
October 7th, 2008

Captcha Tips And Tricks Fight SPAM In HTML Forms

As web developers, we have all been there. You hear from a client that they have received many messages from their website form containing random letters that mean nothing to them. You tell the client that those messages are spam and that you will look into it. Unfortunately, it usually takes a few spam messages landing in an inbox before spam blocking is put in place, so the approach is reactive. Your first few forms will be the hardest because you are still learning what spammers are capable of and what they can do. Keep a close watch on these forms in particular, since they can be easy targets for spammers. As you update these forms to fight spam, you will notice that filtering spam is a constant, long-term battle that pits your human mind against the spammer's. Since there is no end-all, be-all algorithm or program that fights spam now and into the future, you must come up with your own methods to fight it.

One popular method you could implement is the use of a CAPTCHA, an image generator that produces a combination of numbers and letters that are somewhat obscured. Spam bots can't read these images, but a human user can. The user types the letters and numbers into an input box and clicks Submit. The form processor compares the entry to the stored value; if they match, the form is sent, otherwise processing stops and the data is discarded. This method has shown some limitations of late. Text readers on browsers, which vision-impaired visitors use, can't read the characters because as text they simply aren't there. Sometimes the obscuring is so severe that it hurts the design of the site. An alternative to the CAPTCHA is a hidden "captcha": an input box that is hidden by CSS. This works on the observation that spam bots love to fill in every field on a form. Human users won't see this box, but a spam bot will. So, in the form processor, check whether this field has a value; if it does, discard all the data and exit the processor.

Other methods are using uncommon field names and disallowing links in text areas. By now, spam bots are programmed to look for input boxes with names like email, phone, name, zip code and address, in forms on pages called contactus.html. Develop a naming convention for your input boxes that only you know and can decipher. For example, instead of "email", use "tr5geil4z". The more characters you use in the names, the harder it is for a spam bot to figure them out. It is also becoming more and more common for spammers to put links to unwanted sites in text areas. In your form processor, check the text area field for URLs, or links. If there are any, discard all the form data and exit the form processor.
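The three checks described above (hidden honeypot field, CAPTCHA comparison, no links in the text area) combined in one form processor, as an added example that is not code from the original post; the field names, the sample submissions and the stored CAPTCHA value are all constructed for illustration.

```python
import re

# Constructed field names: as the post suggests, the live form would use
# obscure names (e.g. "tr5geil4z" instead of "email") that bots cannot guess.
HONEYPOT_FIELD = "hp_x7q2"    # hidden by CSS; a human never fills it in
CAPTCHA_FIELD = "cap_answer"  # what the visitor typed from the image
MESSAGE_FIELD = "msg_k9d3"    # the text area that must not carry links

# Matches http(s):// URLs, bare www. hosts and HTML anchor tags.
URL_RE = re.compile(r"(https?://|www\.|<a\s)", re.IGNORECASE)


def contains_link(text):
    """True if the free-text field carries a URL or an anchor tag."""
    return URL_RE.search(text or "") is not None


def process_form(fields, expected_captcha):
    """Run the three spam checks in the order a form processor would.

    fields: dict of submitted field name -> value (e.g. the POST data).
    expected_captcha: the code stored server-side when the image was made.
    Returns ("accepted", None) or ("rejected", reason); on rejection the
    caller discards the whole submission, as the post recommends.
    """
    # 1. Honeypot: any value in the hidden field means a bot filled it in.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return ("rejected", "honeypot field was filled")
    # 2. CAPTCHA: compare what was typed to the stored value (case-insensitive).
    if fields.get(CAPTCHA_FIELD, "").strip().lower() != expected_captcha.lower():
        return ("rejected", "captcha mismatch")
    # 3. Links in the text area are treated as spam.
    if contains_link(fields.get(MESSAGE_FIELD, "")):
        return ("rejected", "link in message body")
    return ("accepted", None)


# Constructed sample submissions: a human visitor and a bot that filled
# every field, including the hidden one, and dropped a URL in the message.
HUMAN = {CAPTCHA_FIELD: "k7Fq2", MESSAGE_FIELD: "Please call me about a quote."}
BOT = {HONEYPOT_FIELD: "buy now", CAPTCHA_FIELD: "k7Fq2",
       MESSAGE_FIELD: "see http://example.invalid"}

if __name__ == "__main__":
    print(process_form(HUMAN, "k7Fq2"))  # ('accepted', None)
    print(process_form(BOT, "k7Fq2"))    # ('rejected', 'honeypot field was filled')
```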


© 2002-2008 Go ZapIT Interactive