6 Modern Solutions to Protect Web Forms From Spam

By
Jennifer Kyrnin
Jennifer Kyrnin
Writer
  • University of California
  • University of Washington

Jennifer Kyrnin is a professional web developer who assists others in learning web design, HTML, CSS, and XML.

Learn about our Editorial Process
Updated on June 27, 2020
Reviewed by
Jerrick Leger
Jerrick Leger headshot
Reviewed by Jerrick Leger
Jerrick Leger is a CompTIA-certified IT Specialist with more than 10 years' experience in technical support and IT fields. He is also a systems administrator for an IT firm in Texas serving small businesses.
Learn about our Editorial Process

Spam is a problem that all website owners struggle to deal with. The simple truth is that if you have any web forms to collect information from your customers on your site, you are going to get some spam submissions. In some cases, you may get lots and lots of spam submissions.

Spam is a huge problem even on forms that don't do anything that could conceivably benefit the spammer (like repost back to the website where they would be able to add backlinks to other sites). Spammers use web forms to try and promote their own businesses and sites and they use them for more malicious purposes as well. Blocking spammers from your web forms can be an important productivity tool and will keep your website comment section from looking shabby.

Spam avalanche
Tim Robberts / Stone / Getty Images

In order to protect your web forms, you need to make it difficult or impossible for an automated tool to fill in or submit the form while keeping it as easy as possible for your customers to fill out the form. This is often a balancing act as if you make the form too hard to fill out your customers will not fill it out, but if you make it too easy you'll get more spam than real submissions. Welcome to the fun times of managing a website!

Add Fields That Only Spam Bots Can See and Fill In

This method relies on either CSS or JavaScript or both to hide form fields from customers visiting the site legitimately while displaying them to robots that only read the HTML. Then, any form submission that contains that form field being filled out can be considered spam (since a bot clearly submitted it) and deleted by your form action script. For example, you could have the following HTML, CSS, and JavaScript:










Email address:
Email:

CSS in 

styles.css

file 


#email2 { display: none; }

JavaScript in 

script.js

file 


$(document).ready(
function() {
$('#email2').hide()
}
);

The spam robots will see the HTML with the two email fields, and fill in both of them because they don't see the CSS and JavaScript that hides it from real customers. Then you can filter your results and any form submissions that include the 

email_add

field are spam and can be deleted automatically before you ever have to deal with them manually.


This method works well with less sophisticated spam bots, but many of them are getting smarter and are now reading CSS and JavaScript. Using both CSS and JavaScript will help, but it won't stop all the spam. This is a good method to use if you aren't terribly worried about spam but would like to make it slightly harder for the spambots. Your customers won't notice it at all.

Use a CAPTCHA

A CAPTCHA is a script to block spam bots from accessing your forms while humans can (for the most part) get through. If you've ever filled out a form and had to retype those squiggly letters, you have used a CAPTCHA. You can get a free CAPTCHA solution from ReCAPTCHA.

CAPTCHAs can be effective at blocking spam. Some CAPTCHA systems have been hacked, but it's still an effective block. The problem with CAPTCHAs is that they can be very difficult for people to read. ReCAPTCHA includes an audible version for blind people, but many people don't realize they can listen to something and get through. It's never a good idea to frustrate users, and these form CAPTCHAs often do just that.

This method works well for important forms you want to protect like registration forms. But you should avoid using CAPTCHAs on every form on your page, as that can deter customers from using them.

Use a Human-Friendly Bot-Unfriendly Test Question

The idea behind this is to put a question that a human can answer, but a robot would have no idea how to fill it in. Then you filter the submissions to look for the correct answer. These questions are often in the form of a simple math problem like “what is 1+5?”. For example, here is the HTML for a form with a question like this:


Email address:

A zebra is black and


Then, if the 

stripes
value is not “white” you know it's a spambot and you can delete the results.

Use Session Tokens That Are Applied at the Site Level and Required by the Form

This method uses cookies to set session tokens when a customer visits the website. This is an excellent deterrent for spam bots because they don't set cookies. In fact, most spambots arrive directly at the forms, and if you have the session cookie not set on the form, that will ensure that only people who visited the rest of the site are filling out the form. Of course, this could block people who bookmarked the form. Learn how to write your first HTTP cookie.

Record Data From the Form Submissions Like IP Address and Use That to Block Spammers

This method is less of a front-line defense and more of a way to block spammers after the fact. By collecting the IP address in your forms, you can then detect patterns of use. If you receive 10 submissions from the same IP in a very short period of time, that IP is almost certainly spam.

You can collect the IP address using PHP or ASP.Net and then send it with the form data.

PHP: 

$ip = getenv("REMOTE_ADDR") ;

ASP.Net 

ip = '

This method works well if you don't get a lot of continuous spam, but instead get periodic bursts of activity, such as with a sign in form. When you see people attempting to access your protected areas multiple times knowing their IP so you can block them can be strong protection.

Use a Tool Like Akismet to Scan and Delete Spam Submissions

Akismet is set up to help bloggers block comment spam on their forms, but you can also buy plans to help you block spam on other forms as well.

This method is very popular among bloggers because it is so easy to use. You just get an Akismet API and then set up the plugin.

The Best Spam Management Strategy Uses a Combination of Methods

Spam is big business. As such, spammers are getting more and more creative in their ways of getting around spam blocking tools. They have more sophisticated spambot programs and many are even employing low-paid people to post their spam messages directly. It is nearly impossible to block a real human who is submitting spam manually via a form. No one solution is going to catch every type of spam. So, using multiple methods can help.

But remember, don't use multiple methods that the customer can see. For example, don't use both a CAPTCHA and a human-answerable question on the same form. This will annoy some customers and will lose you legitimate submissions.

Specific Tools for Fighting Comment Spam

One of the most common places people see spam is in comments, and this is often because they use a standard blogging package like WordPress. If you are hosting WordPress yourself, there are a few things you can do to fight comment spam specifically. And these work for any blogging system that you have access to the files:

  • Don't use standard URLs for forms Most comment spam is automated, and they go out to WordPress and other blog sites and just attack the form directly. This is why you will sometimes see comment spam even if you have comments removed from your template. If the comment file (usually called 
    comments.php
    ) exists on your site, spammers can and will use it to post spam comments to your blog. By changing the file name to something else, you can block these automated spambots.
  • Move your form pages periodically — Even if you're not using a standard file name for your comments or form fields, spammers can find them if they are linked on your site. And there are many spam businesses where all they do is sell lists of URLs to forms where spammers can write their posts. I have a couple of form pages that have not been active in over five years that still get periodic hits by spammers. They get a 404 and I see that in my stats, so I know I shouldn't use that page again.
  • Change the name of your form action scripts periodically — But just like the form pages, you should periodically change the name of any scripts you point to in the
    action
    attribute of your forms. Many spammers point directly to these scripts, bypassing the forms completely, so even if you move your form page, they still can submit their spam. By moving the script, you drive them to a 404 or 501 error page instead. And just like the previous suggestion, I have scripts that have been deleted from my server for years that spammers still try to hit.

Spammers are really annoying, and as long as the cost to send out the spam is so much lower than the return, there will always be spammers. And the arms race of protection tools versus spammer bots will continue to escalate. But, hopefully, with a combination of the tools listed here, you will have a strategy that will last a few years.

Format
mla apa chicago
Your Citation
Kyrnin, Jennifer. "6 Modern Solutions to Protect Web Forms From Spam." ThoughtCo, Apr. 5, 2023, thoughtco.com/solutions-to-protect-web-forms-from-spam-3467469. Kyrnin, Jennifer. (2023, April 5). 6 Modern Solutions to Protect Web Forms From Spam. Retrieved from https://www.thoughtco.com/solutions-to-protect-web-forms-from-spam-3467469 Kyrnin, Jennifer. "6 Modern Solutions to Protect Web Forms From Spam." ThoughtCo. https://www.thoughtco.com/solutions-to-protect-web-forms-from-spam-3467469 (accessed April 19, 2024).