Unfortunately, spammers have written programs that find forms on the web, and automatically fill them out with spam messages. These spam bots seem to target pretty much all forms on the world wide web indisciminantly. Their main target appears to be pages that allow them to post comments touting products and spreading links. Contact forms are caught in the cross fire. The following are techniques to help stop the spam.
Because most of the contact form spam is aimed at spreading links, any easy way to get rid of it is to disallow all links in messages. The default configuration of contact form does not allow html or bulliten board formatted links already. Additional configuration could be added that would disallow pretty much any links:
$disallowed_text = ( "[Hh][Tt][Tt][Pp]|[Hh][Tt][Mm][Ll]|[Ww][Ww][Ww]","Please remove links from your message to continue.", );
Requiring that users preview their message before sending can thwart many spam bots that are not able to go through the multiple step preview process. Required preview is a feature that is now enabled in Contact Form by default.
Most of the spammers that send you messages through your contact form are not targeted at your site. Their spam bots are written to work with a large number of sites across the internet. As such, they are relatively easy to fool. The best way to fool them is to add an extra question to the contact form that the user has to answer to prove that they are human. Such a question would be "What fruit that starts with the letter 'A'?". All humans should be able to answer "Apple" but the spam bots just aren't that smart.
Contact form comes with a field that is not visible to users (via CSS style) and is designed to be blank. Automated submission robots will often try to fill out all the fields. Doing so will prevent submission when they try to fill in this trap field. This field is created with a type "trap" in the contact form configuration.
Contact Form supports captchas from reCAPTCHA. To use captchas with the contact form: sign up for an account on reCAPTCHA; generate a public and private reCAPTCHA key for your domain; put the keys in the contact form configuration.
Copyright (C) 2002-2020 Stephen Ostermiller