How to solve spam mail issue

im getting lot of spam in websites, how can i solve this issue…??
im have tried few methods. recpatch.
2. try block country with ip address.

  1. Hidden fields…
<input type="hidden" name="secretField" placeholder="same as below" class="form-control"  value="imnotspammer">
<input type="hidden" name="secretBlank" placeholder="same as above" class="form-control"  value="">

Checking for input field:
if ($_REQUEST['secretField'] != 'imnotspammer'){
    die('<h2 class="">Form Could not be submitted. Spam detected</h2>');
if ($_REQUEST['secretBlank'] != ''){
    die('<h2 class="">Form Could not be submitted. Spam detected</h2>');
  1. Filtering Spam words.
$spam_words =
    'bitch','ww','cum','hacker','money','Buy','Order','Meet singles','Near you','Near you','Additional income','Be your own boss','Robot','More Internet Traffic','Performance','Sale','Sales','Search engine listings','Search engines','Subscribe','Visit our website','Web traffic','traffic','100%','satisfied','Giving away','Warranty','Winner','Winning','won','Sleazy','Shady','Prize','Guarantee','free','Double your','Hurry up','Offer expires','crypto','Cryptaxbot','@Cryptaxbot','Exclusive deal','Compete for your business', '<','>'

all four method in single form but still getting spam mail…

First off, you’ll never filter out all spam. The thing is are your methods working? Are you still getting spam with the stop words you are checking for and from the countries you’re filtering out?

Personally I wouldn’t let the spammer know that you have detected spam. It gives them the chance to edit their spam to get round your checks. Let them think the email has been sent and they’ll go on to the next spamee.

1 Like

You could try, what I have recently learned is called a form honeypot. Create a check box on the form with the text eg “I accept the terms and conditions” but with CSS style it

display: none;

so that humans can’t see it but a bot will and will then check it. Then when processing the form simply don’t proceed with the sending of the mail if the box has been checked.

I’ve noticed that some bots have learnt to get around Recaptcha. That is the problem with common Captcha types, they are the one they are working on cracking.

These are usually effective in my experience.

Agreed, thet them think they have won, when if fact they have not. And don’t give them clues as to the purpose of the hiiden honeypot inputs. Using type="hidden" tells them they shouln’t see it.

The hidden inputs are honeypots.

Another one that I have found very effective is a form timer. Record the time on the form request. Record the time of submission. Compare the two to get the time elapsed. If it is below a value you set, consider it a bot.
You can also use an access token, to stop those who spoof your form on their own machine and send the submission request to your server. A random string (different every time) in a hidden input. It is recorded and passed to the validation script, then compared against the value submitted from the form.
A good combination of methods used together canwork.

1 Like

This is called Cross Site Forgery Request token, or CSRF token for short.


Funny, I knew there was a term for it, but could not remember what it was called, just how to doit.

1 Like

Besides bad words also check text for unwanted url parts like '<','http','www','.com','http:','@' etc.
I have an old list (many years ago) of agent/spiders and a snip of code I used. As it is a long list I put it on a file and uploaded it. This was one of the first checks I did. I also had a database table blockedips to hold a list of ips that I blocked and I would query this table and put these ips into an array $badips. This code was all on a file that was included on all my pages before output to the browser so if it is a blocked ip they just wouldn’t have access at all.


So before doing any text searches for bad words they have to pass the spider test and my blockedips list with this simple IF condition.

if(!in_array($ip_address,$badips) && isset($nobot)){
	//Band word check

If text did not pass the word check I would save their ip address and date into a database table called ip_tracking then I query the ip_tracking table using today’s date and the ip address and I count the records. I set a threshold of 75 and if this count is surpassed, their ip was added to the blockedips table. Bots can hit your form rather quickly and I caught many at this setting. Anyway this is what I did many years ago on a site… I am sure other might have a more modern approach.

spiders.php (8.2 KB)

1 Like

Another check that can detect form spoofing, and really should be part of any robust validation system is checking all the inputs and values are as they should be.
You can create a function to check each input in turn. Start with an array of all the form’s inputs, then check if each one isset(). In a valid subission from your site all should be set (with the exception of checkboxes) but spoofed forms may miss some inputs out.
Then with the values, some values are pre-set in the form, such drop-down selects, radios and checkboxes. Check the submitted values for these against an array of proper values that you have offered as choices. Bots will often tamper with the pre-set values, an honest user would not do this, so the bots give themselves away doing this.
Again all part of the validation process, but checking user input matches the type and obays any contraints will catch out the bots. Eg, checking a string obays any min/max length constrints, also min/max numerical inputs, required inputs are !empty().
Basically every constraint you put on form inputs has to be checked in validation, and bots will reveal themselves by not adhering to those constraints.


I had the same problem. First you need to not display an actual email address, once people have that you need to rely on your email server/client to filter out spam. You cannot prevent people from sending unsolicited mail to an email address - but strictly speaking this is not spam if entered manually.

Most spam problems are the result of a contact form which robots find and complete. I deal with this in a number of ways.

My php form has fields hidden by css (dont use html input type = hidden, it is to easy to detect and bypass), any of these fields completed = must be a robot.

I also count number of words in the message, many spam messages (for some reason) only include one or two words.

Next I check time to complete the form, many robots complete the form in less than 1 second, just establish shortest time a human could complete it and take a couple of seconds off.

This has eliminated spam for me. To avoid unwanted emails that still get through, I am developing a ‘blacklist’ which is simply a text file and each entry in my text file is compared against the mail content and any matches rejected.

Spam is sent to a separate spam@ email address and as other posters have mentioned I do not notify the sender that the mail has been rejected. This allows me to see how effective my system is, detect any non spam that is rejected, and tweak as necessary.

These precautions have virtually eliminated spam from my contact form.

I am stealing the token idea !

Check out the link @rpkamp posted for more info on that.
But multiple layers of invisible captcha is very effective, without spoiling the experience for honest users. A combination of tokens, timers, honeypots and robust validation can make for a watertight form.

1 Like

tnanks, that helps

can you guide me in this, i have know idea for checking time to complete the form.
i have already followed others process.

next what i have done is check the equation (numerical captch) if the equation match then only submit button is displayed, do you suggest me this feature…???

solve the equation
Sum of 3 + 4 =
two number are randomly generate each time when page loads…

what do say about this feature…

I am not a teacher or by any means a seasoned pro, but happy to share how I done it (I am sure someone here can improve on it, but it works) -

I have 2 php pages, one for the form display and then a second to process the input.

I appreciate that it is better practice to have the form and the form processing in the same page, and would mean I don’t need to use a session var. But to be honest my code got so complex I decided to split the actions. I will later look to combine within one script, when my brain stops hurting :grinning:

Start the first page with

session_start(); $_SESSION["form_started"] = microtime(true);

This opens a session and then sets a session variable to store the time the form page is opened. I use the ‘true’ parameter to return the time in seconds rather than microseconds. Being a session variable it will be available to the second, or process page.

When the form is submitted it opens the second page, and the first thing I do is to open the session again so the variables will be available.


Then i set another normal variable to store the time this page opened, because this is also the time the form was submitted.

$form_completed = microtime(true);

Finally I set my time limit as anothe var

$time_limit = 10; // Less than this time and it is probably spam.

Then it is simple maths to calculate the form completion time by subtracting the start time from the finish time.

$form_duration = $form_completed - $_SESSION["form_started"];	

I then compare this to my preset value and if it is less, treat as spam

if ($form_duration < $time_limit) { .... } // Action to take if form completed too quickly, indicating probable spam

finally I format the number for reporting and easier debugging so I have seconds to 2 dec places using

number_format((float)$form_duration, 2, '.', '')

Remember, form is probable spam if time to complete it is LESS THAN the time limit and if it’s completed in less than 1 second, it has to be spam. I suggest reporting on times taken to complete and which messages are spam and you can soon come up with a time above which you are confident it is legit, and below which you are confident it is spam.

Regards your second question, simple ‘captcha’ questions like that are quite easy for robots to detect and bypass, but mainly, I hate anything that affects the user experience. I want spam protection but I don’t want to delegate it to all my visitors. It can be the difference between a click and no click.

Don’t forget to change your code so fields are hidden using css rather than html, it is harder for robots to detect. Also I agree with others - don’t notify that spam has been detected or form is rejected, don’t warn spammers that they need to improve their bots!

Note - for my development, emails detected as spam were sent to a separate spam account and all emails had the time to complete added to the message body. In this way I could compare mail content to time taken and settle on an ideal value.

Good luck !


This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.