Prevent php web contact form spam
Solution 1
A simple trick is to create a honeypot field:
html
<!-- within your existing form add this field -->
<input type="text" id="website" name="website"/>
css
/*in your css hide the field so real users cant fill it in*/
form #website{ display:none; }
php
//in your php ignore any submissions that inlcude this field
if(!empty($_POST['website'])) die();
Solution 2
An even simpler approach that works for me. Literally all spam that I receive(d), had a url in the message. So I filter on that, and have not received any spam messages since. I used to get about 10 a week.
Add this under your line $error_message = ""; in your php-file:
if(preg_match('/http|www/i',$comments)) {
$error_message .= "We do not allow a url in the comment.<br />";
}
The /i in the preg_match makes it case independent. The 'http' also filters for 'https'.
Solution 3
Hidden fields, silly questions (what is 3+4?), etc, are not very effective at blocking spam on forms.
I researched this several years ago, and came up with a solution I call "FormSpammerTrap". It uses JavaScript code to 'watch' for focus/onclick on required fields. Automated processes, unless highly customized for a specific site (which takes more time than spambot owners want to take), can't 'focus/onclick' a required field.
I have a free solution at my www.FormSpammerTrap.com site. And there's a form there that spambots can try to spam...and they haven't, for more than 3 years. You are welcome to try it out...it's all open source, so you can see how it works. (And, if you use the form, I don't harvest your email. I reply once, then delete your email.)
My technique is much more effective in blocking spambots. They haven't been able to spambot the contact form on that site.
Solution 4
Usually the bots submit a form very fast. So, based on that, another solution could be to add another hidden field that contain the number of seconds that passed from when the page was oppened. This can be done using JavaScript. Then check it in PHP. If the number of seconds is smaller than 5 seconds then it's spam (It's more likely that the real client needs more time to fit the form). You can adjust the number of seconds based on how many fields the form contain.
Solution 5
For my answer, since i got through this i will simply add some new possibilities because the honeypot by Steve is extremely good but got hijaked (perhaps new softwares for spamming these days) and the handmade captcha like (what is 3+4) did not work for me even with random numbers, it worked for a while but stopped working after some time. Don't know how they got past this but i had to add some codes...
So i managed to get the IP of the spammer like this:
$ip = $_SERVER['REMOTE_ADDR'];
Then added $ip to the sent email by my php code in the subject then added this code to check the results without spamming my inbox:
if ($ip == '1.1.1.1') /*<-- this is an example*/
{
$fp = fopen('spam_log.txt', 'a');
fwrite($fp, 'Inputname: '.$inputname.' IP: '.$ip."\n");
fclose($fp); die;
}
With this, i was safe for a while because the ip of the spammer did not change very often.
What i got the most were urls so i added this:
if (strstr($inputname, 'http')){die;} /*<-- did that for each input i had*/
if (strstr($inputname, 'www')){die;} /*<-- did that for each input i had*/
But sometimes i received spams without urls... by chance i got essentially cyrillic spam emails so i used this code:
$inputname_cyrillic = (bool) preg_match('/[\p{Cyrillic}]/u', $inputname);
if ($inputname_cyrillic){die;}
You can also add Arabic or Greek if needed that works fine since i cannot read these languages and am not interested in it.
If you're Russian or Arabic or Greek you can do the reverse and simply add the {Common} code which is A-Z related if you only want to receive cyrillic or Arabic, or Greek characters.
This thread helped me a lot so i wanted to contribute of my experience.
user7858610
Updated on January 03, 2022Comments
-
user7858610 over 2 years
I am an amateur web designer, I have searched on stackoverflow.com and other websites and have found many fixes for this issue I'm having, but none of them have worked (probably because I implement them incorrectly). I'm hoping someone with more knowledge can help me with a simple fix or show me how to implement one of the fixes I've found.
The problem: I have a very simple php contact form on my business's website. It has worked great for years, but in the last week has been hacked. I now receive hundreds of contact form submissions a day with no comments, they only have (apparently valid) email addresses, and a string of characters in the name field (like "58ee8b52eef46").
I have tried several techniques to prevent this spam, and they either break my php form, or they don't prevent the spam. If possible I would like a solution that does NOT require a Captcha distorted text test, and does NOT require all fields of the form to be filled.
Here is my full PHP code:
<?php if(isset($_POST['email'])) { $email_to = "[email protected]"; $email_subject = "website form submission"; function died($error) { echo "We are very sorry, but there were error(s) found with the form you submitted. "; echo "These errors appear below.<br /><br />"; echo $error."<br /><br />"; echo "Please go back and fix these errors.<br /><br />"; die(); } if (!isset($_POST['name']) || !isset($_POST['email']) || !isset($_POST['telephone']) || !isset($_POST['comments'])) { died('We are sorry, but there appears to be a problem with the form you submitted.'); } $name = $_POST['name']; $email_from = $_POST['email']; $telephone = $_POST['telephone']; $comments = $_POST['comments']; $error_message = ""; if(strlen($error_message) > 0) { died($error_message); } $email_message = "Form details below.\n\n"; function clean_string($string) { $bad = array("content-type","bcc:","to:","cc:","href"); return str_replace($bad,"",$string); } $email_message .= "Name: ".clean_string($name)."\n"; $email_message .= "Email: ".clean_string($email_from)."\n"; $email_message .= "Telephone: ".clean_string($telephone)."\n"; $email_message .= "Comments: ".clean_string($comments)."\n"; $headers = 'From: '.$email_from."\r\n" . 'Reply-To: '.$email_from."\r\n" . 'X-Mailer: PHP/' . phpversion(); @mail($email_to, $email_subject, $email_message, $headers); ?> Thank you for contacting us. We will be in touch with you soon. You will now be redirected back to example.com. <META http-equiv="refresh" content="2;URL=http://www.example.com"> <?php } die(); ?>
-
user7858610 about 7 yearsHi, thank you for this answer. I have implemented another fix similar to yours. However we occasionally get a form submission from someone who simply wants to know more information, and only includes and email or phone number with no comments. We have actually turned leads like this into sales so I don't want to remove the possibility of receiving forms without comments. I hope that makes sense.
-
rickdenhaan about 7 yearsMakes sense, but that really opens the door for spam bots. In that case you may want to consider adding a "just send me information" checkbox and disabling the submit button by default (so that the bots can't submit the form), then enabling it using javascript when the comment has been entered or the user checks that checkbox.
-
user7858610 about 7 yearsThank you! This is very simple and easy to implement. It meets all of my criteria. However, currently the spam I'm getting has the 'comments' field empty. What if it also leaves the ''websites' field empty, won't I still get the spam?
-
Steve about 7 yearsYes,
website
is a good general choice, because most dumb spambots are looking to drop a link. You can add as many honeypot fields as you like. You could even add a honeypot calledemail
, and rename your real email field to something else (likeemailaddress
). -
vega almost 7 yearsI tried to do that and inserting the fields and hiding them worked fine, but I cannot find the correct position where to enter the PHP code (with the die) into my PHP file. It just stops anywhere, even when those fields are not filled in.
-
Steve almost 7 years@vega change from
isset
to!empty
that was a mistake in my answer - empty form fields are submitted as empty strings, so will always be set -
Rick Hellewell about 6 yearsActually, form spammers will be able to 'find' that hidden field. So the technique is not very effective, IMHO. You are better off using some sort of 'human detection', like checking for focus on a field. That (along with some other things) is the technique I used on my FormSpammerTrap code. Much more effective technique, IMHO.
-
Rick Hellewell about 6 yearsNot sure that disabling the submit button will work with spambots that use automated techniques (like CURL). Their techniques will be able to 'see' a hidden field - even a hidden submit button, and submit the form.
-
Steve about 6 years@rickhellewell sure it's not foolproof by any means, but it is very quick to implement and still blocks a good 90% if form spanbots, which are not JavaScript or CSS aware
-
Rick Hellewell almost 6 yearsNot sure why the downvote: **Added 12 Jul 2018 ** The trick is to add an on-click/on-focus event that changes the action parameter to the actual processing page. Otherwise, the default value I use is a honeytrap-type site. I think it's hard for a spammer to simulate those events, although possible perhaps. The technique blocks a lot of bot-spammers. And still, after a couple of years using the technique on that site, the form hasn't been spammed by bots. (I define a bot spammer that sends multiple submits via the attack, not just one submit.) Works for me.
-
Stephen R almost 6 yearsIs your system compatible with legit form fillers such as 1Password?
-
Rick Hellewell almost 6 yearsShould be, although I've never tried it. It just has some Javascript to change things with an on-click and on-focus event. Since spam bots can't do Javascript (easily), this blocks a lot of them. You can easily add reCaptcha to the form if you want. Nothing fancy about it, just implemented into the forms so all you need to do is change a few variables, include a file, and call the function that 'builds' the form. It's free to try out and use; full featured. Check out the site for details.
-
bolvo about 5 yearsThis post is 2 years old and no longer seems to do anything. I have tried this on a few websites and the bots seem to take this technique into account.
-
Steve about 5 years@bolvo yes, it only protects against dumb bots - the OP specifically wanted a simple to implement solution, thats invisible to users. My prefered solution is recaptcha v2
-
ReverseEMF about 5 yearsHad the problem of Browser auto-completing one or more of my honeypots. Fix was to add " autocomplete='off' " attribute to each honeypot element.
-
User over 4 yearsYou can combine the two and generate a random number or similar. I've found a combination to be highly effective.
-
User over 4 yearsCombining honeypot with time taken to fill form (under 5 seconds highly likely to be spam) and random number generation had been highly effective. Captcha are too much for a simple contact form, although they have improved.
-
Abhishek Choudhary about 4 yearsIf the bot is designed for a specific website, it would not fall in this trap
-
ControlZ almost 4 yearsI've been using this on a site that receives a lot of spam from bots and it works! How would you add a second input, for example, address? I tried below and neither worked. if(preg_match('/http|www/i',$company)) { and if(preg_match('/http|www/i',$message)) { if(preg_match('/http|www/i',$message,$company)) { echo
-
AymDev almost 4 yearsOh, brilliant !
-
Rocky Kev over 3 yearsCan you re-write this to provide more step-by-step processes and break out the wall of text? This is really difficult to parse.
-
Rick Hellewell over 3 yearsExcept that some times you need to let a URL be in the message. My FormSpammerTrap solution (now at version 10, soon to be version 11) allows for multiple URLs plus a lot of other customization of the form. Very effective techniques used in the code - my sites don't get spam.
-
Rick Hellewell over 3 yearsForm fillers work with FormSpammerTrap (FST). And much customization is available to build a form with all types of fields. Bot protection is excellent; I've never gotten automated spam with my solution. Version 11 to be released soon. All the details on the FST site.
-
Rick Hellewell over 3 yearsIt's very easy for a robust spam bot to find and submit hidden fields. And those bots can be highly automated to find and exploit forms.
-
S. W. G. about 2 years@alimack how do you use random number generation in securing the form? Do you refer to nonce?
-
User about 2 years@S.W.G here's a simple example. stackoverflow.com/questions/28338414/…
-
Rick Hellewell about 2 yearsUp to version 14 now; working on version 15. V14 has tons of new features (languages and more) and there are tons of customizable features. You can add FST spam blocking to any form. Still all free. See v14 in use on my FormSpammerTrap site (link above). Been around since 2011 - still the best solution, IMHO.