Contact Forms and Spam

24 Mar 2015
sell TechnologyWebsites
Contact Forms and Spam

Most of us have got into the habit of checking our emails at least once a day. It's become ubiquitous as a convenient and simple, fast method of communication, and a staple part of many businesses. One of the most annoying things to come along with emails, though, is spam. Generally, for a personal email address, the amount of spam you receive can be mitigated by taking care to never post it publicly, and avoiding using it in connection with websites that you don't trust. But what about business addresses displayed on your company site? And why is simply posting your email address on a publicly visible website inviting spam?

The reason that any publicly visible address will sooner or later end up on a spam list is a type of program called a bot. Bots (short for 'robots', though these are simply programs) aren't inherently bad - google uses them all the time (theirs are referred to as spiders, traversing the 'web') in order to create their search catalogue. But there are lots of malicious kinds of bots, and some are dedicated to harvesting email addresses.

These bots can be entirely automated, finding sites and traversing their source code and harvesting anything that matches the basic pattern of an email address (specifically looking for @ and . symbols). They can also look specifically for links that open an email (when you hover over a link and it begins with 'mailto'), and collect the target email, so even using a link that says "Click here to email" is not safe. These harvested addresses are then added to a spam list, and the spam will begin to arrive. 

So what can you do about it? The simplest option is to put a contact form on your site, and not display your email address anywhere. You'll see this on quite a few sites, and because the email address is stored on the server, it's not available to bots. This isn't the most user-friendly option, though; some people just prefer to use their emails. You can also use the words [at] and [dot] instead of the actual symbols, but this just becomes annoying to your users, who will need to copy and paste the link into their mail program and add the symbols themselves. Many bots also look for this sort of simple disguise. A slightly better method of disguising is to use a site like, which will turn your email address into something that looks more normal.

The user will then be able to see a perfectly normal link to a perfectly normal email address, but bots, being often quite simple, won't decode this string. A few bots may, though, and in the future, more will be capable of decoding this string, so it's not the best option. 

Another option is to display the email address in an image, since bots aren't nearly complex enough to read text from an image. However, this is even more frustrating than using [at] and [dot], because the user won't be able to copy even part of the address. The best option for concealing an email address is to add it after the page has loaded with javascript, since bots go straight to the source code without executing javascript. This can even be combined with the above html entities protected link for an added level of concealment. Make sure you also include a contact form with this method, though, for users who do not have javascript enabled, as they will not be able to see this address.

So what about spam received directly from your contact form? There are also bots designed to seek out the <form> html element, and fill it in with a spam message. The most common way of avoiding this is usually to have a captcha - a little image of confused text that is meant to be legible to a human eye, but unreadable by an image-reading bot. There are many variations on this - some require you to answer a simple question, some play a sound - but most of them simply add another step, and can sometimes be quite difficult for human readers to discern as well.

A possible alternative to these is to add a hidden field to the form which won't be seen by a human user, but will still be visible to a bot. The bot then fills in this field automatically (as they generally do with all forms, in case a field is required), where a human will leave it blank. All you need to do is only forward messages to the email address if this field has remained blank, and you'll filter out the majority of automatic bots.

So those are just a few ways to avoid bots without inconveniencing your visitors. The reality is, though, that bot creators will continue to develop new bots to get around these measures, and we'll continue to find new ways to prevent them. Spam is something that is unlikely to go away as along as we have the internet, but there are certainly steps we can take to minimise its impact without having too much impact on our users' experience.