How to protect php form from spammers?

Hi from medieval York UK :wink:

Thanks to much help on this forum Ive manage to create a php form. Now I need to protect it from spammers I learn. Appreciating that i am a php noob what is the easiest way i can protect this form:

from poo landing in my inbox?

Thanks in advance,

You could add a captcha and/or honeypot:

One thing I found in the past was not to call a page contact!


As mentioned before. You can use honeypot It is a way to trap bots from submitting information through your forms and you can do some more stuff afterwards like banning the IP Address or doing research on it. Although I wouldn’t suggest using their way of checking for form submission. Don’t use Captchas. It won’t stop bots. Here’s Google’s ReCaptcha.

Some say banning IP Address is bad. I say it’s not. If the user did indeed do an attack, they most likely will feel guilty and probably won’t attempt to contact you. They’ll most likely try to find other ways of bypassing. If the user hasn’t done anything, they can simply request an IP unban. Otherwise, they could be the attacker. It’s logic common sense. The guilty person won’t contact you because you’ll know who they are, but a regular person who knows nothing that contacts you will most likely not be the attacker. Site admins aren’t as bad as people put them out to be.

How do they contact you when you have banned them from using the contact form?

On the page that tells them that they are banned, use Javascript to output the email they should contact. You should always check every now and then on that email to make sure legitimate users aren’t banned.

EDIT: Also, this let’s admins interact with their users which is probably the best thing you can do on a “service” like the web. No matter what, you still have to interact with people whether you like it or not. The #1 thing every user hates the most is being left in the dark or not being able to talk with the admins. This allows them to talk to you directly and privately. Why choose web programming if you don’t have the urge to talk with your users? If you don’t like talking with people, your best bet is to find a profession that doesn’t deal with people at all. That way you don’t have to deal with people anymore.

spammers can then use that address to spam you very easily as an email address added to the page in any way whatsoever is far less secure from spammers than even a basic contact form. At least with the form they don’t get an email address to use to send spam from anywhere other than the form.

I was referring about the bots. For human spammers, you can make a flood protection via PHP. Let them submit once. On the first submission, set a session using a timestamp. Next, wrap the form and the form submission around an if statement. If the time has passed x amount of minutes or seconds, they can submit again. If not, don’t give them a form to submit with until the time has passed.

Once the bots get an email address they don’t need to visit your site again to use it. Similarly with human spammers.The email address you provide for those where you have blocked the IP address for the form is the weak point in that setup as it means the spammers don’t need the form.

Then what do you propose?

Don’t ever put an email address in a web page - always use a contact form instead. Use a series of different CAPTCHA techniques with the form so that most real visitors don’t even realise that there is a CAPTCHA there (a minimum time for filling out the form is perhaps a good one to start with as real people will take at least that long unless they copy/paste. If they fail the first one you give a more obvious CAPTCHA and so on.

The problem with IPv4 is that the same address can be shared between tens of thousands of people. The problem with IPv6 is that one spammer can have tens of thousands of addresses.

I see. As I have said before, Captchas won’t stop bots at all. This actually will give your users the burden. So instead of stopping bots as an admin, you have put a burden on your users trying to stop bots. Most users are sick of Captchas and most big sites like Facebook don’t use Captchas anymore. There are some pages they use Captchas, but it is rarely seen now a days. Only websites that still use Captchas are old websites from the 90’s and the main problem, Google. I don’t even think Twitter uses Captchas. Here, I’ll just give you a search on them.’t+work

There’s a long long list of why Captchas won’t simply work. If anything, it would be much easier to just stop a flood for x amount of time. If they keep spamming the form, then it is best to find out the Mac address of the computer that is spamming the form and find a way to force them to stop. That is the only best thing to do because Captchas won’t work and banning IP Addresses won’t work.

Don’t think of CAPTCHAs as being only “blurry text”
Any ““Completely Automated Public Turing test to tell Computers and Humans Apart”” is a CAPTCHA

For example “1 plus 2 is ___”, “click the car image”, “don’t fill in this input”, “take at least 30 seconds to complete this form”, “rearrange the puzzle pieces” etc. are all CAPTCHAs

IMHO they all have pros and cons, and I agree with felgall that

Well, I guess there can be an exception. I’ve seen this in a few websites, but never really seen them implemented on a lot of websites.

What you could do is use a honeypot first. Once a bot or a user triggers that honeypot, give them a Captcha. For the users who like to spam, my answer still remains. There needs to be some sort of flood protection because giving a user some sort of form to submit makes no different then letting them submit the original form.

Yes, Flood protection is a very good idea. eg. similar to logging in, “3 Fails - wait a half hour and try again”

Unless someone has a strong desire to abuse a site they won’t like spending time waiting.

I mean this can still change in theory. If the spammer is really smart. They would use Firefox’s Inspect Element tool. Re-create the form and keep spamming. That’s only if they copy&paste the old form to a notepad or something.

However, you can actually stop this spam using PHP because the form isn’t supposed to be there. So inside the flood protection, you need to make another validation to make sure that the form doesn’t exist.

Requiring a valid SESSION value comes to mind.

Of course nothing is fool-proof. The trick is to make it difficult enough that they’ll move on unless they’re determined.

Yes. The main objective is to bore the person out. Make them think there is no possible way of bypassing the protection. With regular users, they’ll probably get bored after the first attempt. With a determined user, they could try for hours.

Yes that’s another effective CAPTCHA that most legit users will not see.

If you combine a honeypot and a time based CAPTCHA as a first step then you would trap most bots and let most real people through without them even realising that the CAPTCHA was there.

Only those legitimate users or real people spammers who are pasting everything into the form rather than typing it and those bots clever enough to avoid the honeypot would land in the third option requiring an additional CAPTCHA to try to distinguish between real people and bots. The “click on all the road signs/food/whatevers” providing a number of images where some contain the asked for item and some don’t seems to be a popular choice for this on sites I have seen switch from the blurry almost unreadable ones in recent months.

Flood control using a session is probably best for blocking the real people spammers. The most important thing to make this effective is to make sure that there is no way for them to obrtain an email address to allow them to bypass the form.

As much as I don’t like it because it breaks accessibility, the best way I’ve found is to submit via ajax.

Remember, spam only works at scale, they won’t bother to modify their code just for your particular form. Also you will have the opportunity to learn how to do ajax requests :smile:

If you do this, make sure there’s an alternate contact method like a phone number / email address or something like that.