Why do spammers fill out forms

Fight spambots without captcha

Contact forms are a good way to give visitors to your own website or blog the opportunity to get in touch. But bots have always been interested in sending unwanted advertisements through these channels. The great advantage of contact forms for spammers is that the mail resulting from the form is very likely to actually be read. There are now various solutions to prevent bots from filling out forms on your own website. One of the more well-known solutions is e.g. Both solutions are not optimal for real website visitors and can quickly become a disruptive factor. One should assume that Google records user data such as the IP address, user behavior and browser details. Without a suitable data protection notice, its use can be problematic.

What do spambots actually do?

Before we look at the possible solutions, first some interesting information about how most bots work. Bots are basically scripts that automatically crawl the Internet for websites and search them for forms, e-mail addresses and other information. The spambot jumps from page to page by following the links on the page. The Google Spider basically does nothing else: it visits a page, analyzes the content, sends information to the Google server and then jumps to the next page. The big difference between bots from e.g. Google and those of spammers is their behavior in relation to forms. Google bots don't fill out forms; spambots love forms.

Advantages of spambots

Spambots are tuned for speed and at the same time try to use as few resources as possible. Spammers favor quantity over quality, and time is money. Running a spam server costs money, and in most cases the spam messages sent have little chance of success. The aim is to send as many spam messages as possible. A large number of bot instances run simultaneously on each server and browse the Internet at the same time. In order to be able to run more bots per server, bots send simple requests to web servers. The returned HTML code is then analyzed. Supplied CSS or JavaScript code is usually not interpreted in order to save resources and time.

Approaches to fighting spambots

So we know roughly how spambots work and what goals the bots pursue. A bot that comes to your website scans all sub-pages, stops at every form it finds and tries to fill it out and send it off. We can assume that the majority of bots ignore things like CSS and JavaScript. This fact, which can also be seen as an advantage for spambots, can be used to our advantage.


A honeypot is an area of your own website that is made invisible or unrecognizable for normal visitors. In our case we will build a honeypot in the form of an input field in our form. This field is then hidden via CSS or, if desired, via JavaScript. Spambots that visit our site and find the contact form see the honeypot as a normal input field and are tempted to fill it out. When processing the form, a short check of whether the honeypot input field has been filled out is sufficient to assume with a fair degree of certainty that the request was sent by a robot.


A normal visitor needs a minimum or maximum time to fill out a contact or comment form. You can safely assume that at least 10 seconds pass between visiting the site and sending the form. Bots can do this job in seconds. So we just have to find out how much time has passed between the page loading and the submission of the form in order to identify possible bots.

With these changes, bots that visit our site and want to submit forms must first get past the honeypot field and then submit the completed form at the right time.

Implementation with PHP, HTML and CSS

First, let's take a look at our HTML form with appropriate background information on the respective fields.

In the example we first have our normal input fields for name, e-mail, and the message to be sent. Then I built in a so-called nonce field for demo purposes. The "nonce" is supposed to ward off cross-site request forgery attacks and should be used in every form on your site. Practically all CMS systems and frameworks offer this function, and it should definitely be used. In the demo the field is included but has no function behind it.

The form becomes interesting at the next input field, which has the name “subject”. This field is our honeypot field. The name of the form field is chosen so that bots register it as a subject field and fill it in accordingly. The form field is hidden via CSS and is therefore not visible to normal visitors. We hide the field via CSS, since bots would ignore form fields of the "hidden" type.

Our timer is located after our honeypot field. In the timer field we place an encrypted timestamp that is generated and inserted when the page is created using PHP. We also hide this field via CSS and give it a name that is interesting for bots in order to provoke changes to the field. In our contact.php file that processes the requests, this field is then decrypted and checked. Of course, we also take the opportunity to check whether a bot has made changes to the field.

Below is the function that is responsible for creating the encrypted timestamp.

We use the PHP function openssl_encrypt to encrypt the timestamp field. We pass it the current timestamp, the encryption method, a key and an initialization vector. The function also tests whether the selected encryption method is available and terminates the script if this is not the case. The timestamp field then looks like this in the finished form.

Now we come to contact.php, in which we process the received request. Let's start with our honeypot field. As previously described, this field must be empty; if it is filled in, the request most likely comes from a bot. We test whether the POST variable is present and whether it is an empty string as expected. In the demo we end the execution if the subject field has not been passed.

In the next step we take care of our timestamp variable. This must be handed over to us and it must also be possible to decrypt it successfully. If the decryption does not work, the input field has been edited. This means that the bot, or the user on the other end, has undesirable intentions. So the request is blocked. If the timestamp field can be decrypted, we compare the current time with the transferred time and check the elapsed seconds against our minimum and maximum values.

If the $failmessage variable is true after execution, the chances are good that the request came from a bot. The variable $honeypot contains the text that was entered in our honeypot field, or is empty if the field has not been filled in. The $timeError variable is set to true if there was a problem decrypting the transferred data, or if the elapsed time fell below or exceeded the threshold values. Finally, the output of contact.php in our demo.
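The two checks described above, from creating the timestamp field to testing it in contact.php, as an added example that is not the demo code from this post. It uses AES-256-GCM with openssl_encrypt so that an edited token reliably fails to decrypt; the cipher choice, the key handling, the timer field name `website`, the `hp` CSS class and the one-hour maximum are assumptions.

```php
<?php
// Added example, not the article's demo code. The key source, the timer field
// name "website" and MAX_SECONDS are assumptions.
const CIPHER = 'aes-256-gcm';   // authenticated mode: an edited token fails to decrypt
const MIN_SECONDS = 10;         // minimum fill-in time named in the article
const MAX_SECONDS = 3600;       // assumed upper bound
define('FORM_KEY', hash('sha256', 'placeholder-secret-load-from-config', true));

// Encrypt the page-load time; returns base64(iv . tag . ciphertext).
function create_timestamp_token(int $now): string
{
    if (!in_array(CIPHER, openssl_get_cipher_methods(), true)) { exit('Encryption method not available'); }
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));   // fresh IV for every page view
    $ct = openssl_encrypt((string) $now, CIPHER, FORM_KEY, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Honeypot and timer inputs for the form; the class .hp is hidden with CSS (display: none).
function render_trap_fields(int $now): string
{
    $token = htmlspecialchars(create_timestamp_token($now), ENT_QUOTES);
    return '<input class="hp" type="text" name="subject" value="" tabindex="-1" autocomplete="off">'
         . '<input class="hp" type="text" name="website" value="' . $token . '" tabindex="-1" autocomplete="off">';
}

// Seconds since page load, or null if the token is missing, edited or malformed.
function elapsed_seconds($token, int $now): ?int
{
    $raw = is_string($token) ? base64_decode($token, true) : false;
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen + 16) { return null; }
    [$iv, $tag, $ct] = [substr($raw, 0, $ivLen), substr($raw, $ivLen, 16), substr($raw, $ivLen + 16)];
    $plain = openssl_decrypt($ct, CIPHER, FORM_KEY, OPENSSL_RAW_DATA, $iv, $tag);
    return ($plain === false || !ctype_digit($plain)) ? null : $now - (int) $plain;
}

// The checks contact.php applies to $_POST: honeypot present and empty, time within bounds.
function looks_like_bot(array $post, int $now): bool
{
    $elapsed = elapsed_seconds($post['website'] ?? null, $now);
    $timeError = $elapsed === null || $elapsed < MIN_SECONDS || $elapsed > MAX_SECONDS;
    return ($post['subject'] ?? null) !== '' || $timeError;
}

// Constructed sample submissions: a visitor after 30 s, then a bot after 1 s.
$now = time();
var_dump(looks_like_bot(['subject' => '', 'website' => create_timestamp_token($now - 30)], $now));
var_dump(looks_like_bot(['subject' => 'Cheap pills', 'website' => create_timestamp_token($now - 1)], $now));
```

A token stays valid until MAX_SECONDS has passed, so a bot that waits can reuse it; the `tabindex` and `autocomplete` attributes keep keyboard users and browser autofill out of the hidden fields.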

I have provided all data from the demo that was created for this post in this .zip file for you.


Simply built bots can be locked out quickly with these first measures. One advantage of these measures is that real visitors do not notice any of them. What is missing in our demo is further logic that blocks possible attackers after several attempts. Conceivable options are a time block or a blacklist. The legal viability of a blacklist under the GDPR is unfortunately questionable. It is also possible to fake a successful request to the bot while taking no action in the background. At this point, it would also be possible to show the bot a 404 error page and trick it into thinking that the form does not lead to anything.

More intelligent bots that can, for example, send forms with a time delay and can also read CSS or JavaScript are unfortunately not very impressed by the measures shown above. Possible further safeguards would be, for example, the use of a one-time token that is stored in the session of each visitor and is queried and tested when the form is processed. If all else fails, you can of course always include a security question as a last resort.

If you have any further tips for the fight against form spam on your own website, please feel free to leave them in the comments.

I am also happy to help with the implementation of solutions against spam. Contact me or find out more about my other offers for website creation.