If you have a website with a contact form, it is highly likely that you have received spam. No, not the canned meat popularised during the Second World War. The spam I am referring to is the unsolicited messages that arrive through your website's forms, or directly in your email inbox.
There are two types of spam: the kind that is sent directly to your email address, and the kind I will be focusing on, which comes from spambots filling in the forms on your site. I will be ignoring the first type, as it is unavoidable and your email provider will likely have intelligent spam filters that remove it from your inbox for you.
The problem with spam that comes through your website is that you have very little control over it. Once the form is submitted, your website sends the message straight to your inbox. Your email provider cannot easily filter these messages: they are sent by your own server, from a known address (your website), and they have the same format as every genuine enquiry sent from that form, so sender reputation and content filters have little to go on. To tackle this we first need to understand how a spambot works.
How do spam bots fill out the form?
The term “spambot” covers a wide array of tools that crawl websites and automatically submit whatever forms they find. Many such programs are freely available, XRumer being a well-known example. They are quick to set up, and once started they need no user interaction.
One of the first steps is to give the software a list of websites. These can be bought, or the tool can find sites itself through large search engines such as Google. Once it reaches a site it crawls every public page; if a page has a form, it fills the form in and submits it to see what response it gets. This is the point at which we will try to stop it going any further.
Some spambots are sales spambots: they post sales pitches to forums, asking users to follow a link and buy something that is too good to be true. If a user fills in the linked form with their details, those details are then used for nefarious purposes.
Steps we can take to reduce spam
There are a number of steps we can take to stop spambots filling out the forms on your site. Some are more intrusive than others, and the intrusive ones are likely to reduce the number of genuine customers completing your forms. We often use several methods together, as some spambots are able to bypass any one of the steps below.
#1 CAPTCHA
CAPTCHAs, like Google reCAPTCHA, are one of the more visible ways to stop spambots. They are popular and reasonably effective.
This is an intrusive method: it adds friction for every visitor, it is a barrier for users with accessibility needs, and a determined spammer can route CAPTCHAs to paid human solving services. We would only advise using it if the other methods are not as effective as we would like.
#2 Maths question
A maths question is another visible spam prevention. This is a field within your form that asks a simple sum such as 3 + 2. A human can easily answer it, but a simple spambot cannot, because it uses the names of the fields to decide what to put in them: in a "Name" field, for example, it will enter a generic name, and it has no rule for a field asking for a sum. If the answer is wrong or missing, the form is rejected. The check must be done on the server, and the expected answer must never be placed in the page (for example in a hidden field), otherwise the bot can simply read it back.
This is another intrusive method, and as with CAPTCHA we would only advise using it if the other methods are not working. We would try CAPTCHA before this method.
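The following is an added example of how a maths challenge can be checked safely; it is not code from the original post or from Gecko. The question is generated on the server, only a random challenge id goes to the browser, and the expected answer stays in a server-side store (here an in-memory dictionary standing in for a session store, which is an assumption of the example). Each challenge is single use, so an answer cannot be replayed, and it expires after a fixed time.

```python
import operator
import secrets
import time

# Constructed stand-in for a server-side session store: challenge id -> (answer, expiry).
# Assumption: a single process. Behind a load balancer use a shared store instead.
_CHALLENGES = {}
CHALLENGE_TTL = 600  # seconds a challenge remains answerable

_OPS = {"+": operator.add, "-": operator.sub, "x": operator.mul}


def new_challenge(now=None):
    """Create a fresh question and remember only the answer on the server.

    Returns (challenge_id, question_text). The browser receives the id and the
    question, never the answer, so a bot cannot read it out of a hidden field.
    """
    now = time.time() if now is None else now
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    sym = secrets.choice(list(_OPS))
    if sym == "-" and b > a:  # keep the answer non-negative for humans
        a, b = b, a
    cid = secrets.token_urlsafe(16)
    _CHALLENGES[cid] = (_OPS[sym](a, b), now + CHALLENGE_TTL)
    return cid, f"What is {a} {sym} {b}?"


def check_answer(challenge_id, submitted, now=None):
    """Validate and consume a challenge.

    Returns True only for a correct, unexpired, first-time answer. An unknown
    id, a replayed id, an expired challenge or a non-numeric answer all fail
    closed, which is what the form handler should treat as "reject".
    """
    now = time.time() if now is None else now
    entry = _CHALLENGES.pop(challenge_id, None)  # one shot: a second try fails
    if entry is None:
        return False
    expected, expires = entry
    if now > expires:
        return False
    try:
        return int(str(submitted).strip()) == expected
    except ValueError:
        return False
```

In the form handler, `new_challenge()` runs when the page is rendered, the id is written into a hidden field and the question text beside the answer box, and `check_answer()` runs on submission before the message is forwarded.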
#3 Honeypot
A honeypot tricks the bot into filling in a hidden field within the form. If that field is populated, the form is rejected. To make this work you need an inviting field name such as “url” or “email”, as most spambots look for these fields specifically. Hide the field with CSS rather than using type="hidden", because bots tend to leave hidden inputs alone but fill every text field they see; and set autocomplete="off" on it, otherwise a browser's autofill can fill the honeypot for a genuine visitor and get them rejected.
This method is non-intrusive to the user, as they should never see the field at all.
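As an added example (not code from the original post or from Gecko), here is a form fragment with a honeypot field and the server-side check that goes with it. The field name `url`, the CSS used to hide it and the sample submissions are all constructed for the example.

```python
import html

HONEYPOT_FIELD = "url"  # inviting name; the real form has no field called this


def render_contact_form(action="/contact"):
    """Return the form HTML with a honeypot field that humans never see.

    The honeypot is a normal text input moved off-screen with CSS rather than
    type="hidden", because many bots skip hidden inputs but fill every text
    field. tabindex="-1" keeps keyboard users out of it, aria-hidden keeps it
    out of screen readers, and autocomplete="off" stops browser autofill from
    populating it for a genuine visitor.
    """
    return f"""
<form method="post" action="{html.escape(action)}">
  <label>Name <input name="name" type="text"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div style="position:absolute; left:-10000px; width:1px; height:1px; overflow:hidden;" aria-hidden="true">
    <label>Website <input name="{HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>"""


def honeypot_tripped(form_data):
    """True when the hidden field carries any non-whitespace value.

    form_data is a mapping of submitted field names to values (the parsed POST
    body). A human submission has the honeypot missing or empty.
    """
    return bool(str(form_data.get(HONEYPOT_FIELD, "")).strip())


def accept_submission(form_data):
    """Decide whether to forward the message to the site owner.

    Returns False for a tripped honeypot or missing required fields. The
    handler should still show the bot the normal "thanks" page so it gets no
    signal that it was caught.
    """
    if honeypot_tripped(form_data):
        return False
    required = ("name", "message")
    return all(str(form_data.get(f, "")).strip() for f in required)
```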
#4 Bot trap
When a spambot crawls your site it visits every page, following each link in turn. If we add a link to every page that we tell Google to ignore (disallowed in robots.txt and marked rel="nofollow") but that a spambot will still follow, any visitor to that URL is a bot, and we can ban its IP address from viewing the site.
This is another non-intrusive method, but it has an unintended drawback. If a genuine user accidentally navigates to the trap URL (or their browser prefetches it), they will be banned from using the site. I would not advise using this method for that reason alone.
#5 User Token
A user token is a unique string of characters attributed to a single visitor. It is normally stored in a cookie in the visitor's browser, and as a strictly necessary cookie it generally falls under the exemption from the cookie-consent rules. On every form on the site the same token is added to a hidden field. If the hidden field is missing, or does not match the token in the cookie, the form is rejected. This works because most spambots do not store cookies, so they can never send back a matching pair.
The user token method is another non-intrusive one, and one we apply to every site we build at Gecko.
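The following is an added example of the user token check, not code from the original post or from Gecko. It signs the token with an HMAC so a bot cannot mint its own, gives it an expiry, and requires the cookie copy and the hidden-field copy to be present and identical. The secret key and the one-hour lifetime are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a random, per-deployment secret loaded from configuration.
SECRET_KEY = b"replace-with-a-random-32-byte-server-secret"
TOKEN_TTL = 3600  # seconds a token stays valid


def _mac(body):
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Mint a token to set in a cookie and echo in every form's hidden field.

    Format: <random id>.<issued at>.<hmac>. The MAC means a bot that simply
    invents a value for the hidden field fails verification.
    """
    now = int(time.time() if now is None else now)
    body = f"{secrets.token_urlsafe(16)}.{now}"
    return f"{body}.{_mac(body)}"


def token_valid(token, now=None):
    """Check the signature and age of a single token string."""
    now = int(time.time() if now is None else now)
    try:
        uid, issued, mac = token.split(".")
        issued = int(issued)
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(mac, _mac(f"{uid}.{issued}")):
        return False
    return 0 <= now - issued <= TOKEN_TTL


def submission_allowed(cookie_token, form_token, now=None):
    """Accept only when cookie and hidden field carry the same valid token.

    A spambot that does not store cookies sends no cookie at all, so it
    fails the first check; one that fabricates a matching pair fails the
    signature check.
    """
    if not cookie_token or not form_token:
        return False
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False
    return token_valid(cookie_token, now=now)
```

The cookie should be set with `HttpOnly`, `Secure` and `SameSite=Lax` so it is only ever sent back by the visitor's own browser on a same-site form post.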
#6 User IP address
If there is a flood of form submissions from the same IP address within a short period, that flags to the system that a spambot is at work. The IP address is then blocked from accessing the site, therefore preventing that particular spambot from doing it again.
This is another non-intrusive method, but it has the same drawback as the bot trap. Many genuine users share one IP address (an office, a school, a mobile network), so if several of them fill in the form within a short time they will all be banned from using the site. For this reason, I would not advocate using it on a site.
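As an added example (not code from the original post or from Gecko), this is the detection half of the IP method: a sliding-window count of submissions per address, plus the one check a practitioner must get right first, which is deciding which address to count. The window, the limit, the proxy address and the sample submissions are all constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumption: look at the last ten minutes
MAX_SUBMISSIONS = 5    # assumption: more than this in the window is suspicious


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """Choose the address to count against.

    X-Forwarded-For is attacker-controlled unless the direct peer is a proxy
    you run; trusting it blindly lets a bot spread its submissions over fake
    addresses (or get a victim banned). With one trusted proxy, the right-most
    entry is the one that proxy appended, so that is the real client.
    """
    if x_forwarded_for and remote_addr in trusted_proxies:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


class SubmissionRateLimiter:
    """Sliding-window counter of form submissions per client IP.

    record() returns True when the address has just exceeded the limit. Whether
    to ban, challenge (for example with a CAPTCHA) or merely log at that point
    is a policy decision; the drawback described above is that one address
    often hides many genuine users behind NAT.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_SUBMISSIONS):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)  # ip -> timestamps inside the window

    def record(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # drop hits that have aged out
            q.popleft()
        q.append(now)
        return len(q) > self.limit

    def count(self, ip, now):
        """Submissions from ip still inside the window at time now."""
        q = self._hits.get(ip, deque())
        return sum(1 for t in q if now - t < self.window)
```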
#7 Akismet
Akismet is a WordPress anti-spam plugin backed by a vast library of data on what is and is not spam. If you run a WordPress site I would highly recommend installing and using Akismet, as WordPress is one of the hardest-hit platforms for spam.
Got any questions on website spam? Get in touch with us.
- Pete