Form spam: BE GONE!

Category : Coding and Database, Slick Code, Technology

I started getting emails last month from the forms on one of my client's websites. The spam came as a long string of links in the comments section of one of the forms. The idea behind this type of spam is, I think, to boost search engine ranking by increasing the click rate to your site. It is easy enough to detect and delete, but still, it's quite a pain to delete 10-12 emails a day. Not to mention there is a more malicious form of form spamming, which I was lucky enough not to have been hit by, where the spammer inputs PHP code into the form fields that tricks your mail server into sending bogus messages from your return address. This has had the effect of some sites being blacklisted from search engines for spamming, but I hear that Google and others are going to be lenient on this in response to the rise in form spam in recent months.

So that was the worst case scenario, and to avoid it altogether we needed to add some sort of form validation. Client-side JavaScript could be used, but if the spammer simply turned off JavaScript we'd be back to a naked form, so although it is useful for making sure humans enter real email addresses (with the @ symbol), it would be useless for stopping a bot.

The next step would be to use a CAPTCHA, but I hate these things, and good OCR software can read them better than people with poor eyesight, so this isn't the best answer either. New CAPTCHAs are evolving into fill-in-the-blanks, picture descriptions, and general questions ("what's the letter after b?"). Machines will not understand the question and so cannot guess the answer.

But still, this is slightly intrusive because it requires the user to think. Sometimes that’s enough to put people off. I wanted a solution that eliminated bot generated spam without encumbering the real users at all.

My solution was to wrap the PHP mail call in an if statement that checks the value of a hidden field. If anything has been entered into this field we can deduce that it was not filled out by a human (who would never see the field), so the request fails the if statement and the mail command is never fired.

However, the page will still look as though the email was sent. This is important, as it lets the spammer think everything worked. After putting this into play, spam on our forms has effectively ended. I say effectively because I read somewhere that some people actually sit and copy and paste this sort of junk into forms by hand. What a waste. No one reads it anyway.

I just wanted a solution that freed up my client without affecting his customers.

The HTML/CSS looks like this:
<input style="display:none" type="text" id="email" name="email">

PHP:
$test = $_POST["email"];

if ($test == "") {
    mail($mailto, $mailsubj, $mailbody, $mailhead);
}
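A fuller version of the same idea, added here as an example and not taken from the post: the honeypot check above, plus a guard against the "bogus messages from your return address" problem the post mentions, which happens when a field that ends up in a mail header carries a line break. Field names other than the "email" honeypot, and the owner address, are assumptions.

```php
<?php
// Added example, not the post's own code. Only the honeypot field name
// "email" comes from the post; reply_to, subject, message and the
// recipient address are assumed.

// True when the hidden honeypot field is untouched. A field that is
// missing entirely (back button, non-JavaScript browser) counts as
// empty rather than as spam, which avoids the "random blanks" problem.
function honeypot_is_clean(array $post, string $field = 'email'): bool
{
    return !isset($post[$field]) || trim((string) $post[$field]) === '';
}

// Anything placed in a mail header must not contain CR or LF, or extra
// headers such as Bcc: could be appended. Reject instead of stripping,
// so a tampered submission is never relayed at all.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Returns true only if the message was handed to mail(). The caller
// shows the same confirmation page either way, so a bot learns nothing.
function handle_contact_form(array $post, string $mailto): bool
{
    $reply   = (string) ($post['reply_to'] ?? '');
    $subject = (string) ($post['subject'] ?? 'Website enquiry');
    $body    = (string) ($post['message'] ?? '');

    if (!honeypot_is_clean($post)) {
        error_log('contact form: honeypot filled, dropped');
        return false;
    }
    if (!header_safe($subject) || !filter_var($reply, FILTER_VALIDATE_EMAIL)) {
        error_log('contact form: bad header field, dropped');
        return false;
    }
    // From: stays fixed to the site's own address; the visitor goes in
    // Reply-To, so the server never sends "as" an arbitrary address.
    $headers = "From: noreply@example.com\r\nReply-To: $reply\r\n";
    return mail($mailto, $subject, $body, $headers);
}

// Identical confirmation page whether or not anything was sent.
handle_contact_form($_POST, 'owner@example.com');
echo 'Thanks, your message has been sent.';
```

The error_log lines give you a count of dropped submissions to watch, which is how you notice if bots start working around the hidden field.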

Currently I'm working through a great book by Steve Krug called Don't Make Me Think.

Update: August 1st, 2008:
To eliminate the "random blanks" I got from users pressing the back button and from non-JavaScript browsers, I modified the above code to include a few more conditions. Read the next article on using the IF equal to AND not equal to function in PHP to find out more.

Comments (3)

Great Post. Subscribed to Your Feed. Thanks!

Great Post. Subscribed to Your Feed. Thanks!

Glad this post is helping people out. Also, glad that spammers have not found a way around this yet.

woot!
