Tuesday, July 10, 2007

How to stop spam bots with FormMail and CSS

Most people who run their own websites have some kind of online form for getting information from a potential client or site visitor. Unfortunately, there is little to stop spammers or spam bots from using these forms too, which means you'll receive an endless stream of information about cheap holidays, medication and porn sites, rather than the enquiries about your products and services that you hoped you'd get.

The more popular and better ranked your site is, the more of these spammers use your contact form. If you're lucky it could be just 20-30 a day; if not, it will be upwards of 100 a day. One of the major causes of so much spam coming through your online form is the form itself. Most people use a ready-made form, and why not? Why pay someone else, or spend the time writing thousands of lines of code for a script yourself, when you can download one for free? Not to mention that custom-written scripts, particularly those that will be the target of countless spammers, have to be very secure. With the free scripts available online you are assured that thousands, if not millions, of people are testing that script and any holes are quickly discovered.


The most popular online form script is FormMail from Matt's Script Archive. Many web hosts offer this free with their hosting packages, some web designers offer it too, and it is available to download in countless locations. The reason for the huge popularity of this script (the site has a PageRank of 7/10) is that it is free, it has been around since 1995 so almost everyone in the industry has heard of it, and it is very simple to use, even for those with little or no knowledge of HTML or Perl.

What isn't generally known is that the script was written by Matt when he was about 16 and still a high school student studying Perl (the programming language that the script is written in), so unfortunately the script was (and still is) full of holes. In fact, even though it is still one of the most widely used form-to-email scripts, the general consensus within the webmaster community is 'Don't Use It!'

A better and easier to use script was made by the nms project. It is generally regarded by the webmaster community as far more secure, but it works in a similar way, so there is no need to change all of your online forms. This is the script that Horizon Web Development generally uses in its online forms. Even though it is quite secure, it still isn't perfect: spammers can still get through by simply filling in your form, or by creating an automated 'robot' or spam bot to do it for them.

This is very difficult to guard against as there is no real way for the form to be able to tell a spam bot from a real person, or is there?

The CSS trick

There is a trick to fool spam bots into filling the form out in a particular way so that they give themselves away, without annoying or asking for extra input from potential clients, as a word verification test would do.

It is actually amazingly simple. Just add an extra text field and name it something that a spam bot would most likely be programmed to fill in automatically, such as 'Surname' or 'First Name' or some other variation that you haven't used in your real form, and assign it to the class 'Surname'. Then in your stylesheet simply add the following bit of code:

.Surname {

visibility: hidden;

}


The 'Surname' field will then be hidden from legitimate users, so they can't accidentally fill it in, but not from spam bots, which will see it as merely another field to fill in on your form and most likely just another space to insert countless porn links.
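
The form markup described above, written out as an added example that is not from the original post. The action path, recipient address and visible field names are assumptions, and the tabindex, autocomplete and aria-hidden attributes are extras that keep keyboard users, browser autofill and screen readers away from the trap field so that real visitors leave it empty.

```html
<!-- Added example: contact form with a hidden trap field.
     The action path and recipient address are placeholders. -->
<style>
  /* Class selector (note the leading dot): applies only to
     elements with class="Surname". visibility: hidden hides the
     field but still reserves its space in the page layout. */
  .Surname {
    visibility: hidden;
  }
</style>

<form method="post" action="/cgi-bin/FormMail.pl">
  <!-- FormMail configuration fields (values are constructed) -->
  <input type="hidden" name="recipient" value="enquiries@example.com">
  <input type="hidden" name="subject" value="Website enquiry">

  <!-- The real fields a visitor fills in -->
  <label>Your name <input type="text" name="realname"></label>
  <label>Your email <input type="text" name="email"></label>
  <label>Message <textarea name="message" rows="6"></textarea></label>

  <!-- Trap field: its name is the one the server-side check reads.
       Real visitors never see or reach it, so it arrives empty;
       a submission with any value here came from a bot. -->
  <div class="Surname" aria-hidden="true">
    <label>Surname
      <input type="text" name="Surname" value=""
             tabindex="-1" autocomplete="off">
    </label>
  </div>

  <input type="submit" value="Send">
</form>
```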

So simple and yet brilliant, except that that is as far as I managed to get. As I mentioned, our web forms use nms FormMail, but unfortunately there aren't any Perl programmers in the Horizon Web Development team. We tried and failed to guess at how to edit the FormMail script so that it would verify the 'Surname' field and automatically reject any forms that had that field filled in; our knowledge of HTML, CSS and PHP did not really come in handy.

Many, many hours were spent trawling the internet for a solution, but amazingly none of us were able to find one. Even though it is the most widely used FormMail script, there was no solution to be found for Matt's FormMail script either. It was as if the users of these scripts had never needed to verify fields in their forms.

NMS FormMail

Then I struck gold! On this site, http://codingforums.com/showthread.php?t=113863, 'rwedge' had revealed the answer. Again it was amazingly simple: using the nms FormMail script (and I advise anyone that is using Matt's script to change to this one, as it is far easier to set up and much more secure), add this piece of code into the user customisation section:

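# --------------------------
# Place any custom code here

use CGI;

# Redirect the request away if the hidden trap field was filled in.
sub spam {
    my $q = CGI->new;
    # 'Surname' is the trap field that real visitors never see.
    my $spamcheck = $q->param('Surname') || '';
    if ($spamcheck ne '') {
        print "Location: http://www.farfaraway.com\n\n";
        exit;    # stop here so the submission is never mailed
    }
}

spam();    # run the check before FormMail handles the submission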

Then find the section below and comment out its first line by adding a # to it.

# use CGI;
use POSIX qw(locale_h strftime);
use CGI::NMS::Charset;

'Surname' is, of course, the name of the trick field that you want the spam bots to fill in, and the Location URL is where you want them to be directed after your FormMail script rejects them.

It was all so simple and yet amazingly effective. I felt that I had no choice but to write something about it so that anyone else searching for a solution won't have to devote hours and hours like we did to find the answer.

No more spam

Since adding that field to our forms and adding the above code to our script we've not had a single spam email via the contact form. If only all other spam could be dealt with so effectively.

Update: This article was written over a year ago and, as yet, still no spam via the contact form!
