A customer called me saying that they were getting emails from the contact form on their website regularly, and all of them were spam. The messages were like this:
Reference: 65011
Name and surname: Loree
Company: oupJboHYzHQPLIawhe
Phone: 1286843212349
Email:fairplay@vidc.org
Message:?Hey, youÂ’re the goto expert. Tahkns for hanging out here.
The first thing i wonder is, what is the interest to do this? Spamming a person that they do not know who he is. Anyway, the point is that the form had field validation and captcha, but that did not stop the spambot, which continued to send emails through this form.
Since this type of attack is usually done indiscriminately, that is, the spammer is not looking if you put some measure of security to modify his attack script, it can be solved easily.
There are several things that usually work:
- Using hidden fields with CSS: The spambot autofills the fields, and it will try to put the right data depending on the field name (if the field is called "email", writes an email, calling it phone / fax, it writes numbers) to avoid the validation, but if you put a real field hidden by CSS and you check that the field has been filled in, it only could be filled by a spambot.
- As stated above, do not call form fields with common names, by example call the email field as "terminator", and the spambot will not know what type of data use for filling it, so the validation will stop it.
- Write an "human question". You can put one at the end of the form, like "How much is 2 + 2?" and check before sending.
- You can use the Akismet API, which allows you to check if the message to be sent by email is spam or not. As a plugin is very popular among the users of Wordpress, to avoid spam especially in the comments of the posts.
There are many other methods, but the spambots are not so smart.