
Stop Spamming from Contact Form

Participant, Feb 21, 2018

I have a contact form on my site and have started getting spam through it.

I have looked into ways to prevent this and the one that I like is the question and answer to prove you're not a bot.

Here is the code for my Contact Form

<?php
// Set email variables
$email_to = 'nigel_utt@hotmail.co.uk';
$email_subject = 'Form submission';

// Set required fields
$required_fields = array('fullname','email','comment');

// set error messages
$error_messages = array(
    'fullname' => 'Please enter a Name to proceed.',
    'email' => 'Please enter a valid Email Address to continue.',
    'comment' => 'Please enter your Message to continue.'
);

// Set form status
$form_complete = FALSE;

// configure validation array
$validation = array();

// check form submittal
if(!empty($_POST)) {
    // Sanitise POST array
    foreach($_POST as $key => $value) $_POST[$key] = remove_email_injection(trim($value));

    // Loop into required fields and make sure they match our needs
    foreach($required_fields as $field) {
        // the field has been submitted and there is information in it?
        if(!array_key_exists($field, $_POST) || $_POST[$field] == '') {
            array_push($validation, $field);
            continue; // nothing further to check for a missing or empty field
        }

        // validate the email address supplied
        if($field == 'email' && !validate_email_address($_POST[$field])) array_push($validation, $field);
    }

    // basic validation result
    if(count($validation) == 0) {
        // Prepare our content string
        $email_content = 'New Website Comment: ' . "\n\n";

        // simple email content
        foreach($_POST as $key => $value) {
            if($key != 'submit') $email_content .= $key . ': ' . $value . "\n";
        }

        // if validation passed ok then send the email
        mail($email_to, $email_subject, $email_content);

        // Update form switch
        $form_complete = TRUE;
    }
}

// Returns TRUE when $email looks like name@host.tld
function validate_email_address($email = FALSE) {
    return (preg_match('/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', $email))? TRUE : FALSE;
}

// Strips line breaks and mail header names from a submitted value
function remove_email_injection($field = FALSE) {
   return (str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:"), '', $field));
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<!-- Contact Form Designed by James Brand @ dreamweavertutorial.co.uk -->
<!-- Covered under creative commons license - http://dreamweavertutorial.co.uk/permissions/contact-form-permissions.htm -->
    <title>Contact Form</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

    <link href="contact/css/contactform.css" rel="stylesheet" type="text/css" />
    <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/mootools/1.3.0/mootools-yui-compressed.js"></script>
    <script type="text/javascript" src="contact/validation/validation.js"></script>

    <script type="text/javascript">
        var nameError = '<?php echo $error_messages['fullname']; ?>';
        var emailError = '<?php echo $error_messages['email']; ?>';
        var commentError = '<?php echo $error_messages['comment']; ?>';
    </script>
</head>
<body onload="MM_preloadImages('contact.images/x.png')">
<div id="formwrap">
<h2> We appreciate your feedback.</h2>
<div id="form">
<?php if($form_complete === FALSE): ?>
<form action="contact.php" method="post" id="comments_form">
    <div class="row">
    <div class="label">Your Name</div> <!--end .label -->
    <div class="input">
    <!-- submitted values are HTML-escaped before being echoed back into the page -->
    <input type="text" id="fullname" class="detail" name="fullname" value="<?php echo isset($_POST['fullname'])? htmlspecialchars($_POST['fullname'], ENT_QUOTES, 'UTF-8') : ''; ?>"/><?php if(in_array('fullname', $validation)): ?><span class="error"><?php echo $error_messages['fullname']; ?></span><?php endif; ?>
    </div><!-- end .input -->
    <div class="context">e.g. John Smith or Jane Doe</div><!-- end .context -->
    </div><!--end .row -->

    <br>

    <div class="row">
    <div class="label">Your Email Address</div> <!--end .label -->
    <div class="input">
    <input type="text" id="email" class="detail" name="email" value="<?php echo isset($_POST['email'])? htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8') : ''; ?>"/><?php if(in_array('email', $validation)): ?><span class="error"><?php echo $error_messages['email']; ?></span><?php endif; ?>
    </div><!-- end .input -->
    <div class="context">We will never share your details</div><!-- end .context -->
    </div><!--end .row -->

    <br>
    <div class="row">
    <div class="label">Your Message</div> <!--end .label -->
    <div class="iput2">
    <textarea id="comment" name="comment" class="mess"><?php echo isset($_POST['comment'])? htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8') : ''; ?></textarea><?php if(in_array('comment', $validation)): ?><span class="error"><?php echo $error_messages['comment']; ?></span><?php endif; ?>
    </div><!-- end .input -->
    </div><!--end .row -->
    <div class="Submit">
      <p>
        <input type ="submit" id="submit" name="submit" value="Send Message"/>
      </p>

    </div><!-- end .submit -->

    </form>
<?php else: ?>
<p style="font-size:18px; font-family:Verdana, Geneva, sans-serif; font-weight:bold; color:#000; margin-left:25px;">Thank you for your Message!</p>
<script type="text/javascript">
setTimeout ('ourRedirect()', 5000)
function ourRedirect(){
    location.href='index.html'
}
</script>
<?php endif; ?>
</div><!--end of form --></div>
<p> </p>
<p> </p>
</body>
</html>

Can someone please tell me what I need to do and where I need to put the necessary code.

Thanks in advance!


1 Correct answer: LEGEND, Feb 22, 2018 (the security maths question reply, which appears in full later in this thread)

Community Expert, Feb 21, 2018

You are not saying what type of spam that you are getting. Is someone physically filling in the form or is it a spam robot that comes along?

The latter can easily be fixed with reCAPTCHA: Easy on Humans, Hard on Bots

Wappler is the DMXzone-made Dreamweaver replacement and includes the best of their powerful extensions, as well as much more!

Participant, Feb 21, 2018

Not sure. How do I find out?

All I know is I am getting a lot of spam from Russia. Names and emails are being filled in, for example

New Website Comment:

fullname: JamesTob
email: jamesessay@mail.ru
comment: <a href=https://goo.gl/B1NpJo>help me write my essay</a>

LEGEND, Feb 21, 2018

One thing that I have done to cut down on 'bots filling out the form is to use JavaScript to add the form element to the DOM 5 seconds after the page loads.  If the 'bot doesn't see the form immediately, it moves on.

HTH,

^ _ ^

UPDATE:  Another thing that I do is use RegEx to strip all HTML tags out of user input, leaving the content between open/closing tags. 

Participant, Feb 21, 2018

Wolfshade, sorry but I don't understand any of that!

LEGEND, Feb 21, 2018

For the first part, I use JavaScript to run a function five seconds after the page loads (setInterval('myFunction',5000)).  This function creates a form object, adds the fields to it for name and email address and a submit button, then inserts it into the DOM (Document Object Model) so that it appears from nowhere on my webpage.  When 'bots scan your pages, any pages that don't have a form are pretty much ignored.  That's why I delay by 5 seconds - the 'bots don't "see" a form and move on before the form loads.

For the second part, it's called "user input validation and sanitization", and if you are not doing it, you are making things way too easy for any malicious actors who visit your site.  I wrote a ColdFusion function that accepts a string (in this case, an email address or a person's name) and uses RegEx (Regular Expression) to strip out any HTML tags (like <script></script>) as part of the process of sanitizing user input, so that malicious code and redirect links are stopped before the data is processed.

HTH,

^ _ ^

Participant, Feb 22, 2018

Wolfshade, you lost me!

Where would the SetInterval function be placed?

LEGEND, Feb 22, 2018

Use a security maths question that your users must complete. In this instance it's 3 x 4 = ? but you can change it to what you require.

Add another row (see code below) right after your 'Your Message' row and before <div class="Submit">

<div class="row">
<div class="label">Security Question: 3 x 4 = ?</div> <!--end .label -->
<div class="input">
<input type="text" name="alien_attack" class="alien_attack" value="<?php if(!isset($error['alien_attack']) && isset($alien_attack)) {echo htmlspecialchars($alien_attack, ENT_QUOTES, 'UTF-8');} ?>" /><?php if(isset($error['alien_attack'])) {echo $error['alien_attack'];} ?>
</div><!-- end .input -->
</div><!--end .row -->

Add the below php code to the existing php code, directly after:  if(!empty($_POST)) {

// Security check (a missing field is treated as an empty answer)
$alien_attack = isset($_POST['alien_attack']) ? trim($_POST['alien_attack']) : '';
if(empty($alien_attack)) {
$error['alien_attack'] = "Please provide the correct answer";
}
if($alien_attack !== "12") {
$error['alien_attack'] = "Please provide the correct answer";
}

Then change the line of php code below:

// basic validation result
if(count($validation) == 0) {

To this:

// basic validation result
if(count($validation) == 0 && !isset($error['alien_attack'])) {

As a further countermeasure, if the above is having little effect, you could also include a hidden form field which, if filled in by a bot, the php script stops running. Bots usually fill out all the form fields they find.

Add the below directly before <div class="Submit">

<input type="hidden" name="alien" />

Then add the php code below to the existing php code directly after: if(!empty($_POST)) {

// Honeypot: stop the script if the hidden field comes back with a value
$alien = isset($_POST['alien']) ? $_POST['alien'] : '';
if(!empty($alien)) {
exit;
}

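An added example, not part of osgood's answer or the original contact form: the same two checks with the question generated per visitor and its answer kept on the server instead of hard-coded, plus a minimum fill time. The function names, the CSS-hidden `website` text field (used here in place of `type="hidden"`) and the 3-second limit are assumptions.

```php
<?php
// Added example: names, the 'website' field and the 3-second limit are assumptions.
// In the real form, $session would be $_SESSION after session_start().

// Build a fresh question for this visitor; the answer stays on the server.
function spam_challenge(array &$session, int $now): string {
    $a = random_int(2, 9);
    $b = random_int(2, 9);
    $session['answer']   = (string) ($a * $b);
    $session['shown_at'] = $now;
    return "Security Question: $a x $b = ?";
}

// Return the reasons to reject a submission (an empty array means accept).
function spam_check(array $post, array &$session, int $now): array {
    $reasons = array();
    // Honeypot: a text input hidden with CSS, which a human leaves blank.
    if (isset($post['website']) && trim((string) $post['website']) !== '') {
        $reasons[] = 'honeypot filled';
    }
    // The answer must match the one stored for this visitor; it is single-use.
    $expected = isset($session['answer']) ? $session['answer'] : null;
    unset($session['answer']);
    $given = isset($post['alien_attack']) ? trim((string) $post['alien_attack']) : '';
    if ($expected === null || $given !== $expected) {
        $reasons[] = 'wrong or missing answer';
    }
    // A form posted within seconds of being served is unlikely to be typed by a person.
    if (!isset($session['shown_at']) || $now - $session['shown_at'] < 3) {
        $reasons[] = 'submitted too fast';
    }
    return $reasons;
}

// Constructed demo: a bot that fills every field one second after loading...
$session = array();
spam_challenge($session, 1000);
$bot = array('alien_attack' => '12', 'website' => 'http://example.invalid/');
print_r(spam_check($bot, $session, 1001));

// ...and a visitor who answers correctly after twenty seconds.
$session = array();
spam_challenge($session, 1000);
$human = array('alien_attack' => $session['answer'], 'website' => '');
print_r(spam_check($human, $session, 1020));
```
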
Participant, Feb 23, 2018

Thanks osgood, I will give this a try!

Participant, Feb 23, 2018

Osgood, I cannot find

if(!empty($_POST)) {

anywhere.

LEGEND, Feb 23, 2018

nigelh70638339  wrote

Osgood, I cannot find

if(!empty($_POST)) {

anywhere.

About 17 lines down from the top of your code you pasted:

// check form submittal

if(!empty($_POST)) {

Participant, Feb 23, 2018

Thanks osgood! You are a STAR!!!!

Thanks Wolfshade!

LEGEND, Feb 22, 2018

At the bottom of the page, just before the closing </body> tag.

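<script type="text/javascript">
    function myFunction(){
          //code to create form element and populate with elements, then insert into DOM.
          }
    // setTimeout runs myFunction once, 5 seconds after this script is reached;
    // setInterval would call it again every 5 seconds.
    setTimeout(myFunction, 5000);
</script>
</body>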

HTH,

^ _ ^

Participant, Feb 23, 2018

Thanks for that Wolfshade!

Community Expert, Feb 21, 2018

Nothing will stop human spam.  But a simple math problem will stop robots.

Alt-Web Design & Publishing: Responsive Contact Form with Bootstrap 3.2 and PHP (Part 1)

Nancy O'Shea— Product User, Community Expert & Moderator

Participant, Feb 22, 2018

Nancy, I don't use Bootstrap. I plain and simple don't understand it.
