Form Spam... what solutions are working for you?
Compguy Pete
09-06-2007, 11:42 PM
OK, form spam has been driving me up the wall for a while now... Currently I'm fielding all the requests for some of my clients because of the problem it's become.
I know it's an issue and it must be driving others nuts as well.
IP address blocking is a rather narrow fix and doesn't stop those who send the junk once.
Plus, does anyone have any clue why this method has become so popular? In the past contact forms were only subject to the jerk who was bent on sending the site owner a hate message.
Kravvitz
09-07-2007, 12:48 AM
Most users have dynamic and/or shared IP addresses these days due to the huge shortage of public IP addresses in IPv4, so IP address blocking is more of a problem than it is a solution to this.
I have had this issue too.
One of the best and most common ways to deal with this (though I haven't used it myself yet) is to use what is known as CAPTCHA.
http://en.wikipedia.org/wiki/Captcha
http://www.evolt.org/securing_forms_random_image
http://www.sitepoint.com/article/toughen-forms-security-image/
http://blogs.securiteam.com/index.php/archives/208
http://www.devshed.com/c/a/PHP/Security-Images-in-PHP/
http://www.php-mysql-tutorial.com/user-authentication/image-verification.php
Auto-Image Verification (http://www.phpnoise.com/tutorials/1/1)
ryanbutler
09-07-2007, 09:03 AM
That or do server-side validation of form fields...no spam robot will waste its time with that.
Kravvitz
09-07-2007, 09:24 AM
There isn't much to validate in a lot of contact forms and it's easy to put something in the form of a valid email address.
I suppose another thing you could do would be to use form control names that didn't indicate what each was for and validated the one for an email address. A bot might not be able to figure it out.
tracknut
09-07-2007, 10:52 AM
I was registering on a dog forum the other day, and rather than a captcha they had a field with a question in front "what is another term for 'canine'?"
I thought it was a good way to create a field that could be validated without forcing us to screw our eyeballs around trying to figure out a captcha.
Dave
ryanbutler
09-07-2007, 11:14 AM
There isn't much to validate in a lot of contact forms.
You and I obviously work on entirely different forms for a daily living :D
and it's easy to put something in the form of a valid email address.
That's why you validate other fields...plus there's no REAL easy way to validate an email address. The only real reason I hate CAPTCHA at this point is because most of the images are terribly difficult to read.
Compguy Pete
09-07-2007, 11:36 AM
On the question system... that's the system we have in place here for the forums. The CAPTCHA has been broken by the bots using OCR, which does create a huge strike against it.
On top of that, CAPTCHA creates a barrier I would prefer not to put between the site readers and my clients. This is for comment/feedback forms; if it was for a forum I think using both systems is worth the time of the person filling it out and the site operator.
Ryan makes a good point on the validation script... but what if I take it a step further! Typically I have named all my fields to work with Autocomplete scripts... Perhaps that's half of my problem. So if I insert a script to validate the fields and rename the field for email to something non-emailish, that could be simple enough to beat the bot. What are your thoughts?
ryanbutler
09-07-2007, 12:21 PM
I don't think I completely follow...but at any rate, you shouldn't have to rename any of the fields. Just use PHP or another server-side language to validate there's something entered in the fields, or go a step further and use regular expressions to ensure you're getting the correct pattern of input. Whatever you do, don't put the email address of the recipient in the form HTML code, just in the server-side script.
We use ASP and ASP.NET with validation for our forms, but the spam keeps coming. For a while, there was one service that entered an email address into every field -- I guess just to make sure it was penetrating the validation.
You can over-validate forms, though. If you put in too much validation, with prompts for correction, it can really tick off the customer. We found this out when we constructed a "sensitive" form with very specific validation. If the customer was corrected more than once, then they wouldn't submit the form - to hell with it. :p
Recently, we've had a rash of user registration spam for a blog my employer hosts. We had to make registration open without moderation, because it is an evolving statewide blog. However, some service got hold of the form and started putting names and email addresses in there. It was a huge mess, in that we had to validate every legitimate user.
I just found this one (http://www.modernbluedesign.com/web-design-blog/fighting-spam-with-css/). It uses a hidden field created by CSS. Interesting ...
ryanbutler
09-07-2007, 03:53 PM
Not the best service...but with little spare time for my own site at times, it worked very well...no more spam.
http://www.protectwebform.com/
Compguy Pete
09-10-2007, 11:57 PM
Lee, that idea is awesome... I did a quick version of that on the form I'm having the greatest amount of spam submits... (4-200 a day)
I'll report back on this!
Compguy Pete
09-11-2007, 12:00 AM
Oh KDLA, if you use WordPress, here is a great way to weed out spam.
Spam Karma 2
http://unknowngenius.com/blog/wordpress/spam-karma/
aj_nsc
09-11-2007, 06:39 AM
Spam by robots is easy to take care of, it's the human spam that you really can't control.
Anyway, here's my method, worked 100% for robot spam.
Just create an extra hidden field for the form labeled something general like "comments" or "name" (if you already have a name field, consider renaming it to something else and name your hidden field "name").
Then, when the form is submitted, check to see if the hidden field has a value, if it does, then you know your form was submitted by a robot because no user has access to that field.
Worked excellent for me, no captchas necessary. Good luck.
Lee, that idea is awesome... I did a quick version of that on the form I'm having the greatest amount of spam submits... (4-200 a day)
I'll report back on this!
I'll be very interested to hear what happens.
Compguy Pete
09-18-2007, 12:02 AM
Well, I've been using this CSS hidden method for a good week or so now...
It looks like it's working much better than I could have hoped for! As you can imagine I can't force the bots to fill in the field so it's not 100% effective... Unless those few submits are human spammers, but here it is by the numbers:
Sept 11th-17th
12 total forms
2 leads
10 Spam
Sept 4th-10th
57 Total Forms
3 leads
54 Spam
So I think that for wanting the least amount of site reader hassle this is a good way to go! IF spam becomes a hassle as it has on this site.
Great! I'm going to try it now. Thanks. (Might be good for a write-up ... hint, hint)
Compguy Pete
09-18-2007, 05:28 PM
I got your hint... I'll put it on my list :)
torrents
12-01-2007, 12:06 PM
There's some timer scripts out there that will refuse to accept a form if it's been filled out within seconds. It was a forum hack thing I saw when trying to download stuff for my phpbb2 forum.
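The hidden-field check aj_nsc describes and the timer idea in the last post, combined into one server-side check as an added example (not code from any poster in this thread). It is written in Python for illustration; the field names `real_name` and `ts`, the secret, and both time thresholds are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site secret, never sent to the browser
HONEYPOT = "name"    # decoy field hidden with CSS; the real name field is renamed "real_name"
MIN_SECONDS = 5      # assumption: anything faster counts as "filled out within seconds"
MAX_AGE = 3600       # assumption: stale tokens are refused so a harvested form cannot be replayed


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for a hidden 'ts' field, generated when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return ts + "." + _sign(ts)


def classify(form, now=None):
    """Return 'ok', or the reason the submission is rejected."""
    now = int(time.time() if now is None else now)
    # 1. Honeypot: a human never sees this field, so any value means a bot filled it.
    if form.get(HONEYPOT, "").strip():
        return "honeypot-filled"
    # 2. Timer: the timestamp is HMAC-signed so a bot cannot simply backdate it.
    ts, _, mac = form.get("ts", "").partition(".")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _sign(ts).encode()):
        return "bad-token"
    age = now - int(ts)
    if age < MIN_SECONDS:
        return "too-fast"
    if age > MAX_AGE:
        return "expired"
    return "ok"
```

Logging the rejection reason instead of showing it to the submitter lets you compare spam counts per week, as in the numbers posted above, without telling a bot which check it tripped.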