What is web form spam?
Web form spammers usually intend to promote their own websites - by adding backlinks to a comment - or use the form for malicious events like phishing. When you're offering a free whitepaper, for instance, the spammer gets the opportunity to send a phishing link to your mailbox(es). As these links can be harmful to your company, you'd like your webforms protected from these activities.
These types of spamming activities are either done manually or automatically. Manual spamming mostly happens when companies hire people to fill out (all) web forms they can find on the web. They get paid to leave comments or submit contact forms containing backlinks. The goal is to increase traffic to their website, gain ad revenue, or create fake leads for a competitor's sales team. These activities lead to a spoiled comment section, resulting in user churn and bad ROI's.
Automatically filled in forms (spambots) do the same thing, without the effort of manually looking for forms. Setting up a spambot enables a spammer to spam more in less time, supposedly making them more efficient. The thing with spambots, though, is that they are detected quickly.
Helpful tools to detect spambots in web forms
There are numerous tools available to capture spambots and prevent their attempt to spam your web forms. Most of them are WordPress-plugins. If your website runs on WordPress, you can quickly implement tools like Akismet and Project Honeypot, actively battling web form spam. Akismet decides whether someone's input to your web form is considered spam. Project Honeypot uses invisible fields (honeypots) to lure spambots. When a submission contains these hidden elements, you'll know it's a spam submission.
Another trusted tool to prevent web form spam is reCaptcha. After the flopped Captcha-project, Google rebuilt the tool to a more sophisticated technique. It automatically detects abusive traffic on your website but does not invade your user experience (like Captcha did).
Set maximum lengths
As spambots usually carry large messages, setting a maximum amount of characters reduces spam risk. Most forms allow maxlength:(num) to define this maximum length. It requires your other, real-life customers to shorten their comments, which can be annoying. Be aware that some forms need to have longer input sections, and some can live with a shorter one - it's about balance.
Add a quiz element
Though we're not promoting pictures or fun details (for serious businesses), a web form can contain quiz-like fields. As spambots recognize the "email" field as the field where they can leave an email address, it's much harder to recognize and answer a question. The thing to consider here is how hard your question should be. Sure, you don't want spambots to solve it easily, but your visitors should understand it still.
A common practice for spammers (manually and automatically) is the spreading of links. By disabling links in your form, you're preventing your website from malicious backlinks or phishing links. It does, however, also prevent clean links from being placed.
Let web forms require cookies
Another method used to detect and deter spambots is the infamous cookie. With cookies, website owners track their visitors across their website. Spambots, however, do not set cookies. Requiring cookies to fill in a web form thus protects it from these spambots.
Creating invisible fields
PHP methods to stop web form spam
In addition to all the techniques already named, there are some .php-methods you can use to stop your web forms from getting spammed:
- Record data from submissions, allowing you to block notorious IP addresses. Some spambots fire multiple submissions in a short period of time, from the same IP address. Blocking that address makes sure that won't happen again;
- Change the name of your comments.php. Spambots detect these as being the comment section, even if they're not live on your website anymore. Changing the name reduces this risk.
There are multiple ways to defend your web forms from spam. As effective as they can be, you should always be cautious. Making your forms too difficult for your visitors will result in user churn, losing your customers. It's always a matter of balancing between the effort spammers are willing to make versus the effort your visitors want to put in filling in your web forms.