Why do spammers fill out forms
Fight spambots without captcha
Contact forms are a good way to give visitors to your own website or blog the opportunity to get in touch. But bots have always been interested in pushing unwanted advertising through these channels. The great advantage of contact forms for spammers is that the mail generated by the form is very likely to actually be read. There are now various solutions to keep bots from filling out forms on your own website. One of the more well-known solutions is e.g. Both solutions are not optimal for real website visitors and can quickly become a nuisance. One should also assume that Google records user data such as the IP address, user behavior and browser details. Without a suitable privacy notice, using it can therefore be problematic.
What do spambots actually do?
Before we look at the possible solutions, first some interesting background on how most bots work. Bots are basically scripts that automatically crawl the Internet for websites and scan them for forms, e-mail addresses and other information. The spambot jumps from page to page by following the links it finds. The Google spider basically does nothing else: it visits a page, analyzes the content, sends information to the Google server and then jumps on to the next page. The big difference between bots from e.g. Google and bots from spammers is their behavior with regard to forms. Google bots don't fill out forms; spambots love forms.
Advantages of spambots
Approaches to fighting spambots
A normal visitor needs a certain minimum amount of time to fill out a contact or comment form, and will not leave the page open forever either. You can safely assume that at least 10 seconds pass between visiting the page and sending the form. Bots do this job in seconds. So we only have to find out how much time has passed between the page loading and the submission of the form in order to identify probable bots.
Combined with the honeypot field described below, a bot that visits our site and wants to submit the form must first get past the honeypot field without touching it and then submit the completed form within the expected time window.
Implementation with PHP, HTML and CSS
First, let's take a look at our HTML form with appropriate background information on the respective fields.
In the example we first have our normal input fields for name, e-mail, and the message to be sent. Then I built in a so-called nonce field for demo purposes. The "nonce" is meant to ward off cross-site request forgery attacks and should be used in every form on your site. Practically all CMS systems and frameworks offer this function, and it should definitely be used. In the demo the field is present but not wired to any checking logic.
The form gets interesting at the next input field, named "subject". This field is our honeypot field. The name of the form field is chosen so that a bot registers it as a subject field and fills it in accordingly. The form field is hidden via CSS and is therefore not visible to normal visitors. We hide the field via CSS rather than using an input of type "hidden", since bots simply ignore hidden-type form fields.
Our timer is located after our honeypot field. In the timer field we place an encrypted timestamp that is generated with PHP and inserted when the page is rendered. We also hide this field via CSS and give it a name that is interesting for bots in order to provoke changes to the field. In our contact.php file, which processes the requests, this field is then decrypted and checked. Of course, we also take the opportunity to check whether a bot has made changes to the field.
Below is the function that is responsible for creating the encrypted timestamp.
We use the PHP function openssl_encrypt to encrypt the timestamp field. We pass it the current timestamp, the encryption method, a key and an initialization vector. The function also tests whether the selected encryption method is available and terminates the script if this is not the case. The timestamp field then looks like this in the finished form.
We come to contact.php, in which we process the request received. Let's start with our honeypot field. As previously described, this field must be empty; if it is filled in, the request most likely comes from a bot. We test whether the POST variable is present and whether it is an empty string as expected. In the demo we end the execution if the subject field has not been passed at all.
In the next step we take care of our timestamp variable. It must be passed to us, and it must also be possible to decrypt it successfully. If the decryption does not work, the input field has been edited, which means that the bot or user on the other side has tampered with the form. So the request is blocked. If the timestamp field can be decrypted, we compare the current time with the transmitted time and check the elapsed seconds against our minimum and maximum values.
If the $failmessage variable is true after execution, the chances are good that the request came from a bot. The variable $honeypot contains the text that was entered in our honeypot field, or is empty if the field has not been filled in. The $timeError variable is set to true if there was a problem decrypting the transmitted data, or if the elapsed time fell below the minimum or exceeded the maximum. Finally, the output of contact.php in our demo.
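As an added example that is not the post's demo code, here is a compact PHP version of both parts described above: the function that creates the encrypted timestamp and the contact.php checks on the honeypot and timer fields. The key, the field names "subject" and "timer", and the 10 s / 1 h window are assumptions.

```php
<?php
// Added example (not the post's demo code): encrypted timestamp token plus the
// honeypot and timer checks from contact.php. Assumptions: key and IV handling
// below are placeholders, the honeypot field is "subject", the timer field is
// "timer", and the window is 10 s minimum / 1 h maximum.
const CIPHER   = 'aes-256-cbc';
const KEY      = 'placeholder-secret-32-bytes-long!';  // keep a real key outside the web root
const MIN_SECS = 10;    // faster than this is almost certainly a bot
const MAX_SECS = 3600;  // older than this: stale page, treat as invalid

function makeTimestampToken(int $now): string {
    if (!in_array(CIPHER, openssl_get_cipher_methods(), true)) {
        exit('Cipher not available');   // the post's demo terminates here as well
    }
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));   // fresh IV per page load
    $ct = openssl_encrypt((string)$now, CIPHER, KEY, OPENSSL_RAW_DATA, $iv);
    // The IV travels with the ciphertext; base64 keeps it safe inside value=""
    return base64_encode($iv . $ct);
}

function checkSubmission(array $post, int $now): array {
    // Honeypot: the field must be sent (a missing field means the form was altered) and be empty
    $honeypot    = $post['subject'] ?? null;
    $failmessage = ($honeypot === null || $honeypot !== '');
    $timeError   = true;
    $raw   = base64_decode($post['timer'] ?? '', true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw !== false && strlen($raw) > $ivLen) {
        $stamp = openssl_decrypt(substr($raw, $ivLen), CIPHER, KEY,
                                 OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
        // A tampered token usually fails decryption (false); ctype_digit catches the
        // rare case where damaged ciphertext still decrypts to bytes with valid padding
        if ($stamp !== false && ctype_digit($stamp)) {
            $elapsed   = $now - (int)$stamp;
            $timeError = ($elapsed < MIN_SECS || $elapsed > MAX_SECS);
        }
    }
    return ['failmessage' => $failmessage || $timeError,
            'honeypot'    => (string)$honeypot,
            'timeError'   => $timeError];
}

// Constructed demo: page rendered at $t0, then two submissions against it
$t0    = time();
$token = makeTimestampToken($t0);
$bot   = ['subject' => 'Cheap offer', 'timer' => $token];   // filled honeypot, 2 s later
$human = ['subject' => '', 'timer' => $token];              // empty honeypot, 45 s later
var_dump(checkSubmission($bot, $t0 + 2));
var_dump(checkSubmission($human, $t0 + 45));
```

Because the IV is sent along with the ciphertext, it may be public; only the key must stay secret, and rotating the key invalidates every token issued before the rotation.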
I have provided all data from the demo that was created for this post in this .zip file for you. Download
Simply built bots can be locked out quickly with these first measures. One advantage of these measures is that real visitors do not notice them at all. What is missing from our demo is further logic that blocks possible attackers after several attempts. A temporary block or a blacklist would be conceivable, but the legal viability of a blacklist under the GDPR is unfortunately questionable. It is also possible to let the bot believe the request succeeded while taking no action in the background. Alternatively, it would be possible to show the bot a 404 error page and trick it into thinking that the form leads nowhere.
If you have any further tips for the fight against form spam on your own website, please feel free to leave them in the comments.
I am also happy to help with implementing solutions against spam. Contact me or find out more about my other website creation services.