Unfortunately, spammers have written programs that find forms on the web and automatically fill them out with spam messages. These spam bots target pretty much every form on the web indiscriminately. Their main target appears to be pages that let them post comments touting products and spreading links; contact forms are caught in the crossfire. The following techniques help stop the spam.
Because most contact form spam is aimed at spreading links, an easy way to get rid of it is to disallow all links in messages. The default configuration of Contact Form already rejects HTML and bulletin board style links. Additional configuration can disallow pretty much anything that looks like a link. Note that each entry is a case-insensitive substring match, so the pattern below also rejects messages that merely mention "HTML" or contain "www" as part of an ordinary word; loosen it if that bothers your legitimate senders:
# regular expression => message shown to the sender when it matches
my %disallowed_text = (
"[Hh][Tt][Tt][Pp]|[Hh][Tt][Mm][Ll]|[Ww][Ww][Ww]","Please remove links from your message to continue.",
);
Requiring that users preview their message before sending it thwarts many spam bots, which submit the form once and cannot follow a multi-step preview process. Required preview is now enabled in Contact Form by default.
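One way a required preview step can be made to stop single-request bots, as an added example (not Contact Form's own code, and its preview mechanism is not assumed to work this way): the preview response includes a token computed over the exact fields shown, and the send action is only honoured when that token is presented back. The secret and field names are assumptions for this example.

```python
import hashlib
import hmac

# Assumed per-installation secret; in practice generate it randomly once
# and keep it out of the web root.
SECRET = b"replace-with-a-random-per-site-secret"
FIELDS = ("name", "email", "subject", "message")


def preview_token(fields):
    """HMAC over the previewed fields, so the token is bound to that exact message."""
    canonical = "\x00".join(fields.get(f, "") for f in FIELDS).encode("utf-8")
    return hmac.new(SECRET, canonical, hashlib.sha256).hexdigest()


def handle(request):
    """Process one form submission.

    Returns (status, payload) where status is 'preview', 'sent' or 'rejected'.
    A bot that POSTs straight to action=send never received a token and is
    rejected; a human who previewed first sends the token back unchanged.
    """
    action = request.get("action", "")
    fields = {f: request.get(f, "") for f in FIELDS}
    if action == "preview":
        # Step one: show the message back and embed the token in a hidden input.
        return "preview", {**fields, "token": preview_token(fields)}
    if action == "send":
        # Step two: only accept if the token matches the fields being sent.
        if hmac.compare_digest(request.get("token", ""), preview_token(fields)):
            return "sent", fields
        return "rejected", "Please preview your message before sending it."
    return "rejected", "Unknown action."


# Constructed sample traffic.
BOT_REQUEST = {"action": "send", "name": "x", "email": "x@example.com",
               "subject": "cheap pills", "message": "buy now"}
HUMAN_STEP_1 = {"action": "preview", "name": "Jane", "email": "jane@example.com",
                "subject": "Question", "message": "Do you sell spare parts?"}


def human_flow():
    """Preview, then send with the token from the preview, as a browser would."""
    status, shown = handle(HUMAN_STEP_1)
    assert status == "preview"
    return handle({**shown, "action": "send"})


def tampered_flow():
    """Preview one message, then try to send a different one with the same token."""
    _, shown = handle(HUMAN_STEP_1)
    return handle({**shown, "action": "send", "message": "buy now http://example.com"})


if __name__ == "__main__":
    print(handle(BOT_REQUEST))
    print(human_flow())
    print(tampered_flow())
```

The token must be recomputed from the submitted fields, not looked up from a session, so that editing the message after the preview (the tampered flow above) also forces another preview.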
Most of the spammers that send you messages through your contact form are not targeting your site in particular. Their spam bots are written to work against a large number of sites across the internet, so they are relatively easy to fool. The best way to fool them is to add an extra question to the contact form that the user has to answer to prove that they are human, for example "What fruit starts with the letter 'A'?". Any human can answer "Apple", but the spam bots just aren't that smart. Compare answers case-insensitively and accept the obvious variants, or you will lock out humans along with the bots.
Contact Form also comes with a field that is hidden from users (via a CSS style) and is meant to stay blank. Automated submission robots often try to fill in every field; any submission in which this trap field is non-empty is rejected. The field is created with type "trap" in the contact form configuration. Because the field is hidden rather than absent, give it a name that browser autofill will not recognize, and a label telling anyone who does encounter it (a screen reader user, for instance) to leave it empty.
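The three checks above (the link filter, the human question and the trap field) applied to a submitted form, as an added example rather than Contact Form's own code. Field names, the accepted answers and the second, tighter link pattern are assumptions for this example; the first pattern reproduces the configuration shown earlier as a case-insensitive match, which is what produces the "HTML" false positive demonstrated at the end.

```python
import re

# Regex -> message, in the spirit of the %disallowed_text configuration above.
# Reproduces the page's pattern: a case-insensitive substring match.
DISALLOWED_TEXT = {
    r"http|html|www": "Please remove links from your message to continue.",
}

# Assumed tighter alternative that only matches things that look like links
# (scheme, www. prefix, HTML anchor, or bulletin board [url] tag).
LINK_ONLY = {
    r"https?://|\bwww\.|<a\s|\[url[=\]]": "Please remove links from your message to continue.",
}

HUMAN_QUESTION = "What fruit starts with the letter 'A'?"
# Constructed list of acceptable answers; comparison ignores case and punctuation.
ACCEPTED_ANSWERS = {"apple", "apples", "apricot", "avocado"}

# Assumed name of the CSS-hidden trap field a human never sees.
TRAP_FIELD = "website2"


def normalize_answer(answer):
    """Lower-case and strip everything but letters, so 'Apple ' and 'apple.' both pass."""
    return re.sub(r"[^a-z]", "", answer.lower())


def disallowed_text_errors(text, rules=DISALLOWED_TEXT):
    """Return the messages for every rule whose regex matches somewhere in text."""
    return [msg for pat, msg in rules.items() if re.search(pat, text, re.IGNORECASE)]


def validate_submission(fields, rules=DISALLOWED_TEXT):
    """Return the reasons to reject a submitted form; an empty list means send it."""
    errors = []
    # 1. Trap field: bots that fill every input trip this, humans never see it.
    if fields.get(TRAP_FIELD, "").strip():
        errors.append("Submission rejected.")
    # 2. Human question.
    if normalize_answer(fields.get("human_answer", "")) not in ACCEPTED_ANSWERS:
        errors.append("Please answer the question: " + HUMAN_QUESTION)
    # 3. Link filter over subject and body.
    body = fields.get("subject", "") + "\n" + fields.get("message", "")
    errors.extend(disallowed_text_errors(body, rules))
    return errors


# Constructed sample submissions.
HUMAN = {"name": "Jane", "subject": "Question",
         "message": "Do you sell spare parts?", "human_answer": "Apple "}
BOT = {"name": "x", "subject": "Cheap pills",
       "message": "Buy now http://example.com/pills", "human_answer": "",
       "website2": "http://example.com"}
# A legitimate message that the substring pattern rejects but LINK_ONLY allows.
FALSE_POSITIVE = {"subject": "Newsletter",
                  "message": "I can't read the HTML version of the newsletter",
                  "human_answer": "apple"}

if __name__ == "__main__":
    print(validate_submission(HUMAN))
    print(validate_submission(BOT))
    print(validate_submission(FALSE_POSITIVE))
    print(validate_submission(FALSE_POSITIVE, LINK_ONLY))
```

Run every check rather than stopping at the first failure, so a human who made one mistake sees all of the corrections at once and does not have to resubmit several times.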
Contact Form does not currently support captchas. A captcha usually presents an image of obscured letters that the user has to identify. A captcha would be better at keeping out bots because the challenge is different for every user: a bot written specifically for your site could easily be programmed with the answer to your one fixed question, but would have a much harder time solving captchas. Contact Form does not implement captchas because they would introduce a library dependency and extra configuration that would make the form harder to install. They are also hard for some users, especially blind users, to complete. Furthermore, most contact form spam can be stopped with the tactics described above.
Copyright (C) 2002-2007 Stephen Ostermiller