to bit them. Requiring that users preview their message before sending can stop the most of Spam bots that are not able to go through the multiple step preview process.
You can allow them to fill out the entire form at the First step:   Then make a Preview and require confitmation at the Next step:
Your Name:
Your Email:
Your Name: John Doe
Your Email:
Preview Comment:
John here!

PHP session helps you again:

. . .
if ("GET" == getenv("REQUEST_METHOD")) {
<!-- Show the Form-Page -->
<form method="post">
Your Name: <input name="name">
Your Email: <input name="email">
Comment: <textarea name="comment"></textarea>
<input type="submit" value="Preview">
} else
if ("POST" == getenv("REQUEST_METHOD")) {
 if (isset($_POST["comment"])) {
  // Save the Form values
  $_SESSION["comment"] = $_POST["comment"];
  $_SESSION["name"] = $_POST["name"];
  $_SESSION["email"] = $_POST["email"];
<!-- Show the Preview-Page -->
<form method="post">
Your Name: <?=$_POST["name"]?>
Your Email: <?=$_POST["email"]?>
Comment: <?=$_POST["comment"]?>
<input type="submit" value="POST!" name="post">
 } else
 if (isset($_POST["post"])
  && isset($_SESSION["comment"]))
  // Send feedback email width data from:
  // $_SESSION["name"]
  // $_SESSION["email"]
  // $_SESSION["comment"]
. . .
In other way you can get comment only at the First step:   Then make a Preview and require name and email at the Next step:
Your Name:
Your Email:
Preview Comment:
John here!

Extra Form-Fields

Yet another way to avoid of spamming by bots is Extra Form-fields where people have to answer an intellectual question like “which day comes after tuesday?” or “spell the number 7 in lowercase letters”. You can take a look at such form at the blog of Kim K. Jonsson.

In order to do not bother people with extra questions, you can invert the Extra Form-fields tactics. Place a blind field with an attractive name into your form. Only bots could detect this fields and fill it out. For example:
<form action="feedback.php">
Your Name: <input name="name" type="text" >
Your Email:
<input name="email" type="text" style="display:none;" >
<input name="x" type="text" >

Only bots would fill the “email” field, real people will enter emails into the “x” field.

Anders Brownworth suggests to make the Submit button as image and require realistic mouse coordinates with the form posting. Your form processor should then approve the coordinates with etalon. You can take a look at this way realized in the Anders blog.


Another idea is to use a JavaScript at the form to make some changes of the original before submission. This won’t require a server checks an will work with online autoresponse services. So if you can’t control the server-side scripts, this method is yours.

You can change a field-name of the form just before submission, so the live form would be accepted by service, but the original form from bots wouldn’t be accepted by service or server script:
<script type="text/javascript">
 function checkForm(theForm) {
  if (theForm && { = "email1";
  return true;
<form action="feedback.php" method="post"
 onSubmit="return checkForm(this);">
 <input name="email">
 <input name="name">
 <input type="submit">

While people would send their emails in “email1″ field, Spam bots will post “email” instead.

If you or your programmer familiar with AJAX, you can try a form that is either written with AJAX or uses AJAX to submit the contents.


The Encoding idea is to create an encrypted application variable that is passed in the comment form to the action page. If it exists and is of the right value, then the comment is from a form. If not or if it does not exist, then the content if from a bot.

Instead of passed in encrypted variable some of form values could be encrypted while the form is submitting and send over to a server-script to check the value. This combined method is used in the latest version of the “Comprehensive Feedback Form”.


by Michel Komarov, © Copyright 2007.


Share in social bookmarking:These icons link to social bookmarking sites where readers can share and discover new web pages.  digg BlinkList Reddit NewsVine YahooMyWeb co.mments

Related Articles:

How To Give a Discount to customers of your JV-partner

December 18th, 2006

Let’s suppose you decide to make JV with someone to sell you product.
One of the most popular methods is to give a discount to customers or subscribers of your JV partner. How to make it with your Order Page?
This simple PHP-script helps you modify your Order Page quick and easy.

Read the rest of this entry »

Normalize Their Names In A Web-Form

November 10th, 2006

When people input their names the data goes in the same format to the Data Base, and I have to correct each time manually.

I will explain you what I would like with examples:
  If the name input is: “RAUL”, I need it transformed to: “Raul”
  If the name input is: “RAúL”, I need it transformed to: “Raúl”
  If the name input is: “raúl”, I need it transformed to: “Raúl”
  If the name input is: “rAUl”, I need it transformed to: “Raul”
  If the name input is: “raUL”, I need it transformed to: “Raul”

… from correspondence

Some of autoresponders can capitalize the first letter of names, another can’t. You can force this with any autoresponder and opt-in / squeeze forms.

This simple JavaScript code allows you to normalize the format of names before your web-form is sent to a server.

Read the rest of this entry »

Content rotation

October 30th, 2006

There are many scripts which allow you to rotate banners, ad-blocks and canned paragraphs. This scripts provide you with lot of features such as statistics, split testing, cloaked links, etc. You may have a beautiful admin panel to control your campaigns…

But sometimes, all you need is rotate some content at your page. And you can implement it quick and simple without installation of a professional script.

Let’s suppose you have a main web-page where you’d like to rotate some content on.
You can create a number of files with the HTML-snippets to rotate them at your page: page1.html, page2.html, page3.html, page4.html

<a href=" &title=Content+rotation"> <img border="0" src="/wp-content/plugins/sociable/images/digg.png" width="80" height="70" /></a><br />
<a href=" &title=Content+rotation"> <img border="0" src="/wp-content/plugins/sociable/images/delicious.png" width="80" height="80" /></a><br />
<a href=" &title=Content+rotation"> <img border="0" src="/wp-content/plugins/sociable/images/reddit.png" width="90" height="90" /></a><br />
<a href=" &title=Content+rotation"> <img border="0" src="/wp-content/plugins/sociable/images/co.mments.gif" width="80" height="80" /></a><br />

Read the rest of this entry »

Custom Error Pages for Different Addon Domains

October 1st, 2006

I’d like software or a script that lets me use different custom error pages for different addon domains. In Cpanel at the moment you can only use the same custom error page for all addon domains and the main domain they are under. I don’t even know if what i ask is possible but I thought I’d post it anyway :-)


Many things are possible when you know what do you want ;-)

Let’s consider various domains you may have at the same hosting in addition to your main domain (site).

A Parked Domain is pointed to the same folder as your main domain and shares the files / pages of your main site.

An Addon Domain is similar to Parked Domains. But it is pointed to a sub-folder of your main domain (site), and can have it’s own settings. However you can’t create error pages for Addon Domains through your Control panel, you can do it by hand.

A Subdomain doesn’t have an independent domain name. It’s a composite domain name which is pointed to a sub-folder of your main domain (site).

Read the rest of this entry »

Comprehensive Feedback Form with Attachments

September 7th, 2006

You know that spam harvesters are able to take e-mails from websites if they are just coded in standard HTML. You could encode your email as I’ve described earlier. But a feedback form is the best approach.

The most of feedback forms allow them to enter their name, email and type a message. Sometime you may need to send an attached file (a photo, a screenshot…).

This Feedback-Form script provides you with an option to send an attached file with the form message.


Read the rest of this entry »

Simple Photo Album / Slide Show Generator

August 21st, 2006

I need a script or html coding that will enable me or my users to have a slide show of images. …there is a single image on the home page, that I would like to rotate like a banner - I expect the script here would do that, but inside there are albums. I want visitors to be able to watch a slide show in any album.


OK. The main issue is to gather images from your server folder. Javascript can’t do this. So we have to use a PHP-script to scan your server folder and generate a slide-show Javascript.

Read the rest of this entry »

Back To School with AutoResponse Plus

August 14th, 2006

I have a great news!
Neil Morgan starts the “Back To School” offer.

You get FREE Upgrade to the AutoResponse Plus RSS Module for ordering the ARP3 now.

Your subscribers now can choose how would they receive your messages.
The ARP3 with RSS Module is able not only to send emails but also provides your subscribers with a personalized RSS feed. This great new method guarantees delivery of your messages.

Neil is offering this to a limited number of people during August.
Check this link below (not an affiliate)

I hope this helps you to communicate with your customers better.

Yet another Countdown Timer

August 10th, 2006

You may have seen those timer based on a Flash animation. You have to be familiar with Flash Studio to create your own one.

My son created a simple JavaScript replica of this timer. His Online Countdown Timer became popular because of you can just insert a few lines of code into your html-page to get it working.

Read the rest of this entry »

Simple OTO and Countdown Timer

August 7th, 2006

You may remember my Countdown script. Now we can combine it with the Simple OTO script to show a Countdown timer only once.

There are 2 variants of the Countdown script. You can use it with a popup window and at your regular page without a popup window.
Here is a recipe to add the Simple OTO script to both variants.

Read the rest of this entry »