One day after putting my site online and registering it with Google I got spam mail. How?

I put my website online last Sunday and registered it with Google at the same time. Before that, I didn’t even put a single link to the site anywhere online. And I don’t have any email address on my site, just a mail form that is protected with ReCaptcha v. 2; see

Still, I got a spam mail within 24 hours. :-((

I can tell that the mail was sent through the mail form, there’s no doubt about that. It seems to have been entered into the form manually (even though I’m not sure about that), but how is it possible that the spammer found my site so quickly?

If it is online it can be found. If you put it on Google and it was crawled, it can be found. Sorry to hear that the spammers are getting you early. Keep in mind that spammers also have their own bots and so could crawl your site any number of ways.

I wouldn’t waste your time on just the how, but plan for the eventual spam you will get.

The whole point of listing your site with Google is to allow it to be found more easily. So in that respect you got what you asked for.

If there is an actual human writing spam manually, there isn’t much you can do about that as they should be able to pass any Captcha. Though in my experience manual spam is very rare, it is usually bots which can be stopped.

But then Google must publish a list of newly registered sites every day, to which spammers subscribe or have access, doesn’t it? Because how else did the spammer know of my site? Like I wrote, I didn’t put any link to it online yet, because I’m still testing it and having it reviewed.

And the spammer was a company that sells a product to all businesses that have a website. I’m just worried that I will get much more spam, despite of my ReCaptcha-protected form.

How can they be stopped then? I thought that ReCaptcha v. 2 was the best spam protection except for v. 3? I also need to know that for my future customers. If don’t wanna sell them a ReCaptcha-protected form at a surcharge if it doesn’t work.

I just visited the contact form page with JavaScript disabled. I filled out the form and sent you a message.

When I submitted it, I got the message “Er is iets fout gegaan. Neem indien gewenst contact op via de pagina Bedrijfsinfo.” (Something has gone wrong)

Despite this warning, did any mail make it through?

1 Like

Captcha should stop bots, but if you have human spammers, that’s hard to stop, because what Captcha does is stop bots and let humans pass.
There are some methods that can be used, such as filtering for certain words or phrases if the spam follows common themes, filtering problem IPs, setting a timer between form load and submission, that is usually very effective against bots, but it may used to catch copy/paste spammers too if you set the right cut-off interval (and if that is how they are working).
Anyone feel free to add any more methods…

1 Like

Thanks for the effort! :slight_smile: But no, no mails made it through. The form can be submitted with Javascript disabled, but then the input values are not passed on, and the form handling PHP script throws the error that was printed on your screen.

Yeah, thought as much, but it was worth a try.

As to your original questions:

In all honesty I don’t know, but it’s probably not as difficult as you think. There are tools out there that claim to let you scan every (IPv4) address on the internet in less than 45 minutes.

Again, probably not as difficult as you think. There are various projects and services dedicated to bypassing captcha.

Did this happen to you? I’ve no idea. What you’re describing seems weird (that a spammer could find your unpublicized site and bypass your antispam measures), but not impossible. But like Martyr2 says, I wouldn’t waste your time fretting about it, rather prepare for the inevitable spam that will come and work out the best way to mitigate it.

And in that vein I find captchas to be a right PITA. They are notoriously inaccessible to people with certain types of disabilities (admittedly that article is a bit dated, but the point remains). I much prefer honeypots/bot traps which don’t impact the user experience, but are still effective against spam.


P.S. I used to have a contact form on my site that I took down due to spam. This stopped the majority of the mails I was receiving, but even with the contact form plugin uninstalled, I still received the occasional spam mail. I remember finding this very strange, as the address the contact form emails were sent to was never publicized anywhere on the internet.


Been a long time since I used reCaptcha but when I did it was broken pretty much immediately. So I switched to making my own very simple user check and didn’t get any spam from then on.

The problem with any system that is used by the masses is that it will be constantly be under attack and eventually they will find ways through. It’s a continual game of cat and mouse.

You may already be aware that the google recaptcha tool is also used for machine learning /AI purposes so its not a purely altruistic offering by Google.

I have taken the same approach on contact forms using my own hand-made bot traps that a normal user is oblivious to. So far it has been 100% effective against spam. It’s not that they are not trying, I set it up to report failed attempts by bots, so I know they do try, but also which traps are catching them. The most effective one going by results is the timer.

1 Like

I like the trick where you have a box to tick, along the lines of “I agree to the terms and conditions”. But in the CSS you style it as

display: none;

Then when processing the form reject it if the box has been ticked.

(Apologies if this is an old trick that is not very effective for some reason).

That is similar to a “honeypot” which is a hidden form field which a normal user will leave blank, becuase they never saw it or knew it was there, but the bot fills it in.

I didn’t realise that’s what it is called.

(I hate Captcha - “tick the boxes that show a female lesser spotted woodpecker”)

To all: thank you very much for your help.

On another forum it was suggested that (employees of) site hosts sometimes sell newly claimed URLs to certain parties. That might just have happened here, also because the spam mail that I got was from a company that offers a service to new-website owners. And I’m quite confident that the spam message was entered manually.

However, your replies made me do some more tests, and it appeared that reCAPTCHA doesn’t work with Javascript off. Then what’s the use? Very little, I guess, because spambots can easily do their work with JS off. Plus, there’s the issue of user friendliness.

So, I replaced with it with a honeypot. Thanks for the tip! I’ll let you know in a couple of months how that worked out, but so far, so good.