Contact Form with Professional Spam Protection!


Our contact form has the ability to effectively block spam. By default, the visible spam protection function (security code or question) is deactivated. However, it can be activated at any time. Alternatively, we also offer you 7 other anti-spam functions to effectively ward off unwanted emails.

On this page, you can learn about all the options. (Bad Word Filter / Blacklist, Time-out, Click check, Honeypot, No links (or only x links) allowed, Captcha - Security Code, Captcha - Security Question, DDoS protection through rate limiting, Well-thought-out IP block)

Under Downloads, you will find an overview of the available contact form HTML templates.



  These spam protection options are available:




  1. Bad word filter / blacklist (on/off)

With the bad word filter, you can easily filter out unwanted words, symbols, and numbers. If a user inadvertently types a bad word, a message will warn that a suspicious word has been used. As a standard, you can exclude five word combinations (sex%; pussy%, porn%, %.ru, %.ru/%).

This is how the bad word filter works:
badword
Matches when the message contains the bad word
badword%
Matches when the message includes the bad word AND when a word begins with the bad word
%badword
Matches when message includes the bad word AND when a word ends with the bad word
%badword%
Matches when message includes the bad word AND when a word contains the bad word

If we take the word combinations listed above as an example, it is quite easy to understand: For example, the expression sex% not only excludes the word sex, but also the words sexy or sexuality. (That is, every word that begins with sex). The same applies to pussy%, which would also exclude pussycat. %.ru excludes all domains (or words) that end with .ru. And %.ru/% excludes not only all domains that end with .ru, but also any possible directories.

In conclusion: With these filter tools, you do not have to waste time and effort creating a long list of individual words.

  2. Time-out (on/off)

Spam bots are designed to send email by the bucketloads. The misuse of forms to send such unwanted emails usually happens in a matter of milliseconds. With the time-out option, you can define that the message will only be sent after x seconds. You can set the time (seconds) yourself. The time-out mechanism is a good anti-spam measure, as it prevents unwanted emails from being sent.



  3. Click check (on/off)

Click check has been adapted to the currently available Internet technologies, as browsers are now able to simulate a button click. That means that it is not possible to know whether the browser simulated the click or whether a person actually clicked on a button. Therefore, click check now does not interpret a "click" as a "human action", but a "rollover" with the mouse or tapping the button with the finger on devices with touch screens. That means that as soon as a button is tapped or rolled over, the script knows: This is a person!



  4. Honeypot (on/off)

A honeypot basically is a hidden input field that acts as a spam trap. How it works: Spambots tend to fill out all fields in a form and therefore fall into this trap. As soon as they fill out this field - invisible to the human eye - an error message appears. Even though the honeypot field is invisible, screen readers read it out to people with visual impairments. To ensure accessibility, the form includes a warning note ("Do not enter anything in this field").



The purpose of spambots is to deliver links to dubious websites (gambling, pornography, etc.) With this option, you can forbid "the user" from including links/URLs in the message. You can determine how many links you want to allow.



  6. Captcha - security code (on/off)

The security code is a captcha that generates a combination of four random characters (letters and numbers). However, nowadays there are computer programs able to identify these characters. Still, this form of anti-spam protection has proven to be effective in past years. As with all of the other options, you can deactivate or activate the security code as you prefer.



  7. Captcha - security question (on/off)

The security question is an effective spam protection method as it allows you to ask any question you like. To do so, just AntiSpam.php in an editor (we recommend using Notepad2) and overwrite the default questions and answers. Your answers can also be individual words. Just take care not to make the questions too difficult. The answers should ideally be words with lowercase letters, as the script is case sensitive. Examples of security questions can be found on the FAQ page under the question I am receiving spam through the contact form!?.



  8. DDoS protection through rate limiting (on/off)

With this option, you can limit the number of contact form views per IP address. Typically, 50 views serve as an effective measure to avoid restricting legitimate users.

Why this option is so important: With the help of malicious bots, it is possible to send thousands of requests through a web form. Sending mass emails can, in turn, indirectly lead to a Denial-of-Service (DoS) attack. Once the server is overwhelmed by an email flood, your hosting provider will most likely take your website offline for a while. This potential nightmare scenario can be avoided from the outset with our DDoS protection.

Through a custom-developed login area (rate_limiting/login.php), you can clear the log file at any time via your browser. Alternatively, the log file can be automatically cleared using a cron job. Please contact your hosting provider for assistance with this.

Note: This option should only be used if storing IP addresses is permitted in your country.



  9. Well-thought-out IP block

With our IP blocking, you can permanently exclude spammers!

The IP blocking feature allows for the targeted blocking of the first 3 IP blocks, preventing the attacker from abusing the contact form in the future—even with a changing IP. Of course, this assumes that the spammer repeatedly uses the same IP block. Since spammers typically use the same servers from the Far East repeatedly for sending spam, it is highly likely that the same (or a similar) IP will be used.

If the spammer uses a completely new IP in the future, you can also block the corresponding IP blocks for that IP.



The sender's IP address is displayed in the recipient's email. This makes the IP address immediately visible in case of any spam emails. However, please remember to activate the privacy policy. This ensures that the ordinary user agrees to the transmission of their IP.



This is how IP blocking works:



1. Insert this code into the contact.php file before <!DOCTYPE html>:

<?php $ip = $_SERVER['REMOTE_ADDR']; ?>


Additionally, insert the following code into the contact.php file before "<textarea" (found in the HTML section):

<input type='hidden' name='IPblocking' value="<?php echo $ip; ?>" />

(This input field is invisible.)



2. Add the following word after "message" in the file config.php at "$cfg['Badwordfields']": IPblocking

So it should look like this if you are using the advanced version of the corresponding template:

$cfg['Badwordfields'] = 'title, first_name, name, company, telephone, email, subject, message, IPblocking';


From now on, you can also enter IP addresses into the list of bad words in the file config.php (see: $cfg['Badwordfilter'] = ' ';).

It should look like this if you want to block the fictional IP address 80.456.78.23:

$cfg['Badwordfilter'] = 'sex%, pussy%, porn%, %.ru, %.ru/%, 80.456.78.%';

In this example, all IP addresses starting with 80.456.78. are excluded. The percent sign (%) ensures that any possible digit in the fourth block is considered in the blocklist.