Instead of publishing your email address to a web page, where it can be harvested by spammers, provide a contact form. Filling out the form sends you email without showing your email address to the site visitor (or spammer). To block automated programs from filling out the form, add a CAPTCHA challenge to detect human visitors. Site visitors will still be able to contact you, but spammers will be blocked.
Table of Contents
This article is part of a series on Effective methods to protect email addresses from spammers that compares and tests 50 ways to protect email addresses used by a web site.
How to use a contact form
Spammers use email harvesters (“spam robots” or “spambots”) to scan your web site looking for your email address. The other articles in this series discuss ways to stop harvesters by protecting email addresses published on your site‘s pages. But a problem with all of these methods is that the address is published and visible in some way to site visitors. If it is visible to a legitimate visitor, it is also visible to a spammer. Stopping spammer’s email harvesters will stop a lot of spam, but any human spammer can defeat all of the other address protection schemes by simply reading your address and typing it into a mailing list by hand.
The best way to protect an email address from spammers is to not publish it. To enable visitors to contact you anyway, use a contact form. A web page contact form collects a visitor’s message and email address, and passes these back to the web server. The server itself emails you the message. At no point is your email address visible to the site visitor — or to a spammer or their email harvesters.
Here’s a typical contact form:
If you do not use a content management system, you’ll need to build the HTML form yourself and add a server script (in PHP, ASP, etc.) to respond to the form and send the email message. A web search will find lots of free utilities and sample scripts to create and manage contact forms.
Add a CAPTCHA image challenge
Unfortunately, there are programs used by spammers that can automatically fill out a contact form. To block these programs, but let legitimate visitors through, you can present a challenge that only a human can answer. Called a “CAPTCHA” (Completely Automated Public Turing test to tell Computers and Humans Apart), one type of challenge asks a visitor to read jumbled letters in an image like this:
CAPTCHA’s were invented by Carnegie Mellon University in their CAPTCHA Project. There are lots of free utilities available to create CAPTCHA image challenges. In each case, a script on the web server generates a random image and adds it to the contact form. The visitor fills out the form and types in the letters from the image. When the form is submitted, a script on the server checks that the visitor typed in the right answer. If so, the server sends the email message. If not, the “visitor” might be a spammer program, and the contact form is rejected.
Content management systems, such as Drupal, have free modules to do CAPTCHA challenges. Here's the Drupal contact form with a CAPTCHA image challenge added to the bottom by the Captcha and TextImage modules:
Add a CAPTCHA math challenge
While CAPTCHA images are common, a CAPTCHA can be any challenge that only a human can answer. Another method is a CAPTCHA math challenge in which the visitor is asked to answer a simple math problem. Spammer programs can’t read the math question, so they can’t answer the challenge.
Here’s the Drupal contact form with a CAPTCHA math challenge added to the bottom by the Captcha module:
Unlike in the other articles of this series, these methods were not tested against a set of email harvesters. There are too many ways to create different contact forms and CAPTCHA challenges to create a single meaningful test. Where one contact form may fail, another may succeed in stopping spammers.
Contact forms are widely praised as the solution for protecting email addresses from email harvesters. And they do stop harvesters, but they don’t stop spammers. Spammers can use automated software to enter a contact form message and press the “Send” button. When they do this for a blog or forum comment form, the spammer’s message shows up in the blog or forum as blog spam. But with a contact form, the spammer’s message gets emailed. Worse, it gets emailed by your own web server. Contact forms don’t stop spam, they just shift the way in which it is delivered.
There is software that you can use to scan a contact form’s message and block it from being sent if it looks like spam. See the Akismet service or Bad Behavior, for instance. Many content management systems have modules that use services like these to detect and stop spam messages. I use the Akismet module for Drupal. But no spam filter is perfect. Some spam will still get through.
Adding a CAPTCHA challenge is widely used to stop spammers from posting to web forms. There are many variations on the CAPTCHA method and some may be more effective than others. An image CAPTCHA presumes that an email harvester cannot use optical character recognition (OCR) software to read the image’s characters. The more jumbled the characters, the more likely that this is true. But even jumbled character images can be read with sufficiently clever software and a fast computer (see Breaking a Visual CAPTCHA and PWNtcha - CAPTCHA decoder). A CAPTCHA is probably not effective for protecting a valuable resource, such as a bank account. But for a contact form, it is unlikely that spammers will bother doing OCR just to spam you with one message in a contact form. CAPTCHA methods are a good way to protect contact forms from spammers.
However, contact forms have poor usability. They force the visitor to use a web form to send you email instead of using their familiar email program. Form email doesn’t use their standard email editor and it doesn’t get added to their sent-mail folder. Some visitors will be offended that the contact form asks for the visitor’s email address but won’t show your address. Visitors also may be wary of providing their address to a web site, worrying that they’ll get spam.
CAPTCHA challenges have poor usability as well. The visitor’s intent is to send email to you, not get quizzed. Some visitors will be offended or annoyed. CAPTCHA math challenges also may block kids and adults that don’t have the needed math skills.
CAPTCHA image challenges have poor accessibility too. For the visually impaired, a CAPTCHA image is unreadable. If they can’t enter its jumbled letters into the contact form, they can’t contact you.
Contact forms are complex to set up. Even when a content management system provides built-in modules to generate and validate the form, the web server still has to be configured to send email. For companies and hosting services with IT departments, this is no problem. But for home web sites, this isn’t easy and it may not be possible. The ISPs that serve home users over cable modems or DSL may have usage policies that prevent home email servers, or they may block the network ports used to send email to stop spammers using home computers as email zombies. Also, many email servers use spammer blacklists to block email sent to them from suspicious computers, and many of those blacklists automatically include all home computers. So, even if you set up a home email server and can send email past your ISP’s port blocking, the destination email server may reject the message because it thinks that you are a spammer.
Recommendation: a contact form is an awkward solution that is a bit too paranoid. While it does stop email harvesters, it can also block or offend legitimate visitors. A better balance is needed that maintains reasonable, if not perfect, security for you while also making it easy for your visitors to contact you. The other articles in this series present several effective ways of protecting a published email address from most email harvesters.