Comments on: Defeating contact form spam by hiding the webmail script

By: Chris

Chris — Sat, 01 Jan 2011 02:47:20 +0000

@ ardamis

First up, this is a great strategy to help reduce spam DRAMATICALLY from contact form spam attacks! About three weeks ago, I had about 100 spam e-mails (all received at exactly 1PM) – and decided I had enough!

I got it to work initially on my website with no problems – just as it is outlined above – for over a week and a half now. I even used a “human respondent” question (1+1 = ?) to help further filter out the spam – and everything was working flawlessly.

However, this evening I went back in to remove my challenge question (as I kind of felt like my wedding clients might find it strange), and decided to replace it with a hidden spry form field box (which would be hidden with CSS) that would automatically prevent the form from being submitted if it WAS filled out…as no human should really be able to see it.

However, something got messed up… Now… I can’t get the spry validation AND the redirect to the proper PHP submission file to work at the same time.

I either get all my spry form fields to validate – but when I click on submit the contact page redirects me to the “No Java Script” decoy php file… OR I can get the form to submit properly to the real form mail php file…BUT the spry text fields are not validated first to assure that required form fields are filled out.

As soon as I add the ‘onsubmit=”return formProtect();” piece into the following code…

The spry validation no longer works…but the form does submit correctly (even if only one letter is typed into a field – and not all the required fields are filled out)

I can’t for the life of me figure out why it won’t all work now!!! Anyone have any suggestions? I would sure appreciate it!

By: Steev

Steev — Tue, 16 Mar 2010 14:22:05 +0000

I am having trouble combining these two functions to work together.

Can someone please show me the JavaScript code that I should use if I want to combine both methods into one JavaScript file, and call them with one single function?

By: ardamis

ardamis — Sat, 17 Jan 2009 15:49:46 +0000

Quite right.

And I explain how to create a ‘trap’ field for spam-bots in a similar post:

http://www.ardamis.com/2007/09/12/defeating-wordpress-comment-spam/

By: New Orleans Web Design

New Orleans Web Design — Tue, 13 Jan 2009 15:55:55 +0000

Here’s another possible addition to this equation: add a text field that is hidden via CSS. Name it “Subject” or something similarly-important-looking. Reject a submission if the field IS filled out; a human should never see it due to the CSS rule.

By: Contact Form Spam — Sumy Designs Web Design Blog

Contact Form Spam — Sumy Designs Web Design Blog — Mon, 15 Dec 2008 19:40:50 +0000

[...] I just implemented it today, so I will report back later with my success or failure.

By: defaultCharacter

defaultCharacter — Sat, 22 Nov 2008 21:40:58 +0000

Thanks for the tips, they were very helpful. I use an SaaS to capture sales leads submitted on a web page form; the data was going directly to the SaaS vendor’s database. The spammers copied the action URL and sent the string to our db with the required fields. As you suggested, I implemented a similarly named “formprotect.js” file, the fake php, and a note that appears if scripting is turned off on my site and reduced spam by about 95%. :) We don’t want to use the challenge/response technique as some people just won’t submit the form if there is too much for them to input, so I am still getting some odd submissions from the web (still some kind of bypass of the required fields), but will research those further.

I just don’t understand what these bizarre people hope to accomplish by spamming. They must spend a lot of time doing it.

Thanks again for sharing with us your creativity. :)

By: Todd

Todd — Wed, 29 Oct 2008 21:25:18 +0000

That’s when you build a new system, of course. Nothing lasts forever… especially not when people are trying to hack it all of the time.

By: Charles Sweeney

Charles Sweeney — Mon, 20 Oct 2008 20:46:07 +0000

What’s to stop a bot reading the correct form action in the JavaScript file? I can easily see how such a system would initially block bots due to security through obscurity but what happens when your system becomes well known?

By: Jack

Jack — Fri, 01 Feb 2008 17:21:18 +0000

Good work.

I’ve uploaded the “validate” script OK, but I’m still getting spam using the form fields.

Your “bad form / good form” script looks ideal. However, I’m have trouble with the code when I try to make both scropts work in the the same form action.

Any chnace you could post a simple form or text file with the double protection included.

Thanks anyway for the validate script.

Best regards

Jack

By: ardamis

ardamis — Wed, 26 Sep 2007 14:26:14 +0000

Well, ok, point taken. How about:

“To accommodate visitors who aren’t using JavaScript, the fake script could instead be a page explaining that JavaScript is required to submit the contact form and offering an alternate way to contact the author.”