Making a form spam-proof

Have a form linked to cgi and it’s working as expected, but getting severely hit by spammers using it. Without using any js or css what would be the quickest and easiest way to make the form spam-proof please? Any help much appreciated. Dez

You could prevent / hinder automated submission by using a captcha, or manually coding some kind of logic question (e.g. what colour is the sky?) which you then evaluate after submission.

An alternative method is to create a text input in your form and hide it using CSS.
Normal users won’t see it, but bots will invariably fill it out.

Yes, the second method Pullo mentions is better, because it doesn’t punish your legitimate users. It’s often called the “honeypot” method, and there are lots of threads here on that subject, as well as elsewhere. Forget CAPTCHA: it’s garbage.

Ultimately, the only way to make a form spam proof is to make it impossible to fill out. Otherwise, you will still get idiots inserting spam manually into your form, even if the bots are thwarted. :frowning:

I quite like this one:, especially as poes jumps in towards the end and the discussion drifts towards accessibility / usability.

We often get clients requesting that we put on a captcha to thwart spammers, but I often tell them that robots will easily be able to get past the captcha. Sometimes they insist, so we put up a captcha anyway! As long as there is a public form to fill on a website, someone will get around to filling it out with spam or junk.

Thanks all - it’s appreciated. How about a checkbox, that had to be ticked?

This is a form element like any other that a bot could easily fill out.
What might make more sense was a checkbox that is hidden by default that must remain blank à la honeypot).

However, if you are being bombarded with spam anyway, you could try both methods and see what makes a bigger impact.

Check box is good to have but making multiple page form is the answer.

If your page #1 collect personal info and page #2 is asking you to confirm correctness
by checking box in order to get to next page #3 that collects CC info, for example, and
only after all that jumping hoops your form can be submitted… oh well, spammer will give up
after page #2 and bots after page #1.




Quite possibly. But your legitimate users might give up, too. :smiley:

You are still punishing the user here, when a simple honeypot will stonker most of the rubbish. [/ot]

I don’t think so.

How is my form different from form where all fields compounded on single page?
Amount of fields never changed and as far as legit concern it takes the same
amount of time to complete 20 of them.



But going from page to page while filling out a form crushes the confidence of many users—myself included. You wonder where it will all end, and if your data will be saved if you need to go back. And what happens if you submit the form finally, but there was something amiss on page one? etc. I’d say avoid multi-page forms like the plague.

Now, that’s funny, LOL

Well, we rather to loose a few impatient, irritated clients than deal with plague of spam.
How serious are we about dealing with spammers? Well, over 30,000 on our blacklist since
beginning of this year might give you some idea.



Sounds like you haven’t blocked those bots yet. I doubt individual spammers could post that much. Have you tried a honeypot?

Just in case you have missed that first time

and bots after page #1.

As to honeypot… well, since AMRAY have joined NANAE about 12 years ago

Our blacklist is for people who were determined enough and jumped the hoops
and went all the way to spam us, somewhere about 8 of every 10.

You do realize I’m talking about AMRAY Web Directory?



O, OK. It sounded like you were saying you’d had 30,000 spam emails since the start of the year. :slight_smile: