Prevent php web contact form spam

I am an amateur web designer, I have searched on stackoverflow.com and other websites and have found many fixes for this issue I'm having, but none of them have worked (probably because I implement them incorrectly). I'm hoping someone with more knowledge can help me with a simple fix or show me how to implement one of the fixes I've found.

The problem: I have a very simple php contact form on my business's website. It has worked great for years, but in the last week has been hacked. I now receive hundreds of contact form submissions a day with no comments, they only have (apparently valid) email addresses, and a string of characters in the name field (like "58ee8b52eef46").

I have tried several techniques to prevent this spam, and they either break my php form, or they don't prevent the spam. If possible I would like a solution that does NOT require a Captcha distorted text test, and does NOT require all fields of the form to be filled.

Here is my full PHP code:

<?php
if(isset($_POST['email'])) {
  $email_to = "[email protected]";
  $email_subject = "website form submission";

  function died($error) {
    echo "We are very sorry, but there were error(s) found with the form you submitted. ";
    echo "These errors appear below.<br /><br />";
    echo $error."<br /><br />";
    echo "Please go back and fix these errors.<br /><br />";
    die();
  }

  if (!isset($_POST['name']) ||
    !isset($_POST['email']) ||
    !isset($_POST['telephone']) ||
    !isset($_POST['comments'])) {
    died('We are sorry, but there appears to be a problem with the form you submitted.');       
  }

  $name = $_POST['name'];
  $email_from = $_POST['email'];
  $telephone = $_POST['telephone'];
  $comments = $_POST['comments'];

  $error_message = "";
  if(strlen($error_message) > 0) {
    died($error_message);
  }
  $email_message = "Form details below.\n\n";

  function clean_string($string) {
    $bad = array("content-type","bcc:","to:","cc:","href");
    return str_replace($bad,"",$string);
  }

  $email_message .= "Name: ".clean_string($name)."\n";
  $email_message .= "Email: ".clean_string($email_from)."\n";
  $email_message .= "Telephone: ".clean_string($telephone)."\n";
  $email_message .= "Comments: ".clean_string($comments)."\n";

  $headers = 'From: '.$email_from."\r\n" .
             'Reply-To: '.$email_from."\r\n" .
             'X-Mailer: PHP/' . phpversion();
  @mail($email_to, $email_subject, $email_message, $headers);  
?>

Thank you for contacting us. We will be in touch with you soon. You will now be redirected back to example.com.
<META http-equiv="refresh" content="2;URL=http://www.example.com">

<?php
}
die();
?>

Hi, thank you for this answer. I have implemented another fix similar to yours. However we occasionally get a form submission from someone who simply wants to know more information, and only includes and email or phone number with no comments. We have actually turned leads like this into sales so I don't want to remove the possibility of receiving forms without comments. I hope that makes sense.

Makes sense, but that really opens the door for spam bots. In that case you may want to consider adding a "just send me information" checkbox and disabling the submit button by default (so that the bots can't submit the form), then enabling it using javascript when the comment has been entered or the user checks that checkbox.

Thank you! This is very simple and easy to implement. It meets all of my criteria. However, currently the spam I'm getting has the 'comments' field empty. What if it also leaves the ''websites' field empty, won't I still get the spam?

Yes, website is a good general choice, because most dumb spambots are looking to drop a link. You can add as many honeypot fields as you like. You could even add a honeypot called email, and rename your real email field to something else (like emailaddress).

I tried to do that and inserting the fields and hiding them worked fine, but I cannot find the correct position where to enter the PHP code (with the die) into my PHP file. It just stops anywhere, even when those fields are not filled in.

@vega change from isset to !empty that was a mistake in my answer - empty form fields are submitted as empty strings, so will always be set

Actually, form spammers will be able to 'find' that hidden field. So the technique is not very effective, IMHO. You are better off using some sort of 'human detection', like checking for focus on a field. That (along with some other things) is the technique I used on my FormSpammerTrap code. Much more effective technique, IMHO.

Not sure that disabling the submit button will work with spambots that use automated techniques (like CURL). Their techniques will be able to 'see' a hidden field - even a hidden submit button, and submit the form.

@rickhellewell sure it's not foolproof by any means, but it is very quick to implement and still blocks a good 90% if form spanbots, which are not JavaScript or CSS aware

Not sure why the downvote: **Added 12 Jul 2018 ** The trick is to add an on-click/on-focus event that changes the action parameter to the actual processing page. Otherwise, the default value I use is a honeytrap-type site. I think it's hard for a spammer to simulate those events, although possible perhaps. The technique blocks a lot of bot-spammers. And still, after a couple of years using the technique on that site, the form hasn't been spammed by bots. (I define a bot spammer that sends multiple submits via the attack, not just one submit.) Works for me.

Is your system compatible with legit form fillers such as 1Password?

Should be, although I've never tried it. It just has some Javascript to change things with an on-click and on-focus event. Since spam bots can't do Javascript (easily), this blocks a lot of them. You can easily add reCaptcha to the form if you want. Nothing fancy about it, just implemented into the forms so all you need to do is change a few variables, include a file, and call the function that 'builds' the form. It's free to try out and use; full featured. Check out the site for details.

This post is 2 years old and no longer seems to do anything. I have tried this on a few websites and the bots seem to take this technique into account.

@bolvo yes, it only protects against dumb bots - the OP specifically wanted a simple to implement solution, thats invisible to users. My prefered solution is recaptcha v2

Had the problem of Browser auto-completing one or more of my honeypots. Fix was to add " autocomplete='off' " attribute to each honeypot element.

You can combine the two and generate a random number or similar. I've found a combination to be highly effective.

Combining honeypot with time taken to fill form (under 5 seconds highly likely to be spam) and random number generation had been highly effective. Captcha are too much for a simple contact form, although they have improved.

If the bot is designed for a specific website, it would not fall in this trap

I've been using this on a site that receives a lot of spam from bots and it works! How would you add a second input, for example, address? I tried below and neither worked. if(preg_match('/http|www/i',$company)) { and if(preg_match('/http|www/i',$message)) { if(preg_match('/http|www/i',$message,$company)) { echo

Oh, brilliant !

Can you re-write this to provide more step-by-step processes and break out the wall of text? This is really difficult to parse.

Except that some times you need to let a URL be in the message. My FormSpammerTrap solution (now at version 10, soon to be version 11) allows for multiple URLs plus a lot of other customization of the form. Very effective techniques used in the code - my sites don't get spam.

Form fillers work with FormSpammerTrap (FST). And much customization is available to build a form with all types of fields. Bot protection is excellent; I've never gotten automated spam with my solution. Version 11 to be released soon. All the details on the FST site.

It's very easy for a robust spam bot to find and submit hidden fields. And those bots can be highly automated to find and exploit forms.

@alimack how do you use random number generation in securing the form? Do you refer to nonce?

@S.W.G here's a simple example. stackoverflow.com/questions/28338414/…

Up to version 14 now; working on version 15. V14 has tons of new features (languages and more) and there are tons of customizable features. You can add FST spam blocking to any form. Still all free. See v14 in use on my FormSpammerTrap site (link above). Been around since 2011 - still the best solution, IMHO.