Filter for Random/Possibly Malicious Submissions
WorldWiz
08-09-2012, 06:18 PM
I currently have a website already published and online with a contact form page, and for a while, I have been receiving submissions that only contain random strings of characters (such as "wneodsidhfnwekdi") and usually some suspicious URL. Is there some kind of filter I can write into the page to prevent submission of the form whenever there is non-word text in the form? The page is currently in HTML, but I am willing to convert to PHP if necessary.
djr33
08-09-2012, 10:54 PM
The standard solution to this is called a CAPTCHA, one of those images with letters/numbers to type to verify that the form is not being submitted by a robot.
(Of course this will not stop a human, but it will stop the most basic bots that just run around looking for any forms they can submit without a specific purpose.)
A CAPTCHA can be easier or harder to crack, which also usually means that it will be more or less annoying for your visitors.
There are plenty of options out there (now that you have the term to search for), so you can find one you like. ReCAPTCHA is a relatively popular one.
Two alternatives:
1. Email verification-- you can require that all submissions are verified by email-- when the form is submitted it is stored somewhere temporarily (a database?) then a verification email is sent to the user; when the user clicks on a link in that email or enters a code from that email, the original content of the form is submitted/emailed/whatever.
This is more often used for forum signups and so forth, but it's possible. It's more work for both you and the users, but it's also probably more reliable than a CAPTCHA.
2. Because most of the spam you receive will be from unintelligent bots that don't specifically target your site, literally any kind of limit/filter will probably stop 90% of the spam. So you can use a CAPTCHA-alternative, like a checkbox that says "Check this if you are not a robot" or something along those lines. Be more or less creative with it, but you'll find that even a very minimal filter like that will do a lot against the bulk of the spam messages. It won't work if someone targets your site specifically, but from what you said that's not the case.
Regardless of what you do, you will need PHP (or another serverside language-- ASP, CGI, Perl, etc.) because you'll need to process the form yourself to stop the automated submissions.
keyboard
08-10-2012, 03:25 AM
One thing to add -
Most spam bots just fill out every field they can find on a form, so if you add a hidden field to your form and there is a value in it, the submitter is probably a spam bot...
This is called a honeytrap.
djr33
08-10-2012, 04:40 AM
That's a good point-- as probably the very easiest solution to the problem, that would work well. It still requires PHP, but for verification it would simply be one line of code-- "if [value exists], [stop]".
One thing I wonder about though is how much of the spam is actually sent through the webpage. Is that true? Or is it often the case that they simply take the form's action (submitting URL) and submit remotely?
I've heard cases of both, but I don't know which is more common in these random bot attacks.
If it's submitted remotely, then a passive filter ('if something extra exists') might not block it.
keyboard
08-10-2012, 05:45 AM
One more thing WorldWiz -
I'd suggest having a look through this (http://www.dynamicdrive.com/forums/showthread.php?t=69315) thread.
We had a discussion about captchas and you may find it useful.
As for what you said djr33, you could set a session variable on the form and if it isn't there when the form is submitted - they've skipped the form.
djr33
08-10-2012, 06:02 AM
As for what you said djr33, you could set a session variable on the form and if it isn't there when the form is submitted - they've skipped the form.
That's a good idea and easy. But it only means that they visited the website at some point (recently) before submitting the form-- it might still be submitted externally. Checking the HTTP_REFERER info in PHP might help, but because that's voluntary information (usually correct when sent by a browser, but probably not by a malicious bot) it won't help much here.
Checking a session variable won't hurt anything though and it's a reasonable idea. At least that way it would block any automated submissions if your URL happens to end up on a "spam here" list. (I don't know if those exist, but I imagine they might-- databases of pages that have forms.)
And while I'm replying again, one more point to add: you will need to keep this filter on the website forever. Just because the spam goes away with it doesn't mean they've stopped trying. In the first place they probably can't tell if you receive the messages or not, so they'll have no idea that their attempts are being blocked. They'll keep "sending" it and nothing will happen. You could put a warning on the website: "Spam detected. Message not sent." But 1) that might inspire them to become more clever about getting around your filter and 2) they probably wouldn't ever bother reading it to be honest. The goal of spam like this is bulk not quality.
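The following is an added example, not code posted by keyboard or djr33, showing how the two ideas in this thread (a hidden "honeytrap" field that a bot fills but a human never sees, and a session token minted when the form page is rendered and required on submit) fit together in one PHP handler. The field names `website_url` and `form_token`, the file names `contact.php` and `thanks.html`, and the two-second "too fast" threshold are my own choices; the code assumes PHP 7.1 or later for `random_bytes()` and nullable return types.

```php
<?php
// Added example (not from the thread): a minimal contact-form handler combining
// keyboard's hidden honeytrap field with djr33's session-variable check.
// Field/file names below are assumptions, not anything the thread specified.
session_start();

// Step 1: when rendering the form, mint a one-time token and remember it in the session.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_issued_at'] = time();
    return $token;
}

function render_form(): string {
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="contact.php">
  <label>Name <input type="text" name="name"></label>
  <label>Email <input type="email" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <!-- Honeytrap: hidden from humans via CSS; bots that fill every field still hit it. -->
  <div style="display:none" aria-hidden="true">
    <label>Website <input type="text" name="website_url" autocomplete="off" tabindex="-1"></label>
  </div>
  <input type="hidden" name="form_token" value="$token">
  <button type="submit">Send</button>
</form>
HTML;
}

// Step 2: on submit, decide before doing anything expensive (like sending mail).
// Returns null when the submission looks human, otherwise a short reason for the log.
function reject_reason(array $post, array $session): ?string {
    // Honeytrap: a human never sees the field, so any value means a bot.
    if (isset($post['website_url']) && $post['website_url'] !== '') {
        return 'honeytrap filled';
    }
    // Session token: missing means the form page was never loaded in this session
    // (a direct POST to the action URL); a mismatch means a stale or forged token.
    if (empty($session['form_token']) || empty($post['form_token'])) {
        return 'no form token';
    }
    if (!hash_equals($session['form_token'], (string) $post['form_token'])) {
        return 'token mismatch';
    }
    // Optional: a submission within two seconds of loading the page is suspicious.
    if (isset($session['form_issued_at']) && time() - $session['form_issued_at'] < 2) {
        return 'submitted too fast';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = reject_reason($_POST, $_SESSION);
    // Invalidate the token either way so a replayed POST cannot reuse it.
    unset($_SESSION['form_token'], $_SESSION['form_issued_at']);
    if ($reason !== null) {
        // Drop silently, as djr33 suggests: the bot is not told why it failed.
        error_log('contact form dropped: ' . $reason);
        header('Location: thanks.html');
        exit;
    }
    // ... message passed the filters: validate the visible fields and send it here ...
    header('Location: thanks.html');
    exit;
}

echo render_form();
```

The rejected and accepted paths redirect to the same page on purpose, which is the "don't tell them it failed" point made above; the only record of a drop is the server log, which is also where you would watch to confirm the filter is still catching traffic months later.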
keyboard
08-10-2012, 06:17 AM
Oh... one more thing I just thought about-
If a spam bot tries to spam your site and fails, chances are it'll just move on. As djr33 said, "The goal of spam like this is bulk not quality." If it fails, it'll just try a different website.
Your security doesn't have to be military grade or anything like that; it just has to be good enough to stop the basic spam bots.
djr33
08-10-2012, 06:57 AM
Your security doesn't have to be military grade or anything like that; it just has to be good enough to stop the basic spam bots.
Absolutely. But--
If a spam bot tries to spam your site and fails, chances are it'll just move on. As djr33 said "The goal of spam like this is bulk not quality." if it fails, it'll just try a different website.
As I said, the problem is that often it's not clear that it fails. On my personal site for example, I used to receive about one spam email per day on my contact form. Then I added some very basic measures against bots and I haven't received any (non-human) spam since. I assume they're still trying to send it though, because they never saw that I received it in the first place. A lot of spam is sent blindly hoping that some of it might get through.
bernie1227
08-10-2012, 07:02 AM
I assume they're still trying to send it though, because they never saw that I received it in the first place. A lot of spam is sent blindly hoping that some of it might get through.
A great example of this is the dozen banned Dynamic Drive members who still go on every day (clearly showing that they are bots) and yet they still come on and try to find a way through. Back to the original question, you can just set up some simple form validation if you want a quick fix.
WorldWiz
08-11-2012, 02:54 AM
Thanks for all the info. I forgot all about CAPTCHA. I'm trying to insert RECAPTCHA now, but I'm stuck at programming the human verification part, given that I'm not very literate in web design. I've inserted the html for the captcha into my page, but now I don't know how to "do a POST with the given parameters." Can anyone help me out? By the way, I already have validation checks for other field boxes, and I have a validation page that the user is redirected to, so ideally I'd just like a simple pop-up alert for when the form fails the captcha check. Thanks.
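The "do a POST with the given parameters" step is the server-side half of any CAPTCHA: the browser submits the challenge response along with the form, and your PHP sends it to the CAPTCHA vendor's verification URL and only proceeds if the vendor says it is valid. The block below is an added example, not the reCAPTCHA library's own code nor anything from this thread, and it uses the current reCAPTCHA v2 `siteverify` endpoint and the `g-recaptcha-response` form field, which postdate the 2012 library WorldWiz was following and therefore use different parameter names than that tutorial. `RECAPTCHA_SECRET` is a placeholder for the secret key from the reCAPTCHA admin console.

```php
<?php
// Added example (not from the thread or the reCAPTCHA library): server-side
// verification of a reCAPTCHA v2 response via the siteverify endpoint.
// The secret below is a placeholder; obtain the real one from the reCAPTCHA console.
const RECAPTCHA_SECRET     = 'REPLACE_WITH_YOUR_SECRET_KEY';
const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Returns true only when the vendor confirms the token. Any transport failure,
// non-200 status or unparseable body counts as "not verified" (fail closed).
function recaptcha_verified(string $response_token, string $remote_ip): bool {
    if ($response_token === '') {
        return false;
    }
    $ch = curl_init(RECAPTCHA_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => RECAPTCHA_SECRET,   // server-side key, never sent to the browser
            'response' => $response_token,    // value of the g-recaptcha-response field
            'remoteip' => $remote_ip,         // optional, lets the vendor correlate abuse
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true,       // keep TLS verification on for the vendor call
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return false;
    }
    $result = json_decode($body, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = (string) ($_POST['g-recaptcha-response'] ?? '');
    if (!recaptcha_verified($token, $_SERVER['REMOTE_ADDR'] ?? '')) {
        // Report failure as a pop-up, matching the rest of the page's validation style.
        // The alert text is a fixed string; no user-supplied data is echoed into the script.
        http_response_code(400);
        echo '<script>alert("captcha not accepted");</script>';
        exit;
    }
    // ... captcha accepted: run the existing field validations and send the message ...
}
```

The verification call must happen on the server, never in JavaScript, because the secret key and the decision both have to stay out of the bot's reach; a client-side "captcha accepted" check is trivially skipped by posting straight to the action URL, which is the same weakness djr33 raised for the honeytrap.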
djr33
08-11-2012, 08:11 AM
Aside from actually doing it for you, it's difficult to explain if you don't have that background. However, ReCAPTCHA is very popular so you should be able to look up a tutorial-- maybe try youtube for a video tutorial.
And if that doesn't work, I'm certain you can find a very detailed tutorial on another CAPTCHA. For your current situation, there won't be a big difference from one to another, just whatever is easiest to set up.
WorldWiz
08-11-2012, 09:03 PM
Cool. I've got the captcha working based on a youtube tutorial, so now my last question is, how do I code the texts ("captcha accepted" and "captcha not accepted") to appear as pop-ups instead of as text at the top of the page?
djr33
08-11-2012, 11:36 PM
You'd have to edit the recaptcha code to do that, and I'm not sure exactly how/where you'd do it. It shouldn't be too hard, honestly-- just replace them with script tags and alert() code, but it might be hard to find it and to make them work properly. If you have trouble, 1) see if anyone has tried something similar; or 2) you might want to look into another captcha script that is more customizable or easier to modify-- or just leave it as is.