Contact Form Honeypots

On my portfolio page I have a form to send me an email—not exactly a new thing to do on the Internet. I’m sure many of you have built a similar form at some point in your life.

If you have ever had one of these contact forms, you’ve probably also realized that they are a very convenient tool for spammers to reach your inbox. Within a few hours of adding my contact form I was already getting some unsolicited messages about cheap pharmaceuticals, and since the messages were being sent from an SMTP server I had configured myself, they went right past my spam filter.

Since I’d rather keep these messages from getting to my inbox, I decided to brainstorm some ways to stop the spam.

In order to provide some kind of effective defense we will have to make a few assumptions:

Assumption 1: A spammer is likely using automated tools to fill in and submit our form.

Given this, the first defense mechanism that comes to mind is a CAPTCHA. These are the de facto tool for determining whether the visitor on your site is a human or a robot, so one would surely stop the automated submissions.

But, as anyone who has used the Internet in the last 10 years can tell you, CAPTCHAs are a real pain in the butt for those human users. Aside from being extremely annoying to read, they are also a total eyesore.

I think we can do better.
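The title gives away the alternative. As an added illustration that is not the post's own code, the block below shows the kind of check Assumption 1 makes possible: a form field that human visitors never see and therefore leave blank, which an automated form filler populates along with everything else. The field name `contact_extra`, the handler names and the sample submissions are made up for this example.

```python
"""Minimal honeypot check for a contact form (added example, not the page's own code)."""

# Hypothetical field name. Chosen so browser autofill is unlikely to populate it;
# a trap named "email" or "phone" could be filled in by a real visitor's browser
# and produce false positives.
HONEYPOT_FIELD = "contact_extra"

# Constructed HTML fragment showing how the trap is rendered. It is hidden with CSS
# rather than type="hidden": many form-filling bots skip hidden inputs but happily
# fill text inputs. tabindex="-1" and aria-hidden keep it away from keyboard and
# screen-reader users; autocomplete="off" discourages browser autofill.
HONEYPOT_HTML = (
    '<div style="position:absolute;left:-10000px" aria-hidden="true">'
    f'<label for="{HONEYPOT_FIELD}">Leave this field empty</label>'
    f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
    'tabindex="-1" autocomplete="off">'
    '</div>'
)


def is_honeypot_tripped(form: dict) -> bool:
    """Return True when the trap field was filled in.

    A missing field counts as untouched: a bot that only posts the fields it
    knows about has not tripped the trap, and a human never sees the field at
    all. Whitespace-only values are treated as untouched as well.
    """
    value = form.get(HONEYPOT_FIELD)
    if value is None:
        return False
    if isinstance(value, (list, tuple)):  # some frameworks hand back multi-valued params
        value = "".join(str(v) for v in value)
    return str(value).strip() != ""


def handle_contact_submission(form: dict) -> dict:
    """Decide what to do with a POSTed form; returns a summary instead of sending mail."""
    if is_honeypot_tripped(form):
        # Answer exactly as for a genuine submission so the bot gets no signal that
        # it was detected; just quietly skip sending the email.
        return {"status": "ok", "sent": False, "reason": "honeypot"}
    required = ("name", "email", "message")
    missing = [f for f in required if not str(form.get(f, "")).strip()]
    if missing:
        return {"status": "error", "sent": False, "reason": "missing " + ",".join(missing)}
    return {"status": "ok", "sent": True, "reason": None}


# Constructed sample submissions: a human leaves the trap alone, a bot fills everything.
HUMAN = {"name": "Ada", "email": "ada@example.com", "message": "Hi!"}
BOT = {"name": "Ada", "email": "ada@example.com", "message": "cheap pills",
       HONEYPOT_FIELD: "http://spam.example"}

if __name__ == "__main__":
    print(handle_contact_submission(HUMAN))
    print(handle_contact_submission(BOT))
```

The design choice worth noting is that a tripped honeypot returns the same success response as a real submission. Returning an error tells the spammer's tooling which field to leave blank next time; silently dropping the message does not.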