Many TYPO3 websites use contact forms to receive messages from their users, offer customer support, accept orders or similar. Spam submitted through these forms, so-called form spam, has recently become a new challenge.
Form spam by spam bots
Unfortunately, not only humans fill out contact forms. So-called bots, i.e. more or less intelligent scripts, also find contact forms and fill them out automatically. Until now this could be fended off quite well with simple spam protection mechanisms, first and foremost the so-called honeypot. A form contains an input field that is invisible to a normal user (the honeypot). If this field is filled in when the form is submitted, it can be assumed that the form was filled in not by a human but by an automated spam script, and no mail is sent. Honeypot spam protection is the standard spam protection method for all forms created with the TYPO3 form framework EXT:form. The form extension Powermail (EXT:powermail) also uses a honeypot, but has additional methods to detect spam entries; if you switch off these additional methods, you are also exposed to form spam.
Unfortunately, spam bots have become more intelligent in the meantime: they recognise this honeypot technique and no longer fill in the invisible field. As a result, spam messages arrive at your e-mail address via the contact forms on your website. The whole thing gets even worse if the contact form also sends a copy of the message to the person filling it out. Then a spam bot can send spam not only to the recipient of the form, but also to any other e-mail address, by triggering the form en masse with many different e-mail addresses. In the worst case, your own mail server can be blocked by the web hosting provider because of the repeated sending of spam, or placed on spam blacklists, after which the company can no longer receive or send e-mails at all.
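To make the honeypot mechanism and its limitation concrete, here is an added example of a server-side honeypot check. It is not code from TYPO3 EXT:form or EXT:powermail; the field names and the sample submissions are constructed for illustration. It goes one step beyond the description above by also treating a submission that omits the hidden field entirely as suspicious, since a browser always submits an empty text input, whereas a script that builds its own request may leave it out. The last sample shows the case described above: a bot that simply leaves the field empty passes the check, which is why a stronger method is needed.

```python
"""Server-side honeypot check for a contact form (added illustration)."""
from enum import Enum

# Name of the text input that is rendered but hidden from humans via CSS.
# Constructed for this example; a real form would choose a less obvious name.
HONEYPOT_FIELD = "website_url"
REQUIRED_FIELDS = ("name", "email", "message")


class Verdict(Enum):
    HUMAN = "human"                # honeypot present and empty
    BOT_FILLED = "bot_filled"      # honeypot carried a value
    BOT_STRIPPED = "bot_stripped"  # honeypot missing from the request
    INVALID = "invalid"            # a required field is missing or blank


def classify_submission(form: dict) -> Verdict:
    """Classify a POSTed form (dict of field name -> submitted string).

    A browser submits every text input, so for a real user the hidden field
    arrives as an empty string. A non-empty value means a script filled in a
    field it could not see; a missing key means the request was not built
    from the rendered form at all.
    """
    if any(not form.get(field, "").strip() for field in REQUIRED_FIELDS):
        return Verdict.INVALID
    if HONEYPOT_FIELD not in form:
        return Verdict.BOT_STRIPPED
    if form[HONEYPOT_FIELD].strip():
        return Verdict.BOT_FILLED
    return Verdict.HUMAN


def should_send_mail(form: dict) -> bool:
    """Only a submission classified as human triggers the outgoing mail."""
    return classify_submission(form) is Verdict.HUMAN


# Constructed sample submissions (not real traffic).
SAMPLE_SUBMISSIONS = {
    "human": {"name": "A. User", "email": "user@example.com",
              "message": "Question about your product", HONEYPOT_FIELD: ""},
    "naive_bot": {"name": "x", "email": "bot@spam.example",
                  "message": "buy now", HONEYPOT_FIELD: "http://spam.example"},
    "stripped_bot": {"name": "x", "email": "bot@spam.example",
                     "message": "buy now"},
    # A honeypot-aware bot leaves the field empty and is indistinguishable
    # from a human by this check alone.
    "honeypot_aware_bot": {"name": "x", "email": "victim@example.org",
                           "message": "buy now", HONEYPOT_FIELD: ""},
}

if __name__ == "__main__":
    for label, submission in SAMPLE_SUBMISSIONS.items():
        print(f"{label:20s} -> {classify_submission(submission).value}")
```

The check must live on the server; hiding the field with CSS only affects what a human sees, and a script never loads the stylesheet. Logging the non-human verdicts separately from ordinary validation errors is useful for spotting when a form starts to be hit en masse.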
We therefore recommend proactively implementing better spam protection in your contact forms. What spam protection methods are there? Here are a few examples:
This method requires the user to read characters from an image and type them in before the form can be sent. It does not rely on external services and is privacy-friendly, but may frustrate some users.
Google ReCaptcha / hCaptcha
Both Google and hCaptcha (if you prefer not to use Google services) offer form spam protection that tries to detect whether the current form filler is a human or a spam bot. In case of doubt, the human must prove that he or she is not a bot, for example by recognising objects in pictures. These services are usually free but not entirely privacy-friendly, and the method can also frustrate some users.
This service is somewhat more intelligent: the user usually does not have to do anything, because it is determined automatically whether a human or a spam bot is filling in the form, and after a short moment the contact form can be sent. Although this is very user-friendly, it is not entirely data-protection-friendly and is also no longer free above a low level of use.
We will be happy to advise you on this topic. Avoid spam today and secure the function of your email inboxes!
Contact us!