Ask HN: How contact form can be protected from abusing by spammers?

1 points by whatch ↗ HN
I regularly receive a lot of spam and have noticed some pattern. Spammers seem to use publicly available contact forms on random (rather credible) websites. These forms send confirmation message to the specified email on form submission.

Is there a way to protect such publicly available forms from spammers? Is *captcha the only way to do this?

Using something like CSRF token doesn't seem to solve the problem.

3 comments

[ 3.0 ms ] story [ 20.5 ms ] thread
I have had success with a simple hack to the forms. I rename one of the fields (usually the email address) and then add a fake hidden field named "email". If the form gets submitted with something in the fake field the back-end code ignores the form submit.

  <input type="text" name="email" style="display:none;">

  <label>Your email address</label>
  <input type="text" name="fax">
The back-end looks for the real email address in the "fax" field, and silently ignores the form submit if it sees anything in the "email" field.

I don't remember where I saw this trick a few years ago, I didn't think of it myself. It has worked pretty well on multiple sites that have exposed "Contact us" forms.

Interesting solution. Unfortunately, it seems it doesn't play nice with screen readers.
I have this solution in a "contact us" form on an ADA-compliant site. A combination of title and aria-* attributes make it accessible to screen readers, a legal requirement for that web site.