DEV Community

MD Geus


Preventing contact form spam

The contact form

Everyone who has a contact form on their website will receive spam.
It’s a fact.


I’m not a fan of captcha.
Especially when you are running a B2B web shop, you don’t want your customers to click all the cars or bridges. They will stop filling in the form and go to another website where they can type in their question and click the send button, and you have lost a potential sale.

I think I’ve managed to reduce the spam messages to a minimum by adding a few checks.

The form

The first step to take is on the form itself.
Add an input field, but use CSS to hide it from the visitor.

When a bot is crawling your site and filling in the form, it will fill in this field too.
This is an indication that it is spam, because a real visitor will never see, let alone fill in, this field.
In my case I only want the customer’s name, phone, email and message, so I have added a hidden URL field.

This is the line it’s all about:

<div id="antispam"><label for="url">URL :</label><input id="url" class="form-control" autocomplete="off" name="url" type="text" /></div>

Also, don’t forget the autocomplete="off".
We don’t want our visitors’ autofill systems to fill in this field for them, which would wrongly flag a real customer as spam.

You only need to check this field before sending the message,
so in my case I’m doing this in the controller where the form is processed.

if (
    // 1. honeypot field has a value: only a bot fills in a hidden field
    (null != $this->input->post('url')) ||
    // 2. message is empty: client-side validation was bypassed
    ('' == $this->input->post('message')) ||
    // 3. "[url=" link markup in the text
    (preg_match("/\[url=/i", $this->input->post('message'))) ||
    // 4. message consists of digits and spaces only
    (preg_match("/^[0-9 ]*$/", $this->input->post('message'))) ||
    // 5. words that so far only appeared in spam messages
    (preg_match("/(girls|sex|qualify|viagra|dating|blackjack|cryptocurrency|money|gagner|Weight|cbd|cannabis|fuck|surveys|forex|invest|australians|Madchen|Marihuanan)/i", $this->input->post('message')))
) {
    // mark as spam !
}

(And, yes, I use the codeigniter framework)

The first check is whether the url field is not null (this means the url field has a value, so it must be spam).
The second check is whether the message itself is empty.
Of course I also check this client-side before the form is submitted, but I’ve noticed that sometimes (maybe older browsers, or JavaScript disabled, etc.) a submission passes that test and the form is sent with an empty message field.

The third check is to see if there is “[url=” in the text.
This is how you display a URL in the markdown markup language, and normal visitors of your website will not use markdown in your contact form.

Then I check whether the message contains only numbers. I know it’s weird, but we’ve received multiple contact form entries where there was no text, only combinations of numbers.
So as long as there is a word in the message field, it will pass this test and will not be marked as spam (yet).

The last line is something else.
These are unique words that appeared in the spam messages we received.
The trick is to identify a unique word that is only used in spam messages and will not be used by your customers when they want to ask you something.
This list of words will grow over time. I just add new words whenever another spam message passes this test.
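As an added example (not the author’s CodeIgniter code), the same five checks as a framework-independent PHP function that reports which rule fired, so rejected messages can be logged and the word list tuned. It assumes the submitted form is available as an array with the article’s field names, and it goes one step further than the article by matching the word list on word boundaries, because the bare alternation shown above also rejects real customers who write “Essex” or “investigate”.

```php
<?php
// Added example, not the article's code. Assumption: $post is the submitted
// form array ($_POST or a framework post() result) with the fields url and message.
// Word list taken from the article; kept in one place so it can grow.
const SPAM_WORDS = ['girls', 'sex', 'qualify', 'viagra', 'dating', 'blackjack',
    'cryptocurrency', 'money', 'gagner', 'weight', 'cbd', 'cannabis', 'fuck',
    'surveys', 'forex', 'invest', 'australians', 'madchen', 'marihuanan'];

// Returns the rules that matched; an empty array means the message passes.
function spamReasons(array $post): array
{
    $reasons = [];
    $url     = trim((string)($post['url'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));
    // Honeypot: visitors never see this field, so any value means a bot.
    if ($url !== '') {
        $reasons[] = 'honeypot';
    }
    // Empty message: client-side validation may have been skipped.
    if ($message === '') {
        $reasons[] = 'empty';
    }
    // "[url=" link markup, which customers do not type by hand.
    if (preg_match('/\[url=/i', $message)) {
        $reasons[] = 'url_markup';
    }
    // Nothing but digits and spaces (the empty case is already reported above).
    if ($message !== '' && preg_match('/^[0-9 ]*$/', $message)) {
        $reasons[] = 'digits_only';
    }
    // Word list with \b boundaries so "Essex" or "investigate" do not trigger it.
    $pattern = '/\b(' . implode('|', array_map('preg_quote', SPAM_WORDS)) . ')\b/iu';
    if (preg_match($pattern, $message, $m)) {
        $reasons[] = 'word:' . strtolower($m[1]);
    }
    return $reasons;
}

// Constructed sample submissions: one legitimate, two spam.
$samples = [
    ['url' => '', 'message' => 'Do you ship to Essex? I must investigate delivery times.'],
    ['url' => 'http://example.invalid', 'message' => 'Great site'],
    ['url' => '', 'message' => 'Earn money fast [url=http://example.invalid]here[/url]'],
];
foreach ($samples as $s) {
    $r = spamReasons($s);
    echo $s['message'] . ' => ' . ($r ? implode(',', $r) : 'ok') . "\n";
}
```

Logging the returned reason for every rejected submission shows which rule is doing the work and which one starts producing false positives as the word list grows.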

By now, I have reduced the amount of spam messages to zero.
