tags:

views:

307

answers:

6
+3  Q: 

Spam Prevention/Reduction - Contact Form ?

Hi

I want to add a simple Contact form to my web site so that customers can contact me easily.

<form>
    NAME
    <input type='text' name='name' />
    EMAIL
    <input type='text' name='email' />
    MESSAGE
    <textarea name='message' />
    <input type='submit' />
</form>

This form would simply email me the customers message.

But, I also want to reduce (not, I'm not saying eliminate but at least reduce), SPAM.

I've looked into using CAPTCHAs but, ultimately, I don't want to hinder the customer with having to fill out extra information.

Any ideas of a good simple spam prevention/reduction method I could use for my Contact form.

A: 
  1. When processing check the users headers, however most bots provide headers.
  2. Try and resolve the IP provided; if it resolves and provides a web page you can assume it's being sent from a server, therefore the chances of it being a bot are high.
  3. Have a question, for example "what is the name of this website?" or "What is 5 + 2?", however bots can bypass these quite easily.

I would personally recommend a combination of the above: When the form is submitted check the users headers + see if the IP is a webserver and if either are true, present captcha. However if this was me I'd just implement recaptcha it's a great service, pretty much 100% secure and very easy for end users, I love it.

citricsquid  2010-02-09 16:09:07
2: you'll loose all proxy and Opera Mini users that way...
Wim  2010-02-09 16:14:17
Option #3 is not an option I want to pursue. See my original post for explanation.
BillK  2010-02-09 16:14:30
A: 

You can just log IP ($_SERVER['REMOTE_ADDR']) and forbid re-validation with this IP during 1 minute or, more precisly, start a session, give an ID no you visitor and forbid re-validation for 1 minute (or more but bot don't like to wait).

gromax  2010-02-09 16:09:28
Bots usually don't keep cookies, so the session thing won't work. Also, most bots run on hacked client PCs, which leads to a never-ending supply of new IP addresses. I've never had problems with a large amount of spam submissions from a single IP address, it's always the accumulation over time from a lot of different clients that causes problems...
Wim  2010-02-09 16:16:48
You're right Wim : it's just a good practice to avoid multiple submission.
Alysko  2010-02-09 16:42:47
+2  A: 

Use Google or Yahoo mail account. They have good anti-SPAM filters.

Milan Babuškov  2010-02-09 16:10:03
This is a good idea, gmail supports automatic forwarding of emails doesn't it? This could work well. Probably the easiest implementation too AND you risk loosing no potential customers due to captcha frustration.
citricsquid  2010-02-09 16:11:31
+1; or any other inbox spam filtering. No reason to burden the user with a CAPTCHA or the users browsers with html-tricks. This is an inbox-problem.
Tomas  2010-02-09 17:28:49
+2  A: 

The only (client-side) way other than a CAPTCHA type user confirmation would be to write the whole thing dynamically. A lot (but not all) of robots would probably ignore the dynamic content. Eg

document.write("<"+"form>"
  +" NAME "
  +" <"+"input type='text' name='name' /> "
  +"EMAIL "
  +"<"+"input type='text' name='email' /> "
  +"MESSAGE "
  +"<"+"textarea name='message' /> "
  +"<"+"input type='submit' /> "
+"<\/form> ");
Graza  2010-02-09 16:11:44
Does that really work? That seems like a super simple way
BillK  2010-02-09 16:13:48
I do a very similar thing where i simply set the email address dynamically on page load. The email is not in a single string, ie: `"my"+"email@"+domain+".com"`
Rob Fonseca-Ensor  2010-02-09 16:18:51
All bots by-pass this.
Alysko  2010-02-09 16:40:57
@Alysko: Really? I don't think so. Are you saying all bots completely understand and interpret Javascript? The only problem wit this is, not all clients understand Javascript either...
Tomas  2010-02-09 17:43:01
*Some* bots would process it, but my guess is anyone who's writing a bot for speed would try to limit the amount of script processing, so a lot would skip it. **@Tomas** - agreed about the problem with not all clients understanding it though. This approach completely breaks graceful degradation or progressive enhancement. **@Rob** - I do similar things, but usually on separate lines, and with the `@` in hex, eg `m="my";m+="email\x40";m+="dom";m+="ain.c";m+="om";` - a paranoid solution, but I'd hope it tricks all bots. Again however - it breaks graceful degradation. Wim's solution looks awesome
Graza  2010-02-11 09:48:39
+7  A: 

A very simple trick I've been using with a surprisingly good success rate is this: Provide a text field that is hidden from human users with style="display: none", but with an enticing name like email. Most bots will fill in something in this field, but humans can't see it so they wont. At the server, just make sure the field is empty, else treat the submission as spam.

Wim  2010-02-09 16:12:39
Great idea. A combination of your idea and Graza might be just it.
BillK  2010-02-09 16:16:03
This is a great idea! Alternatively, if bots are smart enough to ignore such tags, set `display:none` dynamically in javascript, and add a comment asking the user NOT to fill in the field in the case that javascript fails.
Graza  2010-02-09 16:16:36
I love this idea. CAPTCHAs are a pain the neck. Spam prevention should be about detecting bots, not proving that the user is human.
Donal Boyle  2010-02-09 16:19:54
excellent idea ! But now you give it to us, bots will know :)
Alysko  2010-02-09 16:39:44
I am building a bot, as we speak, to incorporate this design... *evil laugh*
Anthony Forloney  2010-02-09 17:56:14
A: 

You won't need to reduce spam cause the messages are not published on the website. A lot of spam is posted on forums and blogs because this will reach a large audience of viewers and bots.

For a private contact form, spam is ineffective, so you won't have to worry about large amounts. The few spam messages that you will receive can effectively be filtered with a spam filter on your inbox (for instance using gmail or yahoo), especially since the incoming messages are plain text without images.

Tomas  2010-02-09 16:18:17
Unfortunately, this is not true. The current generation of spam bots just browses the web and posts into *all* forms they can find. They don't know, nor care, whether their post actually makes it onto a web page or not...
Wim  2010-02-09 16:19:59
I'm getting less then 10 spams per day for such a private contact form on a big site. But even if you would get hundreds, what does it matter? Isn't that what we have spam-filters for? An input-side solution such as a captcha, or other solutions posted, are an unnecessary burden for a private contact form.
Tomas  2010-02-09 17:26:54
Spam-filters can help in this case, but not always. My Drupal webform includes too much headers and footers which make the entire e-mail look OK to the filter, it doesn't trip on the relatively tiny amount of spam content in the middle.
Wim  2010-02-09 23:06:05

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?