When it comes to running your own website, one of the more annoying nuisances you can encounter is spam coming at you from your site. You’re fresh and ready for emails to start streaming in from customers eager to do business with you when you get:
“I am love you opinion on webite, could you please advise on this:
<!—insert link to black market Viagra website here —>”
Or worse still, the old:
“Your site is doing terribly and not showing up in Goolge, but we at Spammy & Spamster Web Design can fix it for you”
That last one always makes me laugh. How exactly have they found you? A Google for sites that don’t show up in Google???
What’s to be done about these spammy jerkbots?
You’ll hear some mad advice about this sort of thing, mad and/or outdated:
- Don’t put your email address up on your site
- Don’t have a contact form on your site
- Use a captcha on a contact form if you must have one
Well, frankly these are some pretty lame solutions. Let’s take a look at why.
Don’t put your email address up on your site???
You don’t see it as much nowadays, but every now and then you’ll still see people using myemail(at)mydomain.com as a method to thwart the spambots. Which…well, sure it may work. But you end up looking like a total amateur and completely sacrifice user experience in the process. In this day and age I’m not going to bother retyping it, I’m just moving on.
The basic idea is this:
Don’t have a contact form on your site???/Use a captcha on a contact form if you must have one???
To be honest if your web designer is telling you not to put a contact form on your site because they’re “magnets for spam” I’d question how current their knowledge is.
We use Contact Form 7, a hugely versatile contact form plugin for WordPress.
Out of the box it doesn’t have any spambot Jedi mind tricks, but as it’s sort of the industry standard for WordPress contact forms there have been lots of add-ons built for it.
The one that’s saved us the most headaches? Contact Form 7 Honeypot
What this genius little plugin does is add an input field to your contact form that is invisible to humans but “visible” to spambots. Because they don’t know any better the bots assume they have to put something in that field and BOOM, give themselves away and the attempt will never make it to your inbox.
This is a neat and super user-friendly alternative to the ugly-as-hell, outdated, flow-killing captchas.
I’ve never actually abandoned a website because I had to put in a captcha, but I’ve sure thought about it (Ticketmaster, I’m looking at you! Why do I have to put it in 20 times to compare tickets!!!)
Now Google’s (relatively) new No CAPTCHA reCAPTCHA, on the other hand, I could get behind a little more. It uses behavioural analysis, so it’s often the case that the customer can verify that they’re not a robot with one simple click.
But for the moment I’m sticking with the Honeypot solution. It’s got zero impact on the customer’s journey, which is exactly what you want.
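The server-side check behind that kind of decoy field, added here as an example: it is plain PHP, not code from Contact Form 7 or the Honeypot add-on, and the field name `company_website` and the sample submissions are made up. Treating a missing decoy field as spam is an extra assumption of this example.

```php
<?php
// Added example: plain PHP, not Contact Form 7 or its Honeypot add-on.
// HONEYPOT_FIELD is a hypothetical name; pick one a bot will want to fill.
const HONEYPOT_FIELD = 'company_website';

// Render the decoy input. It is hidden with CSS rather than type="hidden",
// kept out of the tab order and autofill, and hidden from screen readers,
// so a person never fills it in by accident.
function honeypot_markup(): string
{
    $name = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES);
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Leave this field empty'
         . '<input type="text" name="' . $name . '" value=""'
         . ' tabindex="-1" autocomplete="off"></label></div>';
}

// Classify a submission: 'spam' if the decoy is missing or filled, else 'ok'.
function classify_submission(array $post): string
{
    // Assumption: a browser always sends the empty text input, so a missing
    // field means the POST did not come from the rendered form.
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return 'spam';
    }
    $value = $post[HONEYPOT_FIELD];
    // An array value (company_website[]=x) or any non-blank text is a bot.
    if (!is_string($value) || trim($value) !== '') {
        return 'spam';
    }
    return 'ok';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'       => ['your-name' => 'Ann', 'your-message' => 'Quote please', HONEYPOT_FIELD => ''],
    'form-filler' => ['your-name' => 'x', 'your-message' => 'cheap pills', HONEYPOT_FIELD => 'http://spam.example'],
    'direct POST' => ['your-name' => 'x', 'your-message' => 'SEO offer'],
];

// Print the verdict for each sample: ok, spam, spam.
foreach ($samples as $label => $post) {
    printf("%-12s => %s\n", $label, classify_submission($post));
}
```

In a live handler, return the same success response for both verdicts and simply skip sending the mail for spam, so the sender gets no signal about which field tripped the check.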
The Nuclear Option
No method will be foolproof and every now and then something can slip through. In particular, human-posted spam can’t be tackled by honeypots or captchas of any kind.
Here’s where you’re faced with a big choice and it’s a choice that’s not going to suit everyone, but for us it’s been effective in blocking even the human-posted spam. It’s also pretty good as a method for blocking hacking attempts.
Over the last month or so we got dribs and drabs of spam coming in despite the above blocking methods. They’d come in groups of three, which is probably an indicator of being human in origin (getting more bang for your buck from the low-paid hired spammers).
More than a little annoyed, we took to our Google Analytics to see where this crap was coming from. We needed to look at the unfiltered view to see where all those shady referrals were coming from (stay tuned for our post on setting up Analytics filters, it’s important for getting a handle on where your audience is really coming from).
Sure enough, the hits that led to the spam were coming from some shady “SEO ranker” type sites, looking for hits back. But the hostnames were correct, so they had actually visited the site and clicked through the form, etc.
The other crucial bit of information we took from the Analytics is the country of origin. Every one of the spam hits came from Russia.
Now luckily for us in this case, we’re a local business (meeting clients for a coffee in town is way cheaper than meeting them for a coffee in Moscow) so we’ve no need to be seen by clients in Russia.
So, knowing that, we can wholesale block all traffic from that country.
To do this we head over to The IP2 Location Visitor Blocker, select the country we want to block and paste their output into our .htaccess.
I like to use the built-in .htaccess editor in Yoast’s SEO Plugin; it’s slightly less tedious than accessing it via FTP. But a word to the wise: if you’re not certain about what you’re doing, go by FTP and keep a back-up copy of the file. White-screening your website is a very real possibility.
Of course if you do business internationally this will be less of an option for you. You could instead pinpoint the IP addresses of the specific spam and block them one by one.
So there we have it. All the tools and tricks you need to wage war on contact form spam.
Keep up the good fight and don’t let the spammers get you down!
Any other suggestions to fight contact form spam? Any war stories? Let us know below!
Oh yeah, and don’t forget…if you need to give us a shout, just scroll a little further down to the contact form!