views: 307

answers: 6

Hi

I want to add a simple Contact form to my web site so that customers can contact me easily.

<form>
    NAME
    <input type='text' name='name' />
    EMAIL
    <input type='text' name='email' />
    MESSAGE
    <textarea name='message'></textarea>
    <input type='submit' />
</form>

This form would simply email me the customers message.

But I also want to reduce (no, I'm not saying eliminate, but at least reduce) SPAM.

I've looked into using CAPTCHAs but, ultimately, I don't want to hinder the customer with having to fill out extra information.

Any ideas for a good, simple spam prevention/reduction method I could use for my Contact form?

A: 
  1. When processing, check the user's headers; however, most bots provide headers.
  2. Try to resolve the IP provided; if it resolves and serves a web page you can assume it's being sent from a server, so the chances of it being a bot are high.
  3. Have a question, for example "What is the name of this website?" or "What is 5 + 2?"; however, bots can bypass these quite easily.

I would personally recommend a combination of the above: when the form is submitted, check the user's headers and see if the IP is a web server, and if either is true, present a CAPTCHA. However, if this were me I'd just implement reCAPTCHA; it's a great service, pretty much 100% secure and very easy for end users. I love it.

citricsquid
2: you'll lose all proxy and Opera Mini users that way...
Wim
Option #3 is not an option I want to pursue. See my original post for explanation.
BillK
A: 

You can just log the IP ($_SERVER['REMOTE_ADDR']) and forbid re-validation from this IP for 1 minute or, more precisely, start a session, give an ID to your visitor and forbid re-validation for 1 minute (or more, but bots don't like to wait).

gromax
Bots usually don't keep cookies, so the session thing won't work. Also, most bots run on hacked client PCs, which leads to a never-ending supply of new IP addresses. I've never had problems with a large amount of spam submissions from a single IP address; it's always the accumulation over time from a lot of different clients that causes problems...
Wim
You're right, Wim: it's just a good practice to avoid multiple submissions.
Alysko
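As an added example (not code from gromax or anyone else in this thread), here is the per-address cooldown from the answer above written as an in-memory throttle in JavaScript: a second submission from the same address inside a one-minute window is refused, and addresses whose window has passed are forgotten so memory stays bounded. The class name SubmissionThrottle, the constant COOLDOWN_MS and the sample addresses are this example's own choices. One caveat for deployment: if the site sits behind a reverse proxy, the address must be taken from the proxy's forwarded header rather than the socket address, otherwise every visitor behind that proxy shares one limit (the proxy and Opera Mini point Wim raises in a comment above).

```javascript
// Added example (not from the thread): the per-address cooldown gromax describes,
// as an in-memory throttle. Names (SubmissionThrottle, COOLDOWN_MS) and the sample
// addresses are this example's own; the 1-minute window is the one from the answer.
const COOLDOWN_MS = 60 * 1000;

class SubmissionThrottle {
  constructor(cooldownMs = COOLDOWN_MS) {
    this.cooldownMs = cooldownMs;
    this.lastAccepted = new Map(); // client address -> time (ms) of last accepted submission
  }

  // Returns true if a submission from `ip` at time `now` may be processed, false if
  // the same address had one accepted less than cooldownMs ago. Refused attempts do
  // not extend the window, so a client that keeps retrying is not locked out forever.
  allow(ip, now = Date.now()) {
    const prev = this.lastAccepted.get(ip);
    if (prev !== undefined && now - prev < this.cooldownMs) {
      return false;
    }
    this.lastAccepted.set(ip, now);
    this.forgetExpired(now);
    return true;
  }

  // Drop addresses whose window has passed so the map does not grow without bound.
  // Deleting from a Map while iterating it is safe in JavaScript.
  forgetExpired(now) {
    for (const [ip, ts] of this.lastAccepted) {
      if (now - ts >= this.cooldownMs) this.lastAccepted.delete(ip);
    }
  }

  // Number of addresses currently inside their cooldown window.
  size() {
    return this.lastAccepted.size;
  }
}

// Constructed walk-through with fixed timestamps instead of the wall clock.
const throttle = new SubmissionThrottle();
console.log(throttle.allow('203.0.113.5', 0));      // true  (first submission)
console.log(throttle.allow('203.0.113.5', 30000));  // false (30 s later, still inside the window)
console.log(throttle.allow('203.0.113.5', 60000));  // true  (window elapsed)
```

The throttle only answers the question gromax poses (did this address just submit?); as Wim notes in the comment above, a botnet supplies a fresh address per submission, so this is a guard against repeat posts from one client, not a bot detector on its own.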
+2  A: 

Use Google or Yahoo mail account. They have good anti-SPAM filters.

Milan Babuškov
This is a good idea; Gmail supports automatic forwarding of emails, doesn't it? This could work well. Probably the easiest implementation too, AND you risk losing no potential customers due to captcha frustration.
citricsquid
+1; or any other inbox spam filtering. No reason to burden the user with a CAPTCHA or the users' browsers with HTML tricks. This is an inbox problem.
Tomas
+2  A: 

The only (client-side) way other than a CAPTCHA-type user confirmation would be to write the whole thing dynamically. A lot (but not all) of robots would probably ignore the dynamic content. E.g.

document.write("<"+"form>"
  +" NAME "
  +" <"+"input type='text' name='name' /> "
  +"EMAIL "
  +"<"+"input type='text' name='email' /> "
  +"MESSAGE "
  +"<"+"textarea name='message'><\/textarea> "
  +"<"+"input type='submit' /> "
+"<\/form> ");
Graza
Does that really work? That seems like a super simple way.
BillK
I do a very similar thing where I simply set the email address dynamically on page load. The email is not in a single string, i.e.: `"my"+"email@"+domain+".com"`
Rob Fonseca-Ensor
All bots bypass this.
Alysko
@Alysko: Really? I don't think so. Are you saying all bots completely understand and interpret JavaScript? The only problem with this is that not all clients understand JavaScript either...
Tomas
*Some* bots would process it, but my guess is anyone who's writing a bot for speed would try to limit the amount of script processing, so a lot would skip it. **@Tomas** - agreed about the problem with not all clients understanding it, though. This approach completely breaks graceful degradation or progressive enhancement. **@Rob** - I do similar things, but usually on separate lines, and with the `@` in hex, e.g. `m="my";m+="email\x40";m+="dom";m+="ain.c";m+="om";` - a paranoid solution, but I'd hope it tricks all bots. Again, however, it breaks graceful degradation. Wim's solution looks awesome.
Graza
+7  A: 

A very simple trick I've been using with a surprisingly good success rate is this: provide a text field that is hidden from human users with style="display: none", but with an enticing name like "email". Most bots will fill in something in this field, but humans can't see it, so they won't. At the server, just make sure the field is empty; otherwise treat the submission as spam.

Wim
Great idea. A combination of your idea and Graza's might be just it.
BillK
This is a great idea! Alternatively, if bots are smart enough to ignore such tags, set `display:none` dynamically in JavaScript, and add a comment asking the user NOT to fill in the field in case JavaScript fails.
Graza
I love this idea. CAPTCHAs are a pain in the neck. Spam prevention should be about detecting bots, not proving that the user is human.
Donal Boyle
Excellent idea! But now that you've given it to us, bots will know :)
Alysko
I am building a bot, as we speak, to incorporate this design... *evil laugh*
Anthony Forloney
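As an added example, not code from Wim or anyone else in this thread, here is the honeypot approach end to end in JavaScript: the rendered form carries a decoy field named email that CSS hides from sighted users, the real address field is renamed contact_email so a human never sees the trap, and the server-side classifier refuses any submission in which the decoy is non-empty. The HTML comment inside the hidden block is the fallback Graza's comment suggests for clients that do not apply the style (a script could set `display:none` instead of the inline style with no change to the server logic). The field name contact_email, the action path /contact and the two request bodies are assumptions constructed for this example.

```javascript
// Added example (not from the thread): a honeypot-protected contact form and the
// server-side check Wim describes. Assumed names: the decoy is "email", the real
// address field is "contact_email", and the form posts to "/contact".
const HONEYPOT_FIELD = 'email';
const REQUIRED_FIELDS = ['name', 'contact_email', 'message'];

// Render the form. The decoy sits in a div hidden by CSS; the comment inside it
// tells anyone who does see it (text browsers, CSS off) to leave it blank.
// tabindex=-1 and autocomplete=off keep keyboard users and browser autofill out of it.
function renderForm() {
  return [
    "<form method='post' action='/contact'>",
    "  NAME <input type='text' name='name' />",
    "  EMAIL <input type='text' name='contact_email' />",
    "  MESSAGE <textarea name='message'></textarea>",
    "  <div style='display: none'>",
    "    <!-- Please leave this field empty -->",
    `    <input type='text' name='${HONEYPOT_FIELD}' tabindex='-1' autocomplete='off' />`,
    "  </div>",
    "  <input type='submit' />",
    '</form>',
  ].join('\n');
}

// Decode an application/x-www-form-urlencoded request body into a plain object.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Decide whether to forward a submission by mail. Anything in the decoy field means
// the client filled in every input it found, which a human using a browser would not.
// Returns { accept: boolean, reason: string }.
function classifySubmission(fields) {
  const trap = fields[HONEYPOT_FIELD];
  if (trap !== undefined && trap.trim() !== '') {
    return { accept: false, reason: 'honeypot' };
  }
  for (const name of REQUIRED_FIELDS) {
    if (!fields[name] || fields[name].trim() === '') {
      return { accept: false, reason: `missing:${name}` };
    }
  }
  return { accept: true, reason: 'ok' };
}

// Constructed request bodies for demonstration (not real submissions).
const HUMAN_BODY = 'name=Jane+Doe&contact_email=jane%40example.com&message=Hello&email=';
const BOT_BODY = 'name=x&contact_email=a%40example.net&message=buy+now&email=spam%40example.net';

console.log(classifySubmission(parseFormBody(HUMAN_BODY))); // { accept: true, reason: 'ok' }
console.log(classifySubmission(parseFormBody(BOT_BODY)));   // { accept: false, reason: 'honeypot' }
```

Rejected submissions are best dropped silently with a generic "thank you" page: a distinct error for the honeypot case only tells the sender which field tripped the check. Counting the rejections in the server log is still worthwhile, since it shows how much the trap is catching and whether legitimate users are ever hitting it.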
A: 

You won't need to reduce spam because the messages are not published on the website. A lot of spam is posted on forums and blogs because it will reach a large audience of viewers and bots.

For a private contact form, spam is ineffective, so you won't have to worry about large amounts. The few spam messages that you will receive can effectively be filtered with a spam filter on your inbox (for instance using gmail or yahoo), especially since the incoming messages are plain text without images.

Tomas
Unfortunately, this is not true. The current generation of spam bots just browses the web and posts into *all* forms they can find. They don't know, nor care, whether their post actually makes it onto a web page or not...
Wim
I'm getting fewer than 10 spam messages per day for such a private contact form on a big site. But even if you got hundreds, what does it matter? Isn't that what we have spam filters for? An input-side solution such as a CAPTCHA, or the other solutions posted, is an unnecessary burden for a private contact form.
Tomas
Spam filters can help in this case, but not always. My Drupal webform includes too many headers and footers, which make the entire e-mail look OK to the filter; it doesn't trip on the relatively tiny amount of spam content in the middle.
Wim