The contact form on my main site, www.dangifford.com was recently discovered by spam bots.
Instead of enquiries from people wanting me to perform magic, I have been bombarded with links to sites selling ringtones, watches and various pills and potions. So it was time to sort it out and put in some preventative measures.
Spam proofing a form is pretty straightforward in PHP. There are many free PHP contact form scripts that will add captchas and other anti-spam measures to your forms. Unfortunately, my site is static HTML on a basic hosting package with no PHP. It uses the venerable FormMail CGI script from Matt’s Script Archive to process forms.
I considered trying to add a captcha, a simple arithmetic or spelling question to ensure a human is using the form, and modifying the script to check the answer. However, my programming skills aren’t up to it (I’m just a messy hacker) and besides, I want to prevent spam, not make using my forms harder for genuine users.
So I’ve used a much simpler solution involving fake form fields. (See this article)
Add a fake textarea field to the form, giving it an easily identifiable name such as ‘comments’ or ‘message’. Rename the genuine field. For example change ‘comments’ to ‘whattheysay’.
In the stylesheet for the page, create a class including the rule ‘display: none;’ and apply it to the fake field.
Normal users will not be able to see, and therefore not be able to enter text into the fake field. But the spam bots will find it in the code and fill it with links to dodgy sites.
So, when the form is processed by the FormMail CGI script, it only needs to test for content in the fake field to determine if the message is spam.
Open up FormMail.cgi in a text editor and find the send_mail function. Enclose it in an if statement that checks whether the ‘comments’ fake field is empty. Here is the relevant code:
    sub send_mail {
        # Only send email if the spam-trapping field is empty
        if ($Form{'comments'} eq '') {
            # ....rest of send_mail function....
        } # closing bracket for spam if statement
    }
That’s it!
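To show the same honeypot test as a stand-alone check (added example, not code from FormMail or this site; the field names ‘comments’ and ‘whattheysay’ follow the post, the parser and sample submissions are constructed for the example), here it is with the two edge cases the one-liner above does not cover: a trap field that is missing from the submission, and one containing only whitespace.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Field names as used in the post (the hidden trap and the renamed real field).
my $TRAP_FIELD = 'comments';     # fake, CSS-hidden field that bots fill in
my $REAL_FIELD = 'whattheysay';  # renamed genuine message field

# Decide whether a submission is spam. Takes a hashref of field => value,
# as %Form holds them inside FormMail.cgi. Returns 1 for spam, 0 for genuine.
# A missing trap field counts as empty, so 'eq' never sees an undefined value
# and a browser that drops empty fields does not get its user rejected.
sub is_spam {
    my ($form) = @_;
    my $trap = $form->{$TRAP_FIELD};
    return 0 unless defined $trap;
    $trap =~ s/^\s+|\s+$//g;     # whitespace-only still counts as empty
    return length($trap) ? 1 : 0;
}

# Minimal query-string parser so the example runs without CGI.pm.
sub parse_form {
    my ($qs) = @_;
    my %form;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        $form{$k} = $v;
    }
    return \%form;
}

# Constructed sample submissions: a genuine enquiry and a bot that filled the trap.
my $human = parse_form("realname=Jane&whattheysay=Can+you+do+a+party%3F&comments=");
my $bot   = parse_form("realname=x&whattheysay=hi&comments=buy+ringtones+http%3A%2F%2Fexample.invalid");

print "human: ", (is_spam($human) ? "dropped" : "would send"), "\n";
print "bot:   ", (is_spam($bot)   ? "dropped" : "would send"), "\n";
```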
In the spam emails I received, it was the textarea field (named ‘comments’) that was being spammed, so that is the field I’ve faked. Other forms may have different fields that get filled with spam, but I suspect spam bots target textarea fields, where they can add the most text.
Problems / room for improvement?
I suppose spam bots might learn to detect fields hidden using this CSS technique, however there are other CSS tricks that can be used to hide the fake fields.
You could also do something other than just not sending the email. Maybe bounce it back to the spammer? I’m just happy not wasting my bandwidth downloading it.
People using alternative stylesheets (for accessibility reasons) will be able to see the fake field. For those users, add a note next to the field saying something like ‘This field is used to detect spammers – don’t write anything in it!’. Give the note the same ‘display: none;’ class as the fake field and it will disappear when viewed with the standard stylesheet.
No more spam so far…