One of the most challenging issues with HTML forms is dealing with spam and form hijacking. That’s why our form to email script generator: Forms To Go, offer many options to prevent unwanted script execution: stopwords, HTTP referer, IP filtering and access code or Captcha.
And one of the most frequently asked pre-sales questions from our customers is how to effectively stop spam from HTML forms. With a minimal effort you can accomplish a 99% efficiency on preventing spammers to use robots to spam your form or trying to perform the well known form hijacking and email injection.
Make sure that your form to email script is not outdated
It’s incredible how many websites are hosting HTML forms with scripts created many years ago. With a continue growth of the internet and more spammers trying to find ways to exploit scripts to send unsolicited email, you should try to keep your form to email scripts updated frequently. Scripts updates are always coming out from different vendors and open source sites, offering enhanced protection that will protect you.
Add some fake elements in your HTML form to distinguish between robots and humans
One common trick had been to add a textarea field and make it invisible to the user. When a robot visits your site and tries to fill all the form’s fields with values, will also fill the invisible field. Then in your form to email script you can stop the script execution if the invisible field has some value.
Example: add an invisible text field to your HTML form with the help of CSS.
<textarea name=”comments” cols=”40″ rows=”12″ style=”display:none;”>
and then validate the field comments in your form to email script: if it contains any value, then it is spam. You can also achieve the same result with a one line text field:
<input type=”text” name=”comments” size=”12″ style=”display:none;”>
but robots love multiline text fields.
In Forms To Go you can validate this field by ‘Number of Characters’ from 0 to 0. So, if the field contains at least 1 character, the error landing page will be shown and the spam won’t be delivered.
You might think that it easy for robots, which are developed by great programmers, to have some intelligence built in and determine if a form field has the invisible attribute set in order to avoid filling it. Yes, it can be, but it is not the common.
If you’re worried about that, then you can perform the inverse approach: create a text field with some content and ask the user to remove it before submitting the form, otherwise it will be considered SPAM.
Example: add this text field to your HTML form:
<input type=”text” name=”removeme” value=”Delete this text or the submission will be considered spam”>
and then in your form to email script perform a validation: if the field removeme contains any characters, then the form was filled by a robot and not a human. With Forms To Go you validate the same way as the previous example.
Are these tips 100% bullet-proof? No, but they can help reduce the spam and when combined with features like Captcha, reduce the spam to almost zero.