Comments on: Defeating contact form spam by hiding the webmail script

By: Steev

Steev — Tue, 16 Mar 2010 14:22:05 +0000

I am having trouble combining these two functions to work together.

Can someone please show me the JavaScript code that I should use if I want to combine both methods into one JavaScript file, and call them with one single function?

By: ardamis

ardamis — Sat, 17 Jan 2009 15:49:46 +0000

Quite right.

And I explain how to create a ‘trap’ field for spam-bots in a similar post:

http://www.ardamis.com/2007/09/12/defeating-wordpress-comment-spam/

By: New Orleans Web Design

New Orleans Web Design — Tue, 13 Jan 2009 15:55:55 +0000

Here’s another possible addition to this equation: add a text field that is hidden via CSS. Name it “Subject” or something similarly-important-looking. Reject a submission if the field IS filled out; a human should never see it due to the CSS rule.

By: Contact Form Spam — Sumy Designs Web Design Blog

Contact Form Spam — Sumy Designs Web Design Blog — Mon, 15 Dec 2008 19:40:50 +0000

[...] I just implemented it today, so I will report back later with my success or failure.

By: defaultCharacter

defaultCharacter — Sat, 22 Nov 2008 21:40:58 +0000

Thanks for the tips, they were very helpful. I use an SaaS to capture sales leads submitted on a web page form; the data was going directly to the SaaS vendor’s database. The spammers copied the action URL and sent the string to our db with the required fields. As you suggested, I implemented a similarly named “formprotect.js” file, the fake php, and a note that appears if scripting is turned off on my site and reduced spam by about 95%. We don’t want to use the challenge/response technique as some people just won’t submit the form if there is too much for them to input, so I am still getting some odd submissions from the web (still some kind of bypass of the required fields), but will research those further.

I just don’t understand what these bizarre people hope to accomplish by spamming. They must spend a lot of time doing it.

Thanks again for sharing with us your creativity.

By: Todd

Todd — Wed, 29 Oct 2008 21:25:18 +0000

That’s when you build a new system, of course. Nothing lasts forever… especially not when people are trying to hack it all of the time.

By: Charles Sweeney

Charles Sweeney — Mon, 20 Oct 2008 20:46:07 +0000

What’s to stop a bot reading the correct form action in the JavaScript file? I can easily see how such a system would initially block bots due to security through obscurity but what happens when your system becomes well known?

By: Jack

Jack — Fri, 01 Feb 2008 17:21:18 +0000

Good work.

I’ve uploaded the “validate” script OK, but I’m still getting spam using the form fields.

Your “bad form / good form” script looks ideal. However, I’m have trouble with the code when I try to make both scropts work in the the same form action.

Any chnace you could post a simple form or text file with the double protection included.

Thanks anyway for the validate script.

Best regards

Jack

By: ardamis

ardamis — Wed, 26 Sep 2007 14:26:14 +0000

Well, ok, point taken. How about:

“To accommodate visitors who aren’t using JavaScript, the fake script could instead be a page explaining that JavaScript is required to submit the contact form and offering an alternate way to contact the author.”

By: betabug

betabug — Wed, 26 Sep 2007 13:46:38 +0000

“To satisfy accessibility concerns for visitors who aren’t using javascript, the fake script could be a page explaining that javascript is required to submit the contact form.”

…that’s going to help those people a lot, e.g. if they are blind.