Here's what I've found to be very effective (and dead simple):

  1. Put a hidden field on your form. Give it a name like "phone" or something similar/common and put in a default junk value.

  2. Put another regular text input field on your form, but hide it with CSS. Make that one empty. Again, give it a "real" sounding name (first_name, phone_number, whatever).

  3. When the form is posted, verify that the hidden field still has the default value and the field you hid with CSS is still empty.

You're basicly taking advantage of the fact that most spam bots will simply fill in every field in the form in order to avoid failing any required field validation checks. Some might be smart enough to ignore hidden fields, but I've never seen one that was smart enough to ignore fields hidden with CSS.

ETA: To address some comments - Is this a truly "secure" system? no, it certainly isn't. It would be trivially broken by anybody who wanted to specifically target your site. That said, it is still remarkably effective against the automated form spamming bots that most "low value" sites will see.

If you want to stop a determined attacker, you'll need something a bit more invasive. Another poster mentioned Akismet, which is a good option. Re-Captcha would be another. Stopping determined, targeted spammers is hard though. Even Yahoo and Google have a hard time with it.

  • 40
Reply Report
      • 1
    • This is the best solution I've found, but it doesn't protect against "Mechanical Turk" spam where people are paid a few cents for every message they post on a blog article
      • 1
    • +1 Great idea. It would prevent spam from general bots, but would do nothing for someone who wants to specifically spam you. For example, if you have a registration form and don't want auto-generated registrations, this won't help you. Someone just needs to sniff the http traffic through firebug or something similar.
      • 2
    • @The Rook: Security by obscurity isn't bad per se. It can be a useful layer to add a bit more work to an attack, and for low-value applications it may be all that's needed. What's wrong with it is that its effect is very easily overestimated, particularly by the incompetent.
    • @The Rook: The system will take only moments to break, if somebody actually decides to break it. If this is form spam that's just scattered to any website it can find, it's likely to be foiled by this, at least for a while. If anybody looks at the site and thinks "I want to spam this one," this approach is useless.

This kind of validator is cute and quick!


Obviously, you will want to display one of a many possible animal images, and the list should be randomized as well.

I understand it will only work X% of the time, but adding more options to the list will help reduce spam.

  • 12
Reply Report

I have already worked something similar.

  1. When you open a form generate one md5() string and put it in session (for example $_SESSION['captha'])
  2. Your form sould have one hidden field and when you open this form write this data from $_SESSION['captha'] into this hidden field
  3. When you receive this post request compare value in session and value which come with this hidden field. If it is same everithing is ok and vice versa. Of course, after you handle this request just delete variable $_SESSION['captha'].

This work for me.

  • 2
Reply Report

If all you are doing is avoiding spam bots (automated programs that seek <form> tags, fill in all <input> fields, then submit the form), then a simple solution is to do as Paolo said: use JavaScript to add a hidden field. The disadvantage is for people who disable JavaScript.

Feel free to use this:

<form method="post" action="contact.php" id="commentForm">
  <label for="name">Name</label>
  <input type="text" name="name" id="name" maxlength="64" /><br />

  <label for="email">Email</label>
  <input type="text" name="email" id="email" maxlength="320" /><br />

  <label for="message">Message</label>
  <textarea name="message" rows="10" cols="40" id="Message"></textarea><br />

  <label for="human">40 + 2 =</label>
  <input type="text" name="human" id="human" size="10" maxlength="3" /><br />

  <p align="center">
  <input type="submit" name="submit" value="Send" class="submit-button" />

Then place the following as "contact.php" in the same directory:

require_once 'lib/swift_required.php';

// Reason for not contacting.
$reason = 'default';

error_reporting( 0 );
ini_set( 'display_errors', 0 );

function not_contacted() {
  global $reason;

  header( 'Location: error.html' );

function wms_error_handler($errno, $errstr, $errfile, $errline) {
  return true;

function wms_shutdown() {
  if( is_null( $e = error_get_last() ) === false ) {

set_error_handler( "wms_error_handler" );
register_shutdown_function( 'wms_shutdown' );

$name = trim( $_POST["name"] );
$email = trim( $_POST["email"] );
$message = trim( $_POST["message"] );
$human = trim( $_POST["human"] );
$subject = 'FormSpam';
$contacted = false;

if( is_null( $name ) || empty( $name ) ) {
  $reason = 'name';
  $human = false;
else if( is_null( $email ) || empty( $email ) ) {
  $reason = 'email';
  $human = false;
else if( is_null( $message ) || empty( $message ) ) {
  $reason = 'message';
  $human = false;
else if( is_null( $human ) || empty( $human ) || $human !== '42' ) {
  $reason = 'computer';
  $human = false;

if( $human === '42' ) {
  $subject = 'YourCustomSubject - '.$name;

  $transport = Swift_SmtpTransport::newInstance( 'localhost', 25 );
  $mailer = Swift_Mailer::newInstance( $transport );

  $message = stripslashes( $message );

  $message = Swift_Message::newInstance()
    ->setSubject( $subject )
    ->setFrom( array( $email => $name ) )
    ->setTo( array( 'YourEmailAddress' => 'Your Name' ) )
    ->setPriority( 1 )
    ->setBody( $message )

  if( $mailer->send( $message ) ) {
    header( 'Location: contacted.html' );
    $contacted = true;

if( $contacted === false ) {

Should prevent 99% of spam.

I have not added constants, but I'm sure you can figure out where to change the script. I've removed the part where it redirects to different pages depending on what was (or was not) entered by the user (e.g., missing full name, e-mail address, message, and such). If you want a full version of the script, let me know and I'll fix the code to be more new-developer-friendly.

Note the Swift Mailer dependency.

  • 1
Reply Report
      • 1
    • -1 security though obscurity. What exactly are you trying to defend against? You have to better understand the threats you face.
      • 2
    • @Rook. The original post said "getting too much spam". This is a practical solution to spam. Yes, it is trivial to break, but I doubt spammers will waste their time trying to codify a hack to submit information against this site's form. Also, if you would like to suggest some other solutions, in addition to voting everyone down, that would be great.

Yes, I invented and developed a method many years ago called nocaptcha.

I tested employed it in my sites for a year then noticed google also using it.

I released it for Joomla (see http://shop.ekerner.com/index.php/shop/joomla-nocaptcha-detail ) and since it has been copied by many platforms (see https://www.google.com.au/search?q=nocaptcha ).

I believe the git hosted version via the above link can be deployed to any site, and if you cant find a version for your site then perhaps ask my dev team for a custom solution (see: http://www.ekerner.com/ ).

  • 1
Reply Report

Math questions are interesting alternative. You can even write your own simple math checker by using random numbers.

Here are couple of plugins:



  • 0
Reply Report
      • 1
    • Good links, but the kind of math questions that a human can solve, but a computer can't, is very limited to ivory tower maths IMO.
    • Sure but spam bots are not expecting to solve math questions, which is the idea behind. Also about a simple contact form this is enough to restrict the most popular spam bots, since noone will put effort and processing time in spamming small website. Also I liked the idea of showing pictures of animals shown below with the KittenAuth
      • 2
    • Math problems are a temporary solution, since people do improve spambots to defeat common defenses. Also, any system that shows ten animals and asks which is the kitten will be penetrated one-tenth of the time by random chance, and any botnet will have no problem making ten times the probes on a given website.
      • 2
    • @David if you are securing the Pentagon indeed. If you are securing Mr Noone's contact form I don't think so. Solutions are context based.

Depends on the type of form spam, general bots made for spamming any form it finds can easily be foiled by a lot less obstructive measures (like "what is the name of this site?"), but if someone has made a bot targeting your site specifically you will need captchas or something equally annoying.

  • 0
Reply Report

If cutting down spam is the immediate need, putting the form in an iframe has been effective for me.

<iframe src="contactform.php" scrolling="no" height="*"  width="*"></iframe>

Set the frame's height and width a little bigger than your form's width and height. Use CSS to make the frame border 0 so users won't notice they're looking at the form within frame.

  • 0
Reply Report

Warm tip !!!

This article is reproduced from Stack Exchange / Stack Overflow, please click

Trending Tags

Related Questions