Form or comment spam can be really annoying–and disappointing. You get an email from your website and you optimistically think you’ve landed a new lead, or interest from a prospective client. Opening the message you quickly realize it’s from a spammer or automated bot.
But what if it keeps happening? Once a day, or twice or even worse 50 times? What was once an inconvenience quickly becomes a chore. Your website is meant to be an asset to your business, not a nag. We’ll show you how to eliminate comment spam.
What is Comment Spam?
We’ve all experienced regular email spam. The bad guys get our email address and our inboxes fill up with junk email–sometimes with dangerous or offensive links or images. Comment spam is different: it originates from your own website. The bad guys submit spam through your web forms, and that spam gets through to your inbox. They might take an interest in your web forms for several reasons.
- Because they are probing for vulnerabilities. Spammers are always looking for mail servers they can hijack to send their spam from. They may be able to exploit a poorly written web form script (often PHP scripts and WordPress or Joomla plugins).
- They think they can get their links published on your website. Many comment forms will automatically publish new comments on the web page without approval, which gets the spammer a link to their site. This helps with their search rankings and might get some of your visitors to click the links.
- They hope you’ll click on links in the message. If your form doesn’t automatically publish content to your website, it probably does send an email to someone at your organization for approval or some other kind of action. The spammer hopes you’ll click the links, or not recognize the email as spam and approve it to post on your website.
Most comment and form spam is obviously junk and you’re probably wondering, “who on earth falls for this stuff?” Well, there’s some commercial logic behind all spam:
- Many search engines rely heavily on the number of inbound links to rank web pages, so any spam that makes it onto your website—often in comments or guestbooks—may help the spammer to rank better on search engines.
- Spammers create “bots” (automated web crawlers) that seek out pages with forms and automatically submit their spam, hoping the content gets published.
But this all seems hopeless. There can’t be many websites that allow un-moderated comments to get posted on their site! And those that do must be using some kind of anti-spam filter! Well, spammers are not stupid. They use some very sophisticated and automated systems to take a shotgun approach to spamming. If their system gets just one spam message posted out of a thousand attempts, they have won. The cost of searching for forms and posting their spam is nearly zero, but the cost to you certainly isn’t.
All this comment spam will waste your time with junk form submissions unless you take action to reduce or eliminate the spam. There are a few different ways to prevent comment spam.
Weapon 1: Field validation
It’s amazing how many forms are submitted with no field validation. Hit the submit button and the form gets sent. Adding field validation helps ensure that humans are submitting forms with accurate data by prompting them when they miss something on the form or make a typo. Asking for a phone number but receiving random text instead? Validation will catch that and point out the problem. Asking for a name but getting a link to a web page instead (as many spammers submit)? Point out the problem for the visitor to fix. Fortunately, most bots can’t fix validation problems after they’ve submitted the form, so those emails never get through to your inbox.
Weapon 2: Confirmation page
Confirmation pages let visitors review their submission after they hit submit, but before it’s actually emailed to you. They can review their submission for errors and then hit a final submit button that sends you their data. Humans often appreciate the chance to double-check things, but bots often submit a form and then head off to the next one, never having the chance to confirm anything. This can really reduce your incoming spam, but sometimes visitors are put off by the extra step required to send the form, or they may think their form was submitted already. Some forms work well with confirmation pages, like online orders. Others do not.
Weapon 3: CAPTCHA
A CAPTCHA is a simple test that should be easy for a human but difficult for a computer or bot. A typical CAPTCHA contains some odd looking letters, numbers, or words that you must enter in a box before your form can be submitted. This can really help prevent spam, but it can also frustrate visitors when the CAPTCHA is difficult to read, and can present problems for disabled people using screen readers. Spammers are also getting better at breaking CAPTCHAs.
Weapon 4: Honeypot fields
Honeypot fields add additional form fields that are hidden from humans, but very visible and attractive to bots. If the form is submitted with anything in the honeypot field, the submission is spam and won’t be emailed. This is a very effective way to prevent comment spam when configured correctly on your website.
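The following is an added example (not code from the original article) of how Weapon 1 and Weapon 4 look together in a server-side form handler: the hidden honeypot field name `website`, the field names and the validation patterns are all assumptions for illustration.

```python
import re

# Constructed example, not from the article: a server-side check that
# combines field validation (Weapon 1) with a hidden honeypot field (Weapon 4).
HONEYPOT_FIELD = "website"  # assumed name; rendered hidden via CSS so humans never see it
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()-]{6,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_submission(form):
    """Return (accepted, reasons).

    Reasons are the messages shown to a human so they can fix a typo and
    resubmit. A filled honeypot is rejected without explanation, since only
    a bot filling in every input it finds would have written to that field.
    """
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, ["honeypot"]

    name = form.get("name", "").strip()
    if not name:
        reasons.append("Please enter your name.")
    elif URL_RE.search(name):
        # Spammers often put a web address where a name belongs.
        reasons.append("Your name should not contain a web address.")

    email = form.get("email", "").strip()
    if not EMAIL_RE.match(email):
        reasons.append("Please enter a valid email address.")

    phone = form.get("phone", "").strip()
    if phone and not PHONE_RE.match(phone):
        reasons.append("Please enter a valid phone number.")

    message = form.get("message", "").strip()
    if len(message) < 10:
        reasons.append("Please tell us a bit more in your message.")
    elif len(URL_RE.findall(message)) > 1:
        # Allow one link for humans, but link-stuffed messages are a spam signature.
        reasons.append("Please include at most one link in your message.")

    return (not reasons), reasons
```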
There are some other solutions that may be more difficult to pull off.
- Banning malicious IP addresses. But spammers often change their address frequently.
- Disallowing multiple consecutive submissions. But it can be difficult to reliably detect consecutive submissions.
- Blocking keywords. But some keywords can be used legitimately, and legitimate submissions end up blocked.
- Adding rel="nofollow" to submitted links. Although this helps to keep search engines from crawling the links and boosting the spammers’ search rankings, the email will still be sent to you.
- Disallowing links. This can be part of field validation and be very effective if done correctly. If done wrong, you may block legitimate submissions from coming through.
- Response tokens. Your web server adds a unique token in a hidden form field when the form is first requested. When the form is submitted the server checks to make sure the token exists, hasn’t been used before, and isn’t an old token.
- AJAX posting. This used to work well, but many bots have adapted and can now submit forms using AJAX.
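The response-token idea from the list above, as an added example that is not part of the original article: the server signs a random nonce and an issue time into the hidden field, then on submission checks the signature, the token’s age and that the nonce has not been seen before. The secret, the one-hour lifetime and the in-memory set of used nonces are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed example, not from the article. In production the secret comes
# from configuration and the used-nonce set lives in a shared store with expiry.
SECRET = b"replace-with-a-random-server-side-secret"  # placeholder value
MAX_AGE = 3600                 # seconds a rendered form stays valid
_used_nonces = set()           # nonces already accepted once


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Called when the form page is rendered; the value goes in a hidden field."""
    now = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    return f"{nonce}.{now}.{_sign(f'{nonce}.{now}'.encode())}"


def verify_token(token: str, now=None) -> str:
    """Return 'ok' or the reason the submission should be dropped."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, sig = token.split(".")
        issued = int(issued)
    except ValueError:
        return "malformed"        # bot posted without ever fetching the form
    if not hmac.compare_digest(sig, _sign(f"{nonce}.{issued}".encode())):
        return "bad signature"    # token was not minted by this server
    if now - issued > MAX_AGE or issued > now + 60:
        return "expired"          # stale form, or a forged future timestamp
    if nonce in _used_nonces:
        return "replayed"         # same token submitted a second time
    _used_nonces.add(nonce)
    return "ok"
```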