I wrote a blog post last year about “How to Stop Contact Form Spam” and it seems to do the job to weed out the bots from hitting your form processing script automatically and submitting a bunch of spam. However, it looks like one of my websites is getting hit manually by a person or script – they are filling out all of the required fields with a valid-formatted email address and actually clicking the submit button to access the confirmation page. However, they are flooding the “Message” textarea box with thousands of pharmaceutical words, some of which are hyperlinked to their spam sites. The most logical way I can think of to combat these spammers is to screen out all submissions that have keywords in the anchor text of any links submitted. I don’t want to disallow URLs completely, but only those that contain custom anchor text. I’ve Googled variations of “anchor text contact form spam” but have come up with nothing.
The majority of the websites I develop for clients have contact forms on them for a variety of reasons. First, it’s more convenient for users to fill out a form within their browser window as opposed to requiring them to open up their email software to write an email from scratch. Second, it’s the primary method of measuring generated leads/conversions, and clients can require exactly the information they need to qualify leads. Third, by using a contact form, clients won’t have to publish an email address on the site for spam bots to harvest. However, contact forms are definitely vulnerable to being flooded with spam and that’s why I am writing this post on how to prevent exactly that. I use a variety of methods which tend to prevent 99% of automated spam submissions:
Step 2. Validate The Referrer – If you are using a separate file to process the form, make sure to validate that the form is being submitted from the page with the contact form. This will prevent bots and spammers to automatically access the processing file to spam it. However, the referrer can easily be spoofed and often is, so this method alone is certainly not bulletproof.
Step 3. Hide Fields with CSS – Most bots and spammers will automatically fill out every form field that is on the page. One way to stop them is to insert a blank field in the form but hide with CSS “display: none;”. Add some code to your form processing file to check to ensure that the hidden field remains empty; if it’s not, it’s most likely filled out by a spammer and thus should not be processed.
Follow those 3 steps and you’ll be much better protected against contact form spam. There are definitely additional measures you can use such as more complicated JS validation, CAPTCHAs, and asking simple questions that only humans can answer (1+2=?, what color is a cardinal?, etc.), but I’ll write more about those in another post.