Skip to content

Quit Spammin' Me

Contact form spam is not only annoying, it can sometimes be incredibly detrimental to your business. In these article we'll go through a few methods to combat it.

When it comes time to running your own website, one of the more annoying nuisances you can encounter is spam coming at you from your site. You’re fresh and ready for emails to start streaming in from customers eager to do business with you when you get:

"I am love you opinion on webite, could you please advise on this:
<!---insert link to black market Viagra website here --->"

Or worse still, the old:

"Your site is doing terribly and not showing up in Goolge, but we at Spammy & Spamster Web Design can fix it for you"

That last one always makes me laugh. How exactly have they found you? A Google for sites that don’t show up in Google???

What’s to be done about these spammy jerkbots?

You’ll hear some hear some mad advice about these sorts of thing, mad and/or outdated;

  • Don’t put your email address up on your site
  • Don’t have a contact form on your site
  • Use a captcha on a contact form if you must have one

Well, frankly these are some pretty lame solutions. Let's take a look at why.

Don’t put your email address up on your site???

You don’t see it as much nowadays, but every now and then you’ll still see people using myemail(at)mydomain.com as a method to thwart the spambots. Which…well, sure it may work. But you end up looking like a total amateur and completely sacrifice user experience in the process. In this day and age I’m not going to bother retyping it, I’m just moving on.

The smarter fix for this is the javascript replacement method. One of the themes we use has this built in, but you can also DIY it.

The basic idea is this:

The html shows something like myemail*mydomain.com, but the javascript fiddles it so to human eyes it looks like myemail@mydomain.com and the click on the link will also go to that address, but all the spambots will see when they try to scrape your site is myemail*mydomain.com and move quietly on its way.

Don’t have a contact form on your site???/Use a captcha on a contact form if you must have one???

To be honest if your web designer is telling you not to put a contact form on your site because they’re "magnets for spam" I’d question how current their knowledge is.

We use Contact Form 7, a hugely versatile contact form plugin for wordpress.

 

Contact Forms Used by SEO Anseo Ireland Contact Form 7 is a hugely versatile plugin with new addons being created all the time by creative people in the community

 

Out of the box it doesn’t have any spambot jedi mind tricks, but as it’s sort of the industry standard for wordpress contact forms there have been lots of addons built for it.

The one that’s saved us the most headaches? Contact Form 7 Honeypot

What this genius little plugin does is add an input field to your contact form that is invisible to humans but "visible" to spambots. Because they don’t know any better the bots assume they have to put something in that field and BOOM, give themselves away and the attempt will never make it to your inbox.

This is neat and super user-friendly alternative to the ugly as hell, outdated flow-killing captchas.
I’ve never actually abandoned a website because I had to put in a captcha, but I’ve sure though about it (tickemaster, I’m looking at you! Why do I have to put it in 20 times to compare tickets!!!)

Now Googles (relatively) new No CAPTCHA reCAPTCHA on the other had I could get behind a little more. It uses behavioural analysis, so it’s often the case that the customer can verify that they’re not a robot with one simple click.

But for the moment I’m sticking with the Honeypot solution, it’s got zero impact on the customers journey, which is exactly what you want.

The Nuclear Option

 

SEO Anseo block traffic by countries It may not suit everyone to block all traffic for a given country, but if it does it's a great time saver.

 

No method will be fool proof and every now and then something can slip through, in particular human-posted spam can’t be tackled by honeypots or captcha’s of any kind.

Here’s where you’re faced with a big choice and it’s a choice that’s not going to suit everyone, but for us it’s been effective in blocking even the human-posted spam. It’s also pretty good as a method for blocking hacking attempts.

Over the last month or so we got dribs and drabs of spam coming in despite the above blocking methods. They’d come in groups of three, which is probably an indicator of being human in origin (getting more bang for your buck from the low-paid hired spammers)

More than a little annoyed, we took to our Google Analytics to see where this crap was coming from. We needed to look at the unfiltered view to see where all those shady referrals were coming from (stay tuned for our post on setting up Analytics filters, it’s important for getting a handle on where your audience is really coming from).

Sure enough, the hits that lead to the spam were coming from some shady "SEO ranker" type sites, looking for hits back. But the hostnames were correct, so they had actually visited the site and clicked through the form, etc.

The other crucial bit of information we take from the Analytics is the country of origin. Every one of the spam hits came from Russia.

Now luckily for us in this case, we’re a local business (meeting clients for a coffee in town is way cheaper than meeting them for a coffee in Moscow) so we’ve no need to be seen by by clients in Russia.
So, knowing that, we can wholesale block all traffic from that country.

To do this we head over to The IP2 Location Visitor Blocker, select the country we want to block and paste their output into our .htaccess.

I like to use the built in .htaccess editor in Yoast’s SEO Plugin, it’s slightly less tedious than accessing it via ftp. But word to the wise; if you’re not certain about what you’re doing go by ftp and keep a back-up copy of the file, white-screening your website is a very real possibility.

Of course if you do business internationally this will be less of an option for you. You could instead pinpoint the IP addresses of the specific spam and block them one by one.

So there we have it. All the tools and tricks you need to wage war on contact form spam.
Keep up the good fight and don’t let the spammers get you down!

Any other suggestions to fight contact form spam? Any war stories? Let us know below!

Oh yeah, and don't forget...if you need to give us a shout, just scroll a little further down to the contact form!

 

Modern Solution

Nowadays Contact Form 7 has Google ReCaptcha Built in.

 

  1. Set up a Google v3 reCAPTCHA

    Go to https://www.google.com/recaptcha/ to set it up and follow the instructions

  2. Enter your site key and secret key in WPCF7's integration section

    You'll find this at YOURSITE.COM/wp-admin/admin.php?page=wpcf7-integration&service=recaptcha&action=setup

  3. That's it!

    Simple.

  4. Hide reCAPTCHA badge

    Some folks won't want that floating badge on every page of their site. You can hide it with some css
    [code].grecaptcha-badge {
    display: none;
    }[/code]
    Of course you'll have to indicate to your users that you're using reCaptcha.

You are allowed to hide the badge as long as you include the reCAPTCHA
branding visibly in the user flow. Please include the following text:
{% endraw %}

This site is protected by reCAPTCHA and the Google
<a href="https://policies.google.com/privacy">Privacy Policy</a> and
<a href="https://policies.google.com/terms">Terms of Service</a> apply.


- reCAPTCHA FAQ

Alternatively, you could allow the badge to show on your contact form page.

.page-id-YOURCONTACTPAGE-ID .grecaptcha-badge {
display: block;
}{% endraw %}

Anyway, hopefully by now you're well on your way to blocking those pesky spammers.

Have a break and listen to some Tom Petty:

https://www.youtube.com/watch?v=TCFAzPl1QmE