There’s no easy answer. You have a web site with a contact us form, and someone out there uses it for spam. If you’re using Formmail.pl or a similar script you should make sure that the recipient’s email is not passed through http. In other words, hard code the recipient email in the script.
I was using the server’s cgiemail script for some web sites I was managing and all of a sudden, several servers were spamming us big time. I tried blocking their IP addresses in the .htaccess file, but because cgiemail was in the server’s cgi folder and not under my domain, the blocking didn’t work. The solution for me is not full proof, but here’s what I did to cut down the spam by about 99%.
First, I used very obscure names for my form fields. Name, email, subject, etc. are just too obvious. We’ll use these obvious names for the bogus forms to confuse the bots, but use obscure names for the real form.
I created several bogus forms with hidden fields above and below my actual form. This confuses the bots and keeps my inbox spam free. Here’s an example of a bogus form.
<FORM METHOD=”POST” ACTION=”/cgi-bin/cgiemail/bogus.txt”>
<INPUT TYPE=”hidden” NAME=”success” VALUE=”http://www.yourdomain.com/sent.html”>
<input type=”text” name=”realname” style=”display: none;”>
<input type=”text” name=”email” style=”display: none;”>
<input type=”text” name=”subject” style=”display: none;”>
What makes the form bogus? I give a path to bogus.txt but that file doesn’t exist. The bots will not be able to send spam through this form. Also, by using obvious names like realname, email, and subject the bots will likely try to fill out this form and then not look ahead for the real form. Some bots can find more than one form so I put 5 of these before my real form, and 2 after. This confuses the bots and cuts down the spam big time.
By using the style=”display: none;” tag, these forms appear invisible to the user but visible to the bots.
Give it a try! It’s not full proof, but since implementing this plan I’ve received only 1 spam through the forms.