Hi from medieval York UK 
Thanks to much help on this forum Ive manage to create a php form. Now I need to protect it from spammers I learn. Appreciating that i am a php noob what is the easiest way i can protect this form:
from poo landing in my inbox?
Thanks in advance,
David
One thing I found in the past was not to call a page contact!
As mentioned before. You can use honeypot http://bigsquare.co.uk/simple-php-honey-pot-spam-prevention It is a way to trap bots from submitting information through your forms and you can do some more stuff afterwards like banning the IP Address or doing research on it. Although I wouldnât suggest using their way of checking for form submission. Donât use Captchas. It wonât stop bots. Hereâs Googleâs ReCaptcha. http://www.shieldsquare.com/sorry-google-captcha-recaptcha-doesnt-stop-bots/
Some say banning IP Address is bad. I say itâs not. If the user did indeed do an attack, they most likely will feel guilty and probably wonât attempt to contact you. Theyâll most likely try to find other ways of bypassing. If the user hasnât done anything, they can simply request an IP unban. Otherwise, they could be the attacker. Itâs logic common sense. The guilty person wonât contact you because youâll know who they are, but a regular person who knows nothing that contacts you will most likely not be the attacker. Site admins arenât as bad as people put them out to be.
How do they contact you when you have banned them from using the contact form?
On the page that tells them that they are banned, use Javascript to output the email they should contact. You should always check every now and then on that email to make sure legitimate users arenât banned.
EDIT: Also, this letâs admins interact with their users which is probably the best thing you can do on a âserviceâ like the web. No matter what, you still have to interact with people whether you like it or not. The #1 thing every user hates the most is being left in the dark or not being able to talk with the admins. This allows them to talk to you directly and privately. Why choose web programming if you donât have the urge to talk with your users? If you donât like talking with people, your best bet is to find a profession that doesnât deal with people at all. That way you donât have to deal with people anymore.
spammers can then use that address to spam you very easily as an email address added to the page in any way whatsoever is far less secure from spammers than even a basic contact form. At least with the form they donât get an email address to use to send spam from anywhere other than the form.
I was referring about the bots. For human spammers, you can make a flood protection via PHP. Let them submit once. On the first submission, set a session using a timestamp. Next, wrap the form and the form submission around an if statement. If the time has passed x amount of minutes or seconds, they can submit again. If not, donât give them a form to submit with until the time has passed.
Once the bots get an email address they donât need to visit your site again to use it. Similarly with human spammers.The email address you provide for those where you have blocked the IP address for the form is the weak point in that setup as it means the spammers donât need the form.
Then what do you propose?
Donât ever put an email address in a web page - always use a contact form instead. Use a series of different CAPTCHA techniques with the form so that most real visitors donât even realise that there is a CAPTCHA there (a minimum time for filling out the form is perhaps a good one to start with as real people will take at least that long unless they copy/paste. If they fail the first one you give a more obvious CAPTCHA and so on.
The problem with IPv4 is that the same address can be shared between tens of thousands of people. The problem with IPv6 is that one spammer can have tens of thousands of addresses.
I see. As I have said before, Captchas wonât stop bots at all. This actually will give your users the burden. So instead of stopping bots as an admin, you have put a burden on your users trying to stop bots. Most users are sick of Captchas and most big sites like Facebook donât use Captchas anymore. There are some pages they use Captchas, but it is rarely seen now a days. Only websites that still use Captchas are old websites from the 90âs and the main problem, Google. I donât even think Twitter uses Captchas. Here, Iâll just give you a search on them.
https://www.google.com/search?q=why+captcha+doesnât+work
https://www.google.com/search?q=why+captcha+is+bad
Thereâs a long long list of why Captchas wonât simply work. If anything, it would be much easier to just stop a flood for x amount of time. If they keep spamming the form, then it is best to find out the Mac address of the computer that is spamming the form and find a way to force them to stop. That is the only best thing to do because Captchas wonât work and banning IP Addresses wonât work.
Donât think of CAPTCHAs as being only âblurry textâ
Any ââCompletely Automated Public Turing test to tell Computers and Humans Apartââ is a CAPTCHA
For example â1 plus 2 is ___â, âclick the car imageâ, âdonât fill in this inputâ, âtake at least 30 seconds to complete this formâ, ârearrange the puzzle piecesâ etc. are all CAPTCHAs
IMHO they all have pros and cons, and I agree with felgall that
Well, I guess there can be an exception. Iâve seen this in a few websites, but never really seen them implemented on a lot of websites.
What you could do is use a honeypot first. Once a bot or a user triggers that honeypot, give them a Captcha. For the users who like to spam, my answer still remains. There needs to be some sort of flood protection because giving a user some sort of form to submit makes no different then letting them submit the original form.
Yes, Flood protection is a very good idea. eg. similar to logging in, â3 Fails - wait a half hour and try againâ
Unless someone has a strong desire to abuse a site they wonât like spending time waiting.
I mean this can still change in theory. If the spammer is really smart. They would use Firefoxâs Inspect Element tool. Re-create the form and keep spamming. Thatâs only if they copy&paste the old form to a notepad or something.
However, you can actually stop this spam using PHP because the form isnât supposed to be there. So inside the flood protection, you need to make another validation to make sure that the form doesnât exist.
Requiring a valid SESSION value comes to mind.
Of course nothing is fool-proof. The trick is to make it difficult enough that theyâll move on unless theyâre determined.
Yes. The main objective is to bore the person out. Make them think there is no possible way of bypassing the protection. With regular users, theyâll probably get bored after the first attempt. With a determined user, they could try for hours.
Yes thatâs another effective CAPTCHA that most legit users will not see.
If you combine a honeypot and a time based CAPTCHA as a first step then you would trap most bots and let most real people through without them even realising that the CAPTCHA was there.
Only those legitimate users or real people spammers who are pasting everything into the form rather than typing it and those bots clever enough to avoid the honeypot would land in the third option requiring an additional CAPTCHA to try to distinguish between real people and bots. The âclick on all the road signs/food/whateversâ providing a number of images where some contain the asked for item and some donât seems to be a popular choice for this on sites I have seen switch from the blurry almost unreadable ones in recent months.
Flood control using a session is probably best for blocking the real people spammers. The most important thing to make this effective is to make sure that there is no way for them to obrtain an email address to allow them to bypass the form.
As much as I donât like it because it breaks accessibility, the best way Iâve found is to submit via ajax.
Remember, spam only works at scale, they wonât bother to modify their code just for your particular form. Also you will have the opportunity to learn how to do ajax requests 
If you do this, make sure thereâs an alternate contact method like a phone number / email address or something like that.