Help, I created a website with a contact form and started receiving 100s of spam emails

The contact form calls a PHP script to send the emails using PHPMailer. I tried reCAPTCHA and a honeypot with no luck. I finally figured out that they were targeting the PHP file directly, so I changed the name of the form and the spam stopped. I checked my logs and see they are now targeting the renamed PHP file. What can I do to stop the spam?

Edit: I tried posting the code but half of it posted as code and the other half had jumbled formatting. The form is just a simple and the PHP file is just a simple script using PHPMailer.

Generate a token when you load the page the form is on, then send that token with your form data when the form is submitted.

If the submitted form data is missing the token or the token doesn’t match what was generated when the page loaded, then you can treat it as spam.

@Zinn
Interesting, I think this may work for me. Thank you, I will try it.

Dru said:
@Zinn
Interesting, I think this may work for me. Thank you, I will try it.

This plus a honeypot field is good enough to stop anything that’s not a dedicated attack.

Dru said:
@Zinn
Interesting, I think this may work for me. Thank you, I will try it.

Search for “Cross-site Request Forgery” (CSRF) for further info about this. Many frameworks have it built in.

@Zinn
Bots would just get the page, scrape the input, and submit to backend. Only real way to fix is to verify captcha result, which isn’t happening here.

Sounds like you’re not really checking the captcha result if people can just bypass the form and call your endpoint directly…?

Nico said:
Sounds like you’re not really checking the captcha result if people can just bypass the form and call your endpoint directly…?

How can I check the captcha results? I am using Google reCAPTCHA v3 and then tried v2.

@Dru
You need to verify it on the server. Verifying the user's response  |  reCAPTCHA  |  Google for Developers
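Pulling Zinn's per-page token, the honeypot field and Bela's server-side check into one PHP handler, as an added example that is not code from this thread or from the original poster. Field names ('form_token', 'website', 'g-recaptcha-response') and the RECAPTCHA_SECRET placeholder are assumptions; the 0.5 score cut-off is Google's documented default for v3.

```php
<?php
// Added example, not the original poster's script: the three checks from this
// thread in one place. Assumed field names: 'form_token', 'website' (honeypot)
// and 'g-recaptcha-response'; RECAPTCHA_SECRET is a placeholder.
session_start();
const RECAPTCHA_SECRET = 'YOUR-SECRET-KEY-HERE';   // keep server-side only

// Call while rendering the page; embed the value in a hidden 'form_token' input.
function issueFormToken(): string {
    return $_SESSION['form_token'] = bin2hex(random_bytes(32));
}

// Ask Google whether the submitted reCAPTCHA response is genuine for our secret.
function recaptchaIsValid(string $response, string $remoteIp): bool {
    if ($response === '') {
        return false;
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['secret'   => RECAPTCHA_SECRET,
                                                    'response' => $response,
                                                    'remoteip' => $remoteIp]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    $r = is_string($body) ? json_decode($body, true) : null;
    // v3 also returns a score; Google's documented default threshold is 0.5.
    return is_array($r) && ($r['success'] ?? false) === true
        && (!isset($r['score']) || $r['score'] >= 0.5);
}

// Null when the submission passes; otherwise the reason to log before dropping it.
function rejectReason(array $post, string $remoteIp): ?string {
    $expected = (string)($_SESSION['form_token'] ?? '');
    unset($_SESSION['form_token']);                          // single use
    if ($expected === '' || !hash_equals($expected, (string)($post['form_token'] ?? ''))) {
        return 'missing or mismatched form token';           // endpoint hit directly
    }
    if (($post['website'] ?? '') !== '') {
        return 'honeypot field was filled in';
    }
    if (!recaptchaIsValid((string)($post['g-recaptcha-response'] ?? ''), $remoteIp)) {
        return 'reCAPTCHA did not verify on the server';
    }
    return null;                                             // safe to hand to PHPMailer
}
```

On a POST, call rejectReason($_POST, $_SERVER['REMOTE_ADDR']) before anything touches PHPMailer and only build the message when it returns null. The token check only stops bots that post straight to the script, which is why the siteverify call remains the real gate.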

Bela said:
@Dru
You need to verify it on the server. Verifying the user's response  |  reCAPTCHA  |  Google for Developers

Ok, I will look into it.

Post the PHP code here so we can see what to modify to help you (don’t forget to delete the part where your email is and put “my email here” instead).

Add an empty hidden form field, if it’s not empty when the form is submitted you know it’s spam.

Hollis said:
Add an empty hidden form field, if it’s not empty when the form is submitted you know it’s spam.

I tried this, and I call it a honeypot. I tested it, and it detected spam when I tested it, but the spam went through when it was live again.

I’ve found that adding some form of cryptographic signature of the data submitted does surprisingly well. Heck… Even submitting with a hash generated from the fields pretty much does it. Obviously that’s easy enough to circumvent, but the average scam submission doesn’t bother with the effort.

I maintain like 18 sites, some of them actually getting decent traffic. Think I got like 2 scam submissions via contact the entire last year… And I think those may actually have been human scammers filling out the forms too.

Look… I know this is trivial to circumvent if you’re actually being targeted, but I just throw in a JWT that contains the origin in the payload. And that in the contact form as some data-* attribute, and add it to the submitted data (header or in body or whatever). On the receiving end, just do the typical token validation on it and reject if it’s missing.

Also, and IDK if this makes any difference, but I’ve switched to contact forms being sent via Slack instead of email. I just think it is more convenient.