Tuesday, July 10, 2007

How to stop spam bots with FormMail and CSS

Most people who run their own websites have some kind of online form for getting information from a potential client or site visitor. Unfortunately, there is little to stop spammers or spam bots from using these forms too, which means you'll receive an endless stream of information about cheap holidays, medication and porn sites, rather than the enquiries about your products and services that you hoped you'd get.

The more popular and better ranked your site is, the more of these spammers use your contact form. If you're lucky it could just be 20-30 a day; if not, it will be upwards of 100 a day. One of the major causes of so much spam coming through your online form is the form itself. Most people use a ready-made form, and why not? Why pay someone else, or spend the time writing thousands of lines of code for a script yourself, when you can download one for free? Not to mention that custom-written scripts, particularly those that will be the target of countless spammers, have to be very secure. With the free scripts available online you are assured that thousands, if not millions, of people are testing that script and any holes are quickly discovered.


The most popular online form script is FormMail from Matt's Script Archive. Many web hosts offer this free with their hosting packages, some web designers offer it too, and it is available to download in countless locations. The reason for the huge popularity of this script (the site has a PageRank of 7/10) is that it is free, it has been around since 1995 so almost everyone in the industry has heard of it, and it is very simple to use, even for those with little or no knowledge of HTML or Perl.

What isn't generally known is that the script was written by Matt when he was about 16 and still a high school student studying Perl (the programming language that the script is written in), so unfortunately the script was (and still is) full of holes. In fact, even though it is still one of the most widely used form-to-email scripts, the general consensus within the webmaster community is 'Don't Use It!'

A better and easier to use script was made by the nms project. It is generally regarded by the webmaster community as a far more secure script, but it works in a similar way, so there is no need to change all of your online forms. This is the script that is generally used by Horizon Web Development in their online forms. Even though it is quite secure, it still isn't perfect: spammers can still get through by simply filling in your form or by creating an automated 'robot' or spam bot to do it for them.

This is very difficult to guard against as there is no real way for the form to be able to tell a spam bot from a real person, or is there?

The CSS trick

There is a trick to fool spam bots into filling the form out in a particular way so that they give themselves away, without annoying or asking for extra input from potential clients, as a word verification test would do.

It is actually amazingly simple. Just add an extra text field and name it something that a spam bot would most likely be programmed to fill in automatically, such as 'Surname' or 'First Name' or some other variation that you haven't used in your real form, and assign it to the class 'Surname'. Then in your stylesheet simply add the following bit of code:

.Surname {
    visibility: hidden;
}

The 'Surname' field will then be hidden from legitimate users, so they can't accidentally fill it in, but not from spam bots, which will see it as merely another field to fill in on your form and most likely just another space to insert countless porn links.

So simple and yet brilliant, except that that is as far as I managed to get. As I mentioned our web forms use nms FormMail, but unfortunately there aren't any Perl programmers in the Horizon Web Development Team. We tried and failed to guess at how to edit the FormMail script so that it would verify the 'Surname' field and automatically reject any forms that had that field filled in, our knowledge of HTML, CSS and PHP not really coming in handy.

Many, many hours were spent trawling the internet for a solution, but amazingly none of us were able to find one. Even though it is the most widely used FormMail script, there was no solution to be found for Matt's FormMail script either. It was as if the users of these scripts had never needed to verify fields in their forms.

NMS FormMail

Then I struck gold with this thread: http://codingforums.com/showthread.php?t=113863, in which 'rwedge' had revealed the answer. Again it was amazingly simple. Using the nms FormMail script (and I advise anyone that is using Matt's Script to change to this one as it is far easier to set up and much more secure), add this piece of code into the user customisation section:

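# --------------------------
# Place any custom code here

use CGI;

# Reject the submission if the hidden trap field has been filled in.
sub spam {
    my $q = CGI->new;
    my $spamcheck = $q->param('Surname') || '';
    if ($spamcheck ne '') {
        # Send the bot elsewhere and stop before any mail is sent.
        print "Location: http://www.farfaraway.com\n\n";
        exit;
    }
}
spam();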

Then find the section below, lower down in the script, and comment out its first line by adding a # in front of it.

# use CGI;
use POSIX qw(locale_h strftime);
use CGI::NMS::Charset;

'Surname' is of course the name of the trick field that you want the spam bots to fill in, and the Location URL is where you want them to be redirected after your FormMail script rejects them.
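The trap-field decision on its own, as an added example that is not part of the original post or of the nms project: it goes a little beyond the check above by also catching a trap value of "0" and a trap field sent more than once. The names parse_form, is_bot_submission and $TRAP_FIELD are hypothetical, the POST bodies are constructed samples, and treating a whitespace-only value as empty is an assumption of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Name of the hidden trap field; must match the form and the CSS class.
my $TRAP_FIELD = 'Surname';

# Decode one application/x-www-form-urlencoded body into field => [values].
sub parse_form {
    my ($body) = @_;
    my %fields;
    for my $pair (split /[&;]/, $body) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        push @{ $fields{$name} }, $value;
    }
    return \%fields;
}

# Reject when ANY copy of the trap field holds non-whitespace text.
# A test of the form  param('Surname') || ''  reads only the first copy
# and turns the string "0" into '', so both of those cases slip past it.
sub is_bot_submission {
    my ($fields) = @_;
    my $values = $fields->{$TRAP_FIELD} || [];
    return scalar grep { /\S/ } @$values;
}

# Constructed sample POST bodies (not captured traffic).
my @samples = (
    [ 'human, trap left empty' => 'name=Ann&email=ann%40example.com&Surname=&message=Quote+please' ],
    [ 'bot, trap filled'       => 'name=x&email=x%40example.com&Surname=Smith&message=cheap+pills' ],
    [ 'bot, value "0"'         => 'name=x&Surname=0&message=hi' ],
    [ 'trap only whitespace'   => 'name=Bob&Surname=+++&message=Hello' ],
    [ 'trap sent twice'        => 'name=x&Surname=&Surname=spam&message=hi' ],
);

for my $sample (@samples) {
    my ($label, $body) = @$sample;
    my $verdict = is_bot_submission(parse_form($body)) ? 'REJECT' : 'accept';
    printf "%-24s %s\n", $label, $verdict;
}
```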

It was all so simple and yet amazingly effective. I felt that I had no choice but to write something about it so that anyone else searching for a solution won't have to devote hours and hours like we did to find the answer.

No more spam

Since adding that field to our forms and adding the above code to our script we've not had a single spam email via the contact form. If only all other spam could be dealt with so effectively.

Update: This article was written over a year ago and, as yet, still no spam via the contact form!



  • Great solution...thanks!

    Now for a dumb question...

    What's the html code for Surname?
    Is it...

    <input type="text" id="Surname" name="Surname" value="">

    By Anonymous Anonymous, At 4:38 PM  

  • All the code that you'd need for the form would be:

    <input name="Surname" type="text" class="Surname" />

    Then you'd need to add the following to the stylesheet:

    .Surname {
    visibility: hidden;
    }

    This will make your Surname field invisible to all but the Spam bots.

    By Blogger Horizon Web Development, At 6:40 PM  

  • You've done a great service by making this solution known!
    However, in the perl code shown:

    my $spamcheck = q->param('Surname') || '';

    the "greater than" character seems to be html-ized. Should be:

    my $spamcheck = $q->param('Surname') || '';

    Thanks for this solution!

    By Anonymous Anonymous, At 5:59 AM  

  • Thanks for the comment. I wish I could take all the credit but I only came up with half the solution, I got the Perl code from this forum:


    It works brilliantly though. Two months on and since using it I haven't had any spam through the online forms.

    By Blogger Horizon Web Development, At 1:28 PM  

  • Guys

    I'm just trying to implement this and noticed that in the original thread, rwedge said that "...The nms script evokes CGI.pm farther down in the script, find it and comment it out:"

    Did you do this as well as implement the custom code??

    By Anonymous Anonymous, At 4:50 PM  

  • Hello, yes we did comment out the section lower down (just added a # in front of the first):

    # use CGI;
    use POSIX qw(locale_h strftime);
    use CGI::NMS::Charset;

    As well as adding the custom code.

    Not sure what difference it makes to be honest as we never tried it without commenting out that section. But it works perfectly with it commented out.

    By Blogger Horizon Web Development, At 1:37 PM  

  • Thanks anonymous no.2 for pointing that out (and sorry for the late acknowledgement), missed that greater than sign when it was published to the page. Changed it now though.

    By Blogger Horizon Web Development, At 1:44 PM  

  • It seems that the spambots are out for revenge!

    We've had three spam comments today alone so unfortunately have had to enable the annoying word verification thing on comments.

    On the plus side it must mean the article is useful.

    By Blogger Horizon Web Development, At 6:28 PM  

  • Fantastic! I have been searching for this for about a year and have tried all sorts of useless captcha and other devices. This works really well. Only one thing to add; perhaps not a good idea to call your 'name' field in the hidden HTML anything like 'Surname'. If anyone is using AutoFill from the browser or a Google toolbar, it will find the field and populate it.

    Thanks again, really pleased I found this.


    By Anonymous Anonymous, At 3:38 PM  

  • Brilliant - nice one for pursuing a good solution to this. I'm going to use it on all my client's sites.

    I imagine the majority of mail forms must be abused by spamming and most folk will just put their hands up and put up with it.

    By Anonymous Anonymous, At 4:09 PM  

  • Thanks for the comment.

    I agree, many people have unfortunately gotten used to spam and just see it as part of the internet.

    It was great to discover that some spam at least, can be stopped. Six months on and we haven't had any spam via our online forms.

    By Blogger Horizon Web Development, At 5:35 PM  

  • Help. I have researched this subject a lot recently...
    I have a gdform.asp as a formmailer. I have inserted the hidden text field, so now I can identify the spam bots. Your code for blocking those emails uses the codes beginning with use cgi...
    Will this work on an ASP form too? If yes, how do I implement it into my gdform?
    Sorry, I'm a newbie at this...

    By Anonymous Anonymous, At 9:50 PM  

  • Unfortunately using the CGI code in the ASP form won't work.

    We don't work in ASP here so cannot give you any help on altering gdform.asp.

    The only thing that I could suggest is, if your host supports it, using a CGI script instead such as the NMS FormMail mentioned in the post.

    You shouldn't need to alter your form much, if at all.

    Other than that you could try searching for other free ASP formmail scripts that are more adaptable.

    By Blogger Horizon Web Development, At 11:53 PM  

  • I had some trouble implementing the textbox hidden visibility, as your CSS line only appeared to hide the box text... I had to use the following CSS to additionally hide the textbox.
    Works great many thanks...one flaw I could see, is if like me, my clients hit the TAB key to skip across fields and accidentally enter into the hidden field and type something they could be sent to farfaraway.com.

    Thanks again


    By Blogger wwwdesign, At 10:39 AM  


  • Sorry, here is the simple CSS code:

    My class is [.input1].....


    By Blogger wwwdesign, At 10:49 AM  

  • Hi Gaz,

    It depends on how you have set up your input field.

    <input name="Surname" type="text" class="Surname" />

    Here we've given it the class Surname, therefore in the CSS we'd need to set up that class and make it hidden.

    .Surname {
    visibility: hidden;
    }

    Obviously if you have given your field a different class, then you must define this in the stylesheet. You should also remember that your class should only apply to that one field, otherwise all of them will be hidden.

    This isn't explained very well in the article.

    The CSS that you have used:


    Won't hide that box, it will just remove the border and margin around items with the class input1. This may be why you can tab into the box.

    If the box is hidden, you shouldn't be able to tab into it.

    Hope this helps.

    By Blogger Horizon Web Development, At 4:45 PM  

  • You found the answer because you went to the absolute best resource on the internet.

    Codingforums.com is the best of the best. :)

    By Blogger Robert, At 4:38 AM  

  • Hi,

    Thanks for all of the info. It worked like a charm for me for a day and then the spam came pouring in even heavier than before.

    Have you found that it's still working for you?

    Thanks again for the help anyway.

    By Blogger JMD, At 3:53 PM  

  • Thanks for the comment JMD, sorry to hear that it isn't working well for you.

    Have you tried changing the field name? Make sure that it is something that spam bots are likely to fill in. We use name in the normal form and then LastName for the hidden field.

    More than two years on and we haven't had any SPAM through the form.

    By Blogger Horizon Web Development, At 6:59 PM  

  • The solution worked for me also and still does! The Bots are so unadvanced, they cannot infiltrate the simple coding trick.

    One thing I would be interested to know... Is it possible to generate an autoresponse from Formmail to the sender email and how is it possible to do so?!

    By Blogger feelgoodagain, At 5:34 AM  

  • yeah, really good knowledge here on Spam Bots & how to prevent them with FormMail . . it is highly informative tips which has script to give your site form for permission to the spammers . . web 2.0 development company

    By Blogger Natalie, At 5:54 AM  

  • would the following code work :
    input type="text" name="Surname" class="Surname" style="visibility:

    instead of adding

    .Surname {
    visibility: hidden;
    }

    to the stylesheet?

    By Anonymous Anonymous, At 2:37 AM  
