Preventing Spam Form Submissions With CSS and CGI

There are a number of free PHP (and ASP) contact forms and captchas for preventing spam submissions through your contact forms, but what if you don’t have PHP? Or, you just want to stop the spam and not make your human visitors jump through hoops?

The solution I found is to take this anti-spam technique, which uses fake form fields, and combine it with the FormMail CGI script from Matt’s Script Archive. (CGI is available on even the most basic hosting package.)

In the HTML contact form, add a fake textarea field with an obvious name such as ‘comments’ or ‘message’. Rename the genuine field to something less obvious or completely irrelevant, for example ‘wibble’.

Create a CSS class with the rule ‘display: none;’ and apply it to the fake field. This will make it invisible to human users and they won’t be able to enter text into the fake field. However, the spam bots will spider the code, ignore the styles and fill the fake field with the usual links to crappy websites.

All that remains is to test for content in the fake field in the FormMail CGI script to decide if a submitted form is spam and if so, not send it.

To do this, open the FormMail.cgi file in a text editor and find the send_mail function. The whole function needs to be enclosed in an if statement that checks whether the fake ‘comments’ field is empty. The code to accomplish this is:

sub send_mail {

    # Only send email if spam trapping field is empty #
    if ($Form{'comments'} eq '') {

        # ....rest of send_mail function.... #

    # closing bracket for spam if statement #
    }

}

Taking it further

It needn’t be just the comments textarea field that is faked; you can fake any other field in a form and add additional tests to the CGI script to see if they have been spammed.

One potential problem is what happens if the normal human user has disabled stylesheets, is using an old browser that doesn’t support them or is using an alternative stylesheet for accessibility reasons. They could see the fake fields, fill them in and find their mail is not sent. The answer is to put a note next to the field explaining that it is there to detect spam and that it shouldn’t be filled in. (Or you could set the default text in the field to something similar.) Give the text the same class as the fake field and it will disappear when viewed using your default stylesheet.

(You can also make the default size of the fake fields as small as possible to discourage users from filling them in).

Another problem is that the spammers may learn to recognise display: none; and realise that they are filling in hidden fields. However, there is no sign of this yet and if it is found out, there are alternative ways of hiding fields such as large negative indents, which could extend the usefulness of the technique.
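The points above about several fake fields and default text interact with the server-side test: once a fake field carries default text, a plain "is it empty?" check would reject every genuine visitor who leaves it alone. The sketch below is an added example, not part of FormMail or the original post; the 'website' field, the default text and the tripped_trap function are hypothetical names chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical trap fields: name => default text pre-filled in the form.
# An empty default means the field must arrive empty.
my %TRAPS = (
    comments => 'Leave this field as it is (spam trap)',
    website  => '',
);

# Returns the name of the first trap field whose content was changed,
# or undef when every trap is empty or still holds its default text.
sub tripped_trap {
    my ($form) = @_;
    for my $name (sort keys %TRAPS) {
        # A field missing from the request counts as empty, matching the
        # behaviour of the simple eq '' test in send_mail.
        my $value = defined $form->{$name} ? $form->{$name} : '';
        # Browsers submit textareas with CRLF line endings; normalise them
        # and trim surrounding whitespace before comparing.
        $value =~ s/\r\n?/\n/g;
        $value =~ s/^\s+|\s+$//g;
        next if $value eq '' || $value eq $TRAPS{$name};
        return $name;
    }
    return;
}

# Constructed sample submissions; 'wibble' is the genuine message field.
my @samples = (
    { wibble => 'Please call me.', comments => $TRAPS{comments}, website => '' },
    { wibble => 'Hi',              comments => " \r\n",           website => '' },
    { wibble => 'x', comments => 'cheap pills http://spam.example/', website => '' },
    { wibble => 'x', comments => $TRAPS{comments}, website => 'http://spam.example/' },
);

for my $form (@samples) {
    my $trap = tripped_trap($form);
    print defined $trap ? "spam (trap: $trap)\n" : "send mail\n";
}
```

In FormMail.cgi the form data is held in %Form, so the condition wrapped around send_mail would become a test that tripped_trap(\%Form) returns undef.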
