I am an amateur web designer, I have searched on stackoverflow.com and other websites and have found many fixes for this issue I'm having, but none of them have worked (probably because I implement them incorrectly). I'm hoping someone with more knowledge can help me with a simple fix or show me how to implement one of the fixes I've found.

The problem: I have a very simple php contact form on my business's website. It has worked great for years, but in the last week has been hacked. I now receive hundreds of contact form submissions a day with no comments, they only have (apparently valid) email addresses, and a string of characters in the name field (like "58ee8b52eef46").

I have tried several techniques to prevent this spam, and they either break my php form, or they don't prevent the spam. If possible I would like a solution that does NOT require a Captcha distorted text test, and does NOT require all fields of the form to be filled.

Here is my full PHP code:

<?php
if(isset($_POST['email'])) {
  $email_to = "[email protected]";
  $email_subject = "website form submission";

  function died($error) {
    echo "We are very sorry, but there were error(s) found with the form you submitted. ";
    echo "These errors appear below.<br /><br />";
    echo $error."<br /><br />";
    echo "Please go back and fix these errors.<br /><br />";
    die();
  }

  if (!isset($_POST['name']) ||
    !isset($_POST['email']) ||
    !isset($_POST['telephone']) ||
    !isset($_POST['comments'])) {
    died('We are sorry, but there appears to be a problem with the form you submitted.');       
  }

  $name = $_POST['name'];
  $email_from = $_POST['email'];
  $telephone = $_POST['telephone'];
  $comments = $_POST['comments'];

  $error_message = "";
  if(strlen($error_message) > 0) {
    died($error_message);
  }
  $email_message = "Form details below.\n\n";

  function clean_string($string) {
    $bad = array("content-type","bcc:","to:","cc:","href");
    return str_replace($bad,"",$string);
  }

  $email_message .= "Name: ".clean_string($name)."\n";
  $email_message .= "Email: ".clean_string($email_from)."\n";
  $email_message .= "Telephone: ".clean_string($telephone)."\n";
  $email_message .= "Comments: ".clean_string($comments)."\n";

  $headers = 'From: '.$email_from."\r\n" .
             'Reply-To: '.$email_from."\r\n" .
             'X-Mailer: PHP/' . phpversion();
  @mail($email_to, $email_subject, $email_message, $headers);  
?>

Thank you for contacting us. We will be in touch with you soon. You will now be redirected back to example.com.
<META http-equiv="refresh" content="2;URL=http://www.example.com">

<?php
}
die();
?>

A simple trick is to create a honeypot field:

html

<!-- within your existing form add this field -->
<input type="text" id="website" name="website"/>

css

/*in your css hide the field so real users cant fill it in*/
form #website{ display:none; }

php

//in your php ignore any submissions that inlcude this field
if(!empty($_POST['website'])) die();

An even simpler approach that works for me. Literally all spam that I receive(d), had a url in the message. So I filter on that, and have not received any spam messages since. I used to get about 10 a week.

Add this under your line   $error_message = "";   in your php-file:

if(preg_match('/http|www/i',$comments)) {
    $error_message .= "We do not allow a url in the comment.<br />";
  }

The /i in the preg_match makes it case independent. The 'http' also filters for 'https'.

Create a form field and hide it for the users. In the php script check if this field is submitted, but empty. Now you know the request is from your form and a user.

Spam will fill the hidden field, or if they use your php script direct the spam protection field is not set.

HTML

<input name="website" type="text" class="website"/>

CSS

form .website{ display:none; } /* hide because is spam protection */

PHP

# spam protection
if (isset($_POST["website"]) && $_POST["website"] == "") {
  # your php code to mail here
} else {
  http_response_code(400);
  exit;
}

You can find more method's how to protect a php form spam here: https://zinoui.com/blog/protect-web-forms-from-spam

Usually the bots submit a form very fast. So, based on that, another solution could be to add another hidden field that contain the number of seconds that passed from when the page was oppened. This can be done using JavaScript. Then check it in PHP. If the number of seconds is smaller than 5 seconds then it's spam (It's more likely that the real client needs more time to fit the form). You can adjust the number of seconds based on how many fields the form contain.

Hidden fields, silly questions (what is 3+4?), etc, are not very effective at blocking spam on forms.

I researched this several years ago, and came up with a solution I call "FormSpammerTrap". It uses JavaScript code to 'watch' for focus/onclick on required fields. Automated processes, unless highly customized for a specific site (which takes more time than spambot owners want to take), can't 'focus/onclick' a required field.

I have a free solution at my www.FormSpammerTrap.com site. And there's a form there that spambots can try to spam...and they haven't, for more than 3 years. You are welcome to try it out...it's all open source, so you can see how it works. (And, if you use the form, I don't harvest your email. I reply once, then delete your email.)

My technique is much more effective in blocking spambots. They haven't been able to spambot the contact form on that site.

For my answer, since i got through this i will simply add some new possibilities because the honeypot by Steve is extremely good but got hijaked (perhaps new softwares for spamming these days) and the handmade captcha like (what is 3+4) did not work for me even with random numbers, it worked for a while but stopped working after some time. Don't know how they got past this but i had to add some codes...

So i managed to get the IP of the spammer like this:

$ip = $_SERVER['REMOTE_ADDR'];

Then added $ip to the sent email by my php code in the subject then added this code to check the results without spamming my inbox:

if ($ip == '1.1.1.1') /*<-- this is an example*/
{
 $fp = fopen('spam_log.txt', 'a');
 fwrite($fp, 'Inputname: '.$inputname.' IP: '.$ip."\n");
 fclose($fp); die;
}

With this, i was safe for a while because the ip of the spammer did not change very often.

What i got the most were urls so i added this:

if (strstr($inputname, 'http')){die;} /*<-- did that for each input i had*/
if (strstr($inputname, 'www')){die;} /*<-- did that for each input i had*/

But sometimes i received spams without urls... by chance i got essentially cyrillic spam emails so i used this code:

$inputname_cyrillic = (bool) preg_match('/[\p{Cyrillic}]/u', $inputname);
if ($inputname_cyrillic){die;}

You can also add Arabic or Greek if needed that works fine since i cannot read these languages and am not interested in it.

If you're Russian or Arabic or Greek you can do the reverse and simply add the {Common} code which is A-Z related if you only want to receive cyrillic or Arabic, or Greek characters.

This thread helped me a lot so i wanted to contribute of my experience.

I have analyzed the spam I get for some time now. I have noticed that:

1. There is an overlap in time to submit form between spam and non-spam.

   I don't know if the slow spam is human submitted or the bots have been programmed to wait, but the slowest spam I get takes 26 seconds, and some non-spamming humans are faster than that (8 seconds).

   I often compose messages in a text editor and mostly don't submit them right away, so when I submit the message I visit the website and then copy-paste the message to the form, and submitting the message only takes a few seconds. I guess that's what these non-spammers do.

   7% of the spam is slower than 5 seconds.

2. Only about half the spam fills in the hidden honeypot field (48%).

3. Most spam contains an URL in the message body, but about 3% does not and some non-spam does.

Together, these three methods filter out the vast majority of the spam I get, but there are quite a few false negatives and some false positives.

But I have found one single indicator that detects 100% of my spam and does not mistake any non-spam for spam and that is

the language of the message.

I run a non-English website and all my spam is in English, while none of the non-spam is in English.

Therefore, all I have to do is search the message body for words like "you" that are common to all messages and do not exist in my own language.

This might not help those that run a website for an English-speaking audience, but many websites aren't in English, and for them this might be an additional indicator of spam.

If the spam you're getting does not have a comment, why not simply add a check for that? There's absolutely no reason for a real, human visitor to submit your contact form without a comment.

Since you don't want to add a captcha, the easiest solution in the short term would be to check that the comment is a minimum number of characters and contains at least a certain number of words.

For example:

$comments = trim($_POST['comments']); // trim() to strip off whitespace from beginning and end, like spaces and linebreaks

if (strlen($comments) < 20 || substr_count($comments, " ") < 3) {
    died('Your comment is too short.');
}

This is a very simple check to see that the comment contains at least 20 characters and at least 3 spaces (4 words). Tweak as needed.

Honeypot method is simply better. But still we can do best as a developers. Particularly filtering SPAM words..

• We did SPAM words filtering as porn, sex, http/www, money etc in our clients sites & it works well.

• You may try those links here lively and check..

  We used the below script for EMAIL & MESSAGE fields. It will block mail spam of from MAIL.RU domains too.

if (!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,5})$/i", $email));if (preg_match('/mail.ru/', $email)){$errors .= "\n Error: Invalid Email Address";}

if (preg_match("/^abc|jpg|png|dating|funding|inbound|www|viagra|porn|sexy|honey|game|и|д|й|л|à/i", $message)){$errors .= "\n Error: Spammy message";}

I managed to solve my problem of spam coming through a web email form by generating, on the html form page using js, a random number between 0-9, and then created a corresponding image for each number in text form (eg, "one", "two", "three"...). The text of the number is light coloured (more difficult to OCR scan) and a bit obfuscated by other artifacts I put in the image. The user must convert these text numbers (I have 3 but more could be easily added) to real numbers and submit them on the form. The PHP on the server detects whether that submitted number corresponds to the random generated number and if does not it rejects the submission.

However, there were a couple spams that were still getting through. To find out how, I decided to include in the email that was sent to me the number that the user typed in when submitting the form to see if OCR had been used on the webpage, or if the form was actually filled out manually. To my surprise, no number appeared which is impossible if the form were submitted from the html form page. This meant that the spam email was being generated by the php itself, bypassing the html form.

There is a lot of information on the Internet about how easily external data can be injected into the php, specifically the variables in the php mail() function. To counter that, I limited the file access permission on the server to 600 for this php file, and also placed this file in its own directory with another tight file access permission of 710. A bot would have great difficulty reading this file with these permission constraints. This seems to have solved the problem so far.

I should also mention that I hid any email address in the html and php files. For spammers, getting valid emails is profitable. For the former I created an image of the email address and displayed it on the html page as an image. Sure, OCR scanning of the web page could decode it, but so far not. For the latter, I divided up into pieces any email address in the file, and re-assembled them at the point where mail() needs it. That way, text scanning these files on the server, if that should still happen, will not directly reveal any email addresses.

6 years have passed since this question was asked. The best solutions at the time were to implement a honeypot and ReCaptcha.

Today, because of the advent of LLMs, there is a much better way to handle contact form spam: Use one of the APIs like BotButcher or Akismet to send the message to have it classified. Only pass on messages that have been classified as not spam. These services are very cheap and very effective. The additional benefit is you can now remove Recaptcha or any other "Are you a human?" challenges - which makes for a better user experience.

I have another method which I have used successfully on several web sites for over ten years, without so much as a single successful spam robot attack. I know from the server logs that the forms are spammed hundreds of times per day, but none of it has gotten through to me. This method doesn't need Captcha or any other purchased software. I will try not to give all the details here, but I'll say enough that most people can implement it.

First, you will need a simple text-based graphic which shows an anti-spam "code' and, critically, the prompt for the form field with which it is used.

Second, you will need an email script which will accept aliases (e.g. FormMail and many others). Create on your form a required field with the name of "recipient" (or whatever field name to which your email script expects to send the form input). Display your "code" graphic, with the embedded prompt next to it. Make sure that you set up your email script to accept whatever code you have used in the graphic as the alias for the real email recipient (you).

When this is implemented, a human can easily read and enter the code you have chosen in your graphic (i.e. the email alias set up in the email script). A spam robot sees only a blank field.

If the robot chooses to fill that field randomly, it will generate an error in the email script saying, in effect, that the recipient doesn't exist. You never see that error, nor do you ever get any spam. I have tried most of the other approaches described in other posts here, but none has been 100% effective as this one has been.

Of course, a human being can defeat this, but if he does you simply change the graphic and the email alias in your script setup. Then, he must start over with a manual submission.