We all hate email spam in our email inbox, but rarely try to get to the root of the spam mail’s origin and purpose. Many webmasters face a problem of receiving spam emails through the forms on their website. These are usually contact forms which are setup for visitor’s to post their inquiries or to give feedback. Spammers try to hijack these forms to send spam mails, either by manipulating where the forms sends emails or by flooding the webmaster with junk mail. This article points out some of the ways in which you can fight spam in website forms meant for comments, feedback, inquiries and any other contact.
A very important part of having a secure form is to ensure that there is strict validation of the form fields. This is best explained by an example. When you are accepting a phone number through the contact form, you can code the form to ensure that only numbers are entered in the form field. Similarly for an email address field, the form must be able to determine a well-formed email address has been entered. If the fields contain anything which that field is not supposed to contain, like special characters or some funny text, then the form will throw an error and will not be submitted till the mistakes are corrected. This prevents any malicious code or text from being inserted in the form. It also prevents automated bots from filling up the form without understanding what is required and how it is to be filled.
One of the most effective ways of fighting form spam is by enabling a captcha at the end of each form. The captcha requires the user to enter a word or number verification which is shown in an image. This prevents bots and automated systems from sending the forms mindlessly. Since bots cannot usually detect text within images, they fail to enter the correct Captcha text preventing the form from being submitted.
Another simple trick that can be used to harass the spammers is to add a confirmation alert box which pops up to confirm the details that the user is trying to submit. Robots and automatic form submission software are unable to cause the clicking of the confirmation button in the alert box. Something like: Are you sure you want to submit the form? Yes/No Can be an added layer of protection from comment spammers. This is also a good way of allowing users to review the information they are sending and correct any mistakes or typos before submitting the form.
Akismet is an Anti-Spam plugin used for WordPress, which can identify genuine comments and filter out the spam comments. This can be helpful if you do not want to enable a captcha confirmation box or cannot have specific validation on your form. Similar anti-spam plugins are available for other platforms as well. While Akismet type plugins are not 100% correct and may lead to some false-positives, they do a really good job of filtering out the noise.
One of the most important things that a programmer can do to track the sources of spam and patterns of spam is to log additional information of the user. This means that along with the normal fields that the user is submitting, the form will also capture his / her IP Address, machine name, browser details, location information and similar information which can be used to trace the spam source. Using this information you can either take action against the spammer or even block his IP Address. This way he will not be able to keep harassing you or making random submissions.
Some programmers also swear by hidden form fields in CSS, which prevent the form field names from being seen by bots, thereby preventing them from knowing what data to auto fill in the text boxes. Consult your coder for the best solution for your website.