Why am I getting lots of Spam?

Posted by on Oct 16, 2013 in Tips, Troubleshooting

My form is receiving lots of spam emails, what can I do about it?

The different types of spam:

Human spammers – they actually visit your form and fill it out including the CAPTCHA.

Human or spambot probes – these sometimes contain content that does not make any sense (gibberish). Humans or spam bots will try to target any forms that they discover. They first attempt an email header injection attack to use your web form to relay spam emails. This form is designed to prevent relaying email to other addresses. After failing that, they simply submit the form with a spammy URL or black hat SEO text with embedded HTML, hoping someone will be phished or click the link.

Blackhat SEO spammers – looking for blog comment forms, contact forms, Wikis, etc. By using randomly generated unique “words”, they can then do a Google search to find websites where their content has been posted unmoderated. Then they can go back to these websites, identify if the links have been posted without the rel="nofollow" attribute (which would prevent them contributing to Google’s algorithm), and if not they can post whatever spam links they like on those websites, in an effort to boost Google rankings for certain sites. Or worse, use it to post whatever content they want onto those websites, even embedded malware.
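The defence against the nofollow trick is on the rendering side: any visitor-supplied text that is ever shown on a page should have its HTML escaped and any links it carries emitted with rel="nofollow". The following is an added example (not code from the plugin or this post) showing that in Python; the sample comment and the link-count threshold idea are constructed for illustration.

```python
import html
import re

# Constructed sample of the kind of comment a black hat SEO spammer posts: an
# HTML link, a bare URL and a script tag. Hypothetical text, not from the page.
SAMPLE_COMMENT = (
    'Great post! See <a href="http://example.org/buy">cheap stuff</a> '
    'or http://example.net/promo <script>alert(1)</script>'
)

# Bare URLs are recognised by scheme; a match stops at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def render_untrusted_text(text: str) -> str:
    """Render visitor-supplied text for display.

    Every non-URL segment is HTML-escaped, so tags the visitor typed (their own
    <a> and <script> included) show up as literal text. Bare URLs become links
    that carry rel="nofollow", so a posting that slips past moderation still
    gives the spammer no ranking benefit.
    """
    out = []
    pos = 0
    for match in URL_RE.finditer(text):
        out.append(html.escape(text[pos:match.start()], quote=True))
        url = html.escape(match.group(0), quote=True)
        out.append(f'<a href="{url}" rel="nofollow noopener">{url}</a>')
        pos = match.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def count_links(text: str) -> int:
    """Number of bare URLs in a submission; a moderation queue can hold posts above a threshold."""
    return len(URL_RE.findall(text))


if __name__ == "__main__":
    print(render_untrusted_text(SAMPLE_COMMENT))
    print("links:", count_links(SAMPLE_COMMENT))
```

Because escaping happens before the URL is wrapped in an anchor, the spammer's own `<a href=...>` never reaches the browser as markup; only the anchors the site itself generates do, and those always carry the attribute.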

Human CAPTCHA solvers – It is easy and cheap for someone to hire a person to enter this spam. Usually it can be done for about $5 for 1,000 or so form submissions. The spammer gives their ‘employee’ a list of sites and what to paste in, and they go at it. Not all of your spam (and other trash) will be computer generated; using a CAPTCHA proxy or farm, the bad guys can have real people spamming you. A CAPTCHA farm has many cheap laborers (India, the Far East, etc.) solving them. A CAPTCHA proxy is when they use a bot to fetch your CAPTCHA image and serve it to users of other sites, e.g. porn, games, etc. After the CAPTCHA is solved, they use a bot to post spam to your form.

How to stop it?

Enable the Secure Image CAPTCHA – (will not stop human spam or human CAPTCHA solvers) – You can enable this feature for your form on the Security tab of the form edit page.

Enable the Google reCAPTCHA (should be your best option)
01/20/2017 – I have finished a new version 4.0.46 with an option to use the free Google reCAPTCHA. The setting to enable it is on the Security tab of the form edit menu. I even got it working with multiple forms on the same page. I use it on this site right now. Fast Secure Contact Form and reCAPTCHA usage

Enable honeypot spambot trap – (temporarily stops bot attacks) – if the spam bot fills in the hidden honeypot field, it IS SPAM and will be blocked. You can enable this feature for your form on the Security tab of the form edit page. If you use a cache plugin, do not enable this setting. It does not stop humans. Bots could be programmed to bypass it again.
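The two checks described so far, rejecting the email header injection probe and the honeypot trap, are easiest to see side by side in code. This is an added example in Python, not the plugin's own code; the field names, the honeypot field name and the three sample submissions are all constructed for illustration.

```python
import re

# Field names are assumptions for this example; the plugin chooses its own.
HEADER_FIELDS = ("name", "email", "subject")   # values that end up in mail headers
HONEYPOT_FIELD = "fax_number"                  # hidden field a real visitor never sees

CRLF_RE = re.compile(r"[\r\n\x00]")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_header_injection(fields):
    """Return (field, reason) pairs for values that must not be placed in a mail header.

    A line break inside a header value lets the submitter append headers of
    their own (Bcc:, an extra To:, a second Content-Type), which is how a form
    gets turned into a spam relay. Rejecting any CR/LF/NUL closes that door."""
    findings = []
    for name in HEADER_FIELDS:
        value = fields.get(name, "")
        if CRLF_RE.search(value):
            findings.append((name, "line break or NUL in header value"))
    email = fields.get("email", "")
    if email and not EMAIL_RE.match(email):
        findings.append(("email", "not a single plain address"))
    return findings


def honeypot_tripped(fields):
    """True when the hidden field has content: browsers never show it, so only a bot fills it."""
    return bool(fields.get(HONEYPOT_FIELD, "").strip())


def screen_submission(fields):
    """Return ("accept", "") or ("reject", reason) for one form submission."""
    if honeypot_tripped(fields):
        return ("reject", "honeypot field filled")
    hits = find_header_injection(fields)
    if hits:
        return ("reject", "; ".join(f"{field}: {why}" for field, why in hits))
    return ("accept", "")


# Constructed submissions (sample data, not captured traffic).
LEGIT = {"name": "Jane Doe", "email": "jane@example.com",
         "subject": "Question about pricing", "message": "Hi, ...", HONEYPOT_FIELD: ""}
RELAY_PROBE = {"name": "Jane Doe",
               "email": "jane@example.com\r\nBcc: list@example.net",
               "subject": "hello", "message": "test", HONEYPOT_FIELD: ""}
BOT = {"name": "x", "email": "x@example.com", "subject": "x",
       "message": "http://example.org/spam", HONEYPOT_FIELD: "http://example.org/spam"}

if __name__ == "__main__":
    for label, sub in (("legit", LEGIT), ("relay probe", RELAY_PROBE), ("bot", BOT)):
        print(label, screen_submission(sub))
```

The honeypot check runs first because it is the cheapest and needs no parsing; the header check is the one that matters for the relay attempt, since a form that drops any value containing a line break cannot be used to add recipients no matter what the rest of the message says.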

Change the URL of your form – (temporarily stops bot attacks) – This should immediately eliminate all spam sent directly to your form by bot spammers. This may only be temporary if they come back and find it again, or maybe they will not, so it is worth a try.

Filter Spam With Akismet – The Akismet plugin comes pre-installed with WordPress. First you will need to make sure that Akismet is activated using your API key. Once activated, Akismet helps to filter spam comments, but it can also be used with Fast Secure Contact Form to label contact form submissions as “Spam” or block them. Akismet should be able to block most of or all the spam that comes in. You can configure the Akismet action for your form on the Security tab of the form edit page.

Within your WordPress dashboard, hover over Plugins and click on FS Contact Form. Then click on the Security tab and find the checkbox labeled “Check this and click ‘Save Changes’ to determine if your Akismet key is active”; check it, then click Save Changes. You should then see at the top of the page whether or not your Akismet license is active. You can also choose whether to block or keep the messages.

Use correct mail settings for your form – Everyone should make sure to follow these instructions for mail settings on the Basic settings tab of your form setup.

Set the “Return-path address” setting to a real email address on the SAME domain as your web site. This step really is ALWAYS necessary so that mail is properly identified as originating from your server.

Also be sure to check this setting box: “Enable when web host requires ‘Mail From’ strictly tied to site” (don’t skip this important step!). Click “Save Changes”.
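What those two settings amount to, in code, is that the From header and the envelope sender (which becomes Return-Path) both stay on the site's own domain while the visitor's address goes into Reply-To. The following is an added Python example of building such a message, not the plugin's own mail code; the site domain, the mailbox name and the sample visitor are assumptions.

```python
from email.message import EmailMessage
from email.utils import formataddr

# Assumed site identity for this example; use your own domain and a mailbox that exists on it.
SITE_DOMAIN = "example.com"
RETURN_PATH = f"contact-form@{SITE_DOMAIN}"   # real address on the SAME domain as the site


def build_contact_message(visitor_name, visitor_email, subject, body, recipient):
    """Build the notification email so the headers identify your server as the origin.

    From and the envelope sender stay on the site's domain, which is what the
    receiving server's SPF/DMARC checks look at; the visitor's address goes in
    Reply-To so a reply from the mail client still reaches them.
    Note: EmailMessage's default policy refuses header values containing a line
    break, so a header injection attempt raises ValueError here rather than
    producing extra headers."""
    msg = EmailMessage()
    msg["From"] = formataddr((visitor_name, RETURN_PATH))
    msg["Reply-To"] = formataddr((visitor_name, visitor_email))
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(f"Name: {visitor_name}\nEmail: {visitor_email}\n\n{body}")
    return msg


def envelope_sender():
    """Address to hand to SMTP MAIL FROM; it is what ends up in Return-Path."""
    return RETURN_PATH


def header_domain(msg, header):
    """Domain part of an address header, to confirm it is aligned with the site."""
    value = str(msg[header])
    return value.rsplit("@", 1)[1].rstrip(">")


if __name__ == "__main__":
    m = build_contact_message("Jane Doe", "jane@example.org", "Question", "Hello!",
                              "owner@example.com")
    print(m)
    # Sending would be: smtplib.SMTP(host).send_message(m, from_addr=envelope_sender())
```

The check worth automating is the one `header_domain` makes: if the From domain or the envelope sender ever differs from the site's domain, the receiving server has every reason to treat the notification itself as forged.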

Use security plugins that stop bots – The Bad Behavior WordPress plugin prevents spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. There are other plugins that perform this same function, find one that is currently up to date and meets the needs of your site.
