Preventing Form Spam
A continuation of this post has been published, see: Preventing Form Spam, Part 2.
As most blog owners know, automated spam posts can be a major headache. Techniques like CAPTCHA were invented specifically to verify your human identity – although these programs require constant refinement, as spammers have defeated many of them. It’s a war out there, and as the spammers adapt, so must we.
While extra verification techniques like CAPTCHAs may be acceptable for a blog, members of the sales world understand that these mechanisms also act as deterrents to potential clients. Spam protection should ideally be seamless to the end user, with all of the heavy lifting done behind the scenes.
In-line web contact forms, like ours at Element TwentySix, will get spammed by these automated robots and – if left unprotected – you will likely receive spam advertisements in addition to legitimate inquiries into your product or service. Receiving spam is an absolute nuisance, although asking your potential client to do extra work to help make your life easier isn’t a much better alternative. (If you are curious why these spam robots exist in the first place, I will discuss SEO in a later topic.)
A clever technique that will dramatically cut down on the amount of form spam you receive involves the use of Javascript. Most spam robots do not support Javascript; thus, you can allow your legitimate Javascript-enabled users to post on your form, while foiling the spam robots. If you can accept the risk of alienating your Javascript-challenged visitors (estimated 0-2% of all internet users), this technique will work for you.
First, you’ll want to add an extra line of HTML code to your contact form. In this example, I used the class “spam”, but you can name it something else if you choose. Set the value “sorry.html” to the URL of the page you want your users (or spambots) to see when Javascript is not enabled.
    <form action="...">
        ...
        <input class="spam" name="spambot" type="hidden" value="sorry.html" />
        ...
    </form>
Now, in the HEAD section of your HTML, make sure you have the jQuery library (note: this can also be done in plain Javascript, but it is not as clean) as well as a simple line of code that removes all HTML input fields with the class “spam”.
    <head>
        ...
        <script src="http://jqueryjs.googlecode.com/files/jquery-1.3.2.js" type="text/javascript" charset="utf-8"></script>
        <script type="text/javascript">
            $(document).ready(function(){
                $("input.spam").remove();
            });
        </script>
        ...
    </head>
Now, the final change you’ll need to make is with your form mailer script. You can add the following line right after the <?php markup and you’ll be set! Anyone submitting the form that contains the spambot field must not have Javascript enabled; therefore, they will be redirected to the “sorry.html” page that you set up earlier.
    if (isset($_POST['spambot'])) {
        // redirect user to location specified in spambot
        header("Location: http://" . $_SERVER["HTTP_HOST"] . "/" . $_POST['spambot']);
        die();
    }
If your site is running on GoDaddy’s hosting platform, and you are using their provided script webformmailer.php, you can take advantage of this spam-prevention technique also. Since GoDaddy does not give you direct access to the contents of the webformmailer.php file, we’ll have to use a slight workaround. First, rename webformmailer.php to something different, like webformmailer-godaddy.php.
Now, upload a new webformmailer.php, which contains the code below:
    <?php
    // if input form contains spambot field
    if (isset($_POST['spambot'])) {
        // redirect user to location specified in spambot
        header("Location: http://" . $_SERVER["HTTP_HOST"] . "/" . $_POST['spambot']);
        die();
    }
    include("webformmailer-godaddy.php");
    ?>
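A hardened variant of the check above, as an added example that is not part of the original post: the scripts above build the Location header from the posted spambot value and the client-supplied Host header, so whoever submits the form chooses the redirect path. Here the target comes from a fixed server-side list instead. The function name spambot_redirect_path and the SPAM_REDIRECT_PAGES list are assumptions made for this example, and the syntax needs PHP 7.1 or later.

```php
<?php
// Added example, not the original post's code: same hidden-field check,
// but the redirect target is picked server-side from a fixed list.

// Assumption: the only pages this site is willing to redirect a flagged post to.
const SPAM_REDIRECT_PAGES = ['sorry.html'];

/**
 * Returns null when the hidden "spambot" field is absent (JavaScript removed it),
 * otherwise the site-relative path the submitter should be redirected to.
 */
function spambot_redirect_path(array $post): ?string
{
    if (!array_key_exists('spambot', $post)) {
        return null; // legitimate, JavaScript-enabled submission
    }
    $value = $post['spambot'];
    // Only an exact match against the list is echoed back; array values
    // (spambot[]=x) and any edited value fall back to the first listed page.
    if (is_string($value) && in_array($value, SPAM_REDIRECT_PAGES, true)) {
        return '/' . $value;
    }
    return '/' . SPAM_REDIRECT_PAGES[0];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions, for trying the function from the command line.
    var_dump(spambot_redirect_path(['name' => 'Ann']));             // field removed by JavaScript
    var_dump(spambot_redirect_path(['spambot' => 'sorry.html']));   // field left in place
    var_dump(spambot_redirect_path(['spambot' => 'some/other/page'])); // edited value
    var_dump(spambot_redirect_path(['spambot' => ['x']]));          // array instead of string
    exit;
}

$path = spambot_redirect_path($_POST);
if ($path !== null) {
    // Site-relative Location: no dependence on the Host header sent by the client.
    // 303 tells the client to fetch the page with GET after the POST.
    header('Location: ' . $path, true, 303);
    exit;
}
// The mail-sending code, or the include of the renamed mailer, continues here.
```

The hidden field's value in the form can stay as it is; it now only needs to match an entry in the list.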
That’s all there is to it. If you are having trouble with spam, and would like to learn more about our services, please contact us.