Hi there, the contact form is public and it seems it has no security mechanisms in place.
There are a few common security features that you can apply to your form to prevent spam.
Probably the most popular is the captcha, however this affects usability in a negative way as captchas are normally quite hard to figure out for the user. Assume some users will give up before being able to submit the form.
So I’m going to favour a few other mechanisms that happen under the hood and are unobtrusive.
One of those is the token. The idea is that on every page request that prints the form you generate a unique token and put it in a hidden field in the form, as well as storing it in the server session. Then once the form is submitted you can check that the hidden field’s token is the same as the one stored in the session, and if it’s not then you invalidate the submission. This prevents bots from trying to brute force the form and it’s especially useful in login forms. If you combine this with time, that is, the time elapsed between the generation of the token and the submission of the form, then you can check that the form was not submitted too quickly. Bots will normally submit forms much quicker than a human, so what I normally do is check if the time elapsed is less than a second and if it is then I invalidate the submission.
The other method I can think of is the honeypot method, and this will probably get rid of a big chunk of spam but not all… It consists of having a text field in your form that is not visible to the user. Bots will normally try to fill in all fields, so once the form is submitted you can check if this field has a value and if it does then you invalidate the submission.
I hope these tips have helped you.
All the best…
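The three checks described in the reply above (session-bound token, minimum elapsed time, honeypot field), as an added example that is not part of the original post. It is plain Python with an in-memory dictionary standing in for the server session; the field names `token` and `website`, the one-second threshold and the choice to consume the token on first use so it cannot be replayed are assumptions made for the example.

```python
import html
import secrets
import time

MIN_SECONDS = 1.0          # submissions faster than this are treated as bot traffic
HONEYPOT_FIELD = "website"  # assumed name of the invisible field; humans never fill it


def render_form(session):
    """Called on every request that prints the form.

    Generates a fresh random token, stores it and its creation time in the
    server-side session dict, and returns the hidden field values to embed.
    """
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    session["form_token_time"] = time.time()
    return {"token": token, HONEYPOT_FIELD: ""}


def hidden_fields_html(fields):
    """HTML for the hidden inputs. The honeypot is a normal text input hidden
    with CSS (assumption) so a crawler that fills every visible-looking field
    still populates it, while a browser never shows it to the user."""
    return (
        '<input type="hidden" name="token" value="%s">\n'
        '<div style="display:none"><input type="text" name="%s" value="" '
        'autocomplete="off" tabindex="-1"></div>'
        % (html.escape(fields["token"]), HONEYPOT_FIELD)
    )


def validate_submission(session, posted, now=None):
    """Return (accepted, reason) for a submitted form.

    The token is popped from the session before any check so that a failed or
    successful submission always invalidates it (single use, an added choice).
    """
    now = time.time() if now is None else now
    expected = session.pop("form_token", None)
    issued_at = session.pop("form_token_time", None)
    if expected is None or issued_at is None:
        return False, "no token in session"

    supplied = str(posted.get("token", ""))
    # constant-time comparison; encode so non-ASCII input cannot raise
    if not secrets.compare_digest(expected.encode(), supplied.encode()):
        return False, "token mismatch"

    if now - issued_at < MIN_SECONDS:
        return False, "submitted too quickly"

    if posted.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"

    return True, "ok"


def run_demo():
    """Constructed scenarios: a human, a replayed token, a bot that posts
    within 200 ms, a bot guessing the token, and a bot filling every field."""

    def fresh():
        session = {}
        fields = render_form(session)
        return session, fields, session["form_token_time"]

    results = {}
    s, f, t0 = fresh()
    results["human"] = validate_submission(
        s, {"token": f["token"], HONEYPOT_FIELD: "", "message": "hello"}, now=t0 + 4.0)[1]
    # same token submitted a second time: already consumed
    results["replay"] = validate_submission(s, {"token": f["token"]}, now=t0 + 5.0)[1]

    s, f, t0 = fresh()
    results["too_fast"] = validate_submission(s, {"token": f["token"]}, now=t0 + 0.2)[1]

    s, f, t0 = fresh()
    results["bad_token"] = validate_submission(s, {"token": "guessed"}, now=t0 + 4.0)[1]

    s, f, t0 = fresh()
    results["honeypot"] = validate_submission(
        s, {"token": f["token"], HONEYPOT_FIELD: "http://spam.example"}, now=t0 + 4.0)[1]
    return results


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print("%-10s %s" % (name, reason))
```

In a real application the `session` dict is whatever server-side session your framework gives you, and the timestamp is stored there rather than in the page so the client cannot forge it; the order of checks means a bot that guesses the wrong token learns nothing about the timing or honeypot rules.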