Prevent Form Spam - How to reduce and/or prevent spam sent by Contact Us forms

Banning user agents based on IP address can be a waste of time if the IP address is spoofed. If someone is smart enough to create a spam-bot, they're also smart enough to spoof the IP address sent with the request.

Open your stylesheet and add a new style class that suppresses the display of a particular class.

input.my_url{display:none;}

Open your Contact form and add a field named "my_url" near the submit button.

<input type="text" name="my_url" class="my_url" value="">

In your script which validates user input for the Contact form, evaluate the contents of $_POST['my_url']. It should be empty. The stylesheet should have suppressed display to humans, but a spam robot would likely enter a value.

<?php if(!empty($_POST['my_url'])){ die('Have a nice day elsewhere.'); } ?>

Another technique is to instantiate sessions using PHP. This should initialize $_COOKIE['PHPSESSID']. Simply suppress the display of your Contact form if $_COOKIE['PHPSESSID'] is not set, and echo a statement about cookies being required for form submission. This is relatively easy to do, and may prevent some spambots from ever seeing your Contact form.

While using PHP sessions, generate a random string when the user first arrives at the site, and save it in a session variable. On the Contact form, break up the random string into about 4 chunks, each displayed using a different font color. Ask the user to enter the red characters in a box near the submit button. Validate the submitted data and generate an error message if the wrong value is posted. An example of this is available here. Robots won't be able to guess the random string. A red string of letters is easier for the user to deal with than skewed Captcha images.

Using random questions and answers can also work, but if the site evolves into a multi-language site, then there are more translations required. Usage of a randomly generated string is less hassle than translating a bunch of questions and answers.

Spambots often post the same data to multiple fields, often "http://" or "[url". Most validation scripts loop through the $_POST variables. When looping through the $_POST values, conditionally increment a counter.

<?php
$http_counter = 0;
foreach($_POST as $key => $val){
   if(stristr($val, 'http://')){ $http_counter++; }
   if(stristr($val, '[url=')){ $http_counter++; }
}
// Legitimate users might enter one URL in their message.
if($http_counter > 1){ die('Have a nice day elsewhere.'); }
?>

Validate fields against one another ... disallow the posting the same value to multiple fields. Proper validation of user input is key to beating form spam.

Refrain from displaying email addresses on web page in text form. Display images instead, or force users to use the Contact form in order to help measure user interest in the site.

You can find some examples of PHP code for forms and validation of user input by visiting this project where you can select a MySQL database, select a table, and then select the type of code to generate. The selected table is analyzed and a variety of forms generated in a few seconds. For your other form needs, see also PHP Form Generator.