Prevent contact form spam without captcha

If you have a website, chances are you have at least a contact form that lets visitors send you messages. But most of us get hit by spam bots and receive hundreds of enquiries, which are time-consuming to go through, identify and delete. When we launched our website (not this one), we got lots of enquiries saying "nice blog", "nice post" and so on, where it was clearly not a blog. We did not have any captcha protection because we thought captchas are not user friendly: most people don't like typing captchas and are fed up with them. So we had to find a way to prevent these spam messages without using any sort of captcha.

I came across a solution in a forum (can't remember which one) and liked the idea of using a hidden field to prevent spam. I am now going to explain how you could implement the solution (if you need it) to prevent spam. Thus far, it has worked 100% for us, as we have not had any spam messages since.

Step 1: First add a text field to your form like any other text field and give it an id or class so it can be targeted later. In the following case we call it spamkiller. :) You may already know that the name attribute is what the processing script uses to read the submitted value.

<input type="text" name="spamkiller" id="spamkiller" />

Step 2: Hide the field using CSS, JavaScript or jQuery, whichever you prefer, but CSS is the easiest and simplest.

CSS : #spamkiller{display:none;}

JavaScript: document.getElementById('spamkiller').style.display = 'none';

jQuery: $('#spamkiller').hide();

Step 3: Kill the spam. Now the processing script. I am going to explain it using PHP, but the same idea can be implemented in any server-side language. Get the field value using the GET or POST method (depending on which one your form uses). In our case we are using POST, as most forms should.

$spamkillervalue = $_POST['spamkiller'] ?? '';

Now the killing part. Since the field is hidden, visitors to your site can't see it, and therefore the field should be empty. But spam bots are robots, and they tend to fill in all fields because they don't know which ones are required. So if spamkillervalue is not empty, the message must be spam: just ignore it and don't process the script any further. If it is empty, it is most probably a genuine message.




if ($spamkillervalue === '') {
    // Most probably genuine. Process the script: send yourself an email or log the message in a database. Of course, you will be sanitizing the other field values.
} else {
    // Ignore. Don't do anything. You won't know anything.
}


I hope you now have an idea of how it works. Now you can prevent spam without using any captchas and make life easier for you and your visitors.

UPDATE: Some bots are getting clever enough to understand that it’s a trap and leave it alone. Better to use a name which bots are likely to fill such as email, phone etc. And make sure it is unique.
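
The three steps and the update combined into one handler, as an added example that is not the code from the original post. It assumes a trap field named phone2 and real fields named name, email and message (all hypothetical names), and it goes one step beyond the post by also ignoring requests where the trap field is missing altogether, since a browser always submits a CSS-hidden text input as an empty string.

```php
<?php
// Added example, not the original author's code.
// Assumptions: trap field "phone2"; real fields "name", "email", "message".
const TRAP_FIELD = 'phone2';

// Read one form field as a trimmed string; arrays or missing keys become ''.
function text_field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

function is_bot_submission(array $post, string $trap = TRAP_FIELD): bool
{
    // A missing key means the request did not come from the rendered form.
    if (!array_key_exists($trap, $post)) {
        return true;
    }
    // Any content, or a non-string such as phone2[]=x, means the trap was filled.
    return !is_string($post[$trap]) || trim($post[$trap]) !== '';
}

// Returns the cleaned message for a genuine submission, or null to ignore it.
function process_contact(array $post): ?array
{
    if (is_bot_submission($post)) {
        return null; // ignore: nothing is mailed or stored
    }
    $email = filter_var(text_field($post, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    return [
        // No CR/LF in values that may end up in mail headers.
        'name'    => preg_replace('/[\r\n]+/', ' ', text_field($post, 'name')),
        'email'   => $email,
        'message' => text_field($post, 'message'), // escape when displaying
    ];
}

// Constructed sample submissions.
$samples = [
    'human'         => ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hi', 'phone2' => ''],
    'bot fills all' => ['name' => 'x', 'email' => 'x@example.com', 'message' => 'nice blog', 'phone2' => '555-0100'],
    'trap missing'  => ['name' => 'y', 'email' => 'y@example.com', 'message' => 'nice post'],
];
foreach ($samples as $label => $post) {
    echo $label, ': ', process_contact($post) === null ? 'ignored' : 'accepted', PHP_EOL;
}
```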