Filtering Contact form spam

Several web sites have been getting lots of bogus crap sent in through the web forms lately. After going through them I noticed a few things and put together some filters to try and reduce the amount of spam. While these aren’t perfect by any means, they seem to be helping so far. Due to the web site audiences not always being “computer friendly” I didn’t want to use CAPTCHA as I think it would just prevent more real submissions. Here’s the filters I put in place so far:

  1. Timestamp the form
  2. Validate the first and last name
  3. Check for html/code

I put a very simple timestamp on the submission form that takes the current time and adds one hour. This value is then compared to the actual time on the submission page, if the current time is less than this value, the form is considered valid. This is basically checking that someone isn’t just saving the form and using it repeatedly.

$formexpires = (3600 + idate(U));

I noticed that in almost all of the spam forms, the first and last name used were identical. So this became my second filter. In the example below, I’m converting the strings to all lowercase just in case they start having caps in the future.

if (strtolower($firstname)==strtolower($lastname))
    echo ‘First & Last names are identical, probably spam.’;
    } else {
    echo ‘Name check ok.’;

Last but not least, all the fields are checked for code being submitted. This is common practice in web forms. All I’m doing is comparing the original field with the cleaned field, if they’re the same (meaning no code) then it passes. If there was code removed and they don’t match, it’s probably spam.

$origcomments = $comments;
$comments = strip_tags($comments);

if ($comments==$origcomments)
    echo ‘No code detected in comments.’;
    } else {
    echo ‘Code detected in comments, probably spam.’;

I’m sure there are more elegant things that can be done, I’ll definitely be looking to improve and add onto the filters but this seems to be a good start. One thing I should add is that the actual form page does make use of a JavaScript form checker to be user friendly and help catch the honest mistakes in a user-friendly manner. These are all filters on the actual process page designed to fight spam.

Explore posts in the same categories: Tech

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: