OK, so I have a previous post that explains how to make a PHP contact form. Easy enough. It works great. Well, a few months ago I started getting spam emails from my contact form. This is lame. Basically, a bot has found my contact form, and it's been flooding my inbox with fake email addresses, and 5 or 6 URL links in the message.
I thought I would append my initial post with what I've done to fix the problem.
1. Rename the form (add a "2" or something), like this: before=contactForm.php; after=contactForm2.php. This means you will need to make sure the path in the HTML form is pointing to the right place.
2. Add a "hidden" field in the contact form.
Like this:
<input type="text" name="email2" style="display:none" />
<input type="hidden" name="redirect_thanks_url" value="http://www.yourdomain.com/thankyou.htm" />
I put it between the last text field and the submit button, but it doesn't matter where you put it. In fact, we might all help defeat spam bots if we put them in different places and even name the fields differently. In this example it's "email2"; see the code above, and also the PHP code below.
3. Add this PHP code to the form script (which you can download from the other post I talked about).
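// Honeypot check: real visitors never see "email2", so it should arrive empty.
if(isset($_POST["email2"])) {
    if(!empty($_POST["email2"])) {
        # THIS IS PROBABLY SPAM
        // Redirect to a fixed URL. Putting a posted value into the Location
        // header would let the sender choose where the redirect goes.
        header("Location: http://www.yourdomain.com/thankyou.htm");
        exit();
    }
}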
You'll need to add it somewhere inside the main opening and closing PHP tags. Make sure you don't put it inside another function. I put mine right after line 12 in the script mentioned on the other post.
What it's doing is basically telling the spam bot that there is a field to fill in. Bots are attracted to fields. So we attract it with a label like "email2" or "message" or something that's not already in use, but still attractive...not something like "honeypot" or "spamtrap".
The field is hidden from humans, so a human filling out the form will leave it blank. The script checks to see if the field is blank. If it's not blank, the script tosses the submission, but still redirects to the thank-you page. I read that some bots wait to see if the redirect goes to an error page or not, then will try again.
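Here is a fuller version of the step 3 check, as an added example that is not part of the original contact-form script. It redirects to a fixed thank-you URL, treats a non-string "email2" as tripped, and logs each dropped submission so you can see how often the trap fires. The function names and the log file path are assumptions.

```php
<?php
// Added example, not the original contact-form script.
// Assumptions: honeypot field "email2" (as in the post), a fixed thank-you
// URL, and a hypothetical log file for dropped submissions.

const THANKS_URL    = 'http://www.yourdomain.com/thankyou.htm'; // never taken from the request
const HONEYPOT_NAME = 'email2';
const DROP_LOG      = __DIR__ . '/honeypot-drops.log';          // hypothetical path

// True when the hidden field came back filled in. A display:none input is
// still submitted by browsers, as an empty string, so humans send "".
function honeypot_tripped(array $post): bool
{
    $value = $post[HONEYPOT_NAME] ?? '';
    // A bot may post an array (email2[]=x); anything that is not a string is suspect.
    if (!is_string($value)) {
        return true;
    }
    return trim($value) !== '';
}

// Record what tripped the trap, one tab-separated line per dropped submission.
function log_drop(array $server, array $post): void
{
    $ip   = $server['REMOTE_ADDR'] ?? '-';
    $trap = $post[HONEYPOT_NAME] ?? '';
    $trap = is_string($trap) ? $trap : '[non-string]';
    // Strip control characters so a bot cannot forge extra log lines, and cap the length.
    $trap = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $trap), 0, 100);
    error_log(sprintf("%s\t%s\thoneypot=%s\n", date('c'), $ip, $trap), 3, DROP_LOG);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (honeypot_tripped($_POST)) {
        log_drop($_SERVER, $_POST);
        // Same response a real visitor gets, so the bot sees no error page to retry on.
        header('Location: ' . THANKS_URL);
        exit();
    }
    // The existing mail-sending code from the contact form script continues here.
}
```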
Now, it's possible that spammers will teach their bots to look for "hidden" fields and not fill them in at some point, but then we can come up with something else.
For the time being, this helps.
Again, the contact form on the previous post still works just fine, but I'm afraid it's just a matter of time before a spam bot finds it and starts spamming you.
Hopefully you remembered where you got the script in the first place and checked back to see if there was a solution.
What a pain this spam thing is. It's like a battle of escalations and counter attacks. Kinda fun, just annoying and time wasting.
I looked into some CAPTCHA solutions but they were really difficult to implement, and most of them cost money. (CAPTCHA, by the way, means "Completely Automated Public Turing test to tell Computers and Humans Apart".)
Hope this helps.
jorge