Circle City Communities

Stopping spam sent to a 'Contact Me' page

If you haven't got PHP installed on your server, I'm sorry, but I can't help you!

You've got PHP? Great, read on.

The traditional way of stopping automated spam is a CAPTCHA image (Completely Automated Public Turing test to tell Computers and Humans Apart). You'll have seen these on sites where you get a distorted image of letters and digits that you have to type in to prove you are human. The technique below does without one: it turns away the simple scripts that post straight at a contact form's handler. It is a filter for crude bots, not a replacement for a CAPTCHA against someone who targets your site specifically.

Before we start, it's NOT a good idea to call your page 'Contact Me' or to have those words anywhere in the page, including the title, because spammers search engines for exactly that phrase to find forms. If you've already named it that and spammers have found you, their program will probably be sending you spam every hour, 24/7, and it's driving you crazy. As you don't want your contact page to be indexed, list it in your robots.txt so search engines stop showing it. Bear in mind that robots.txt is only advisory: well-behaved crawlers obey it, spam bots ignore it, and it publishes the path to anyone who reads the file, so a <meta name="robots" content="noindex"> tag in the page itself is the more reliable way to keep it out of the index.

So what is sending all this spam? It's a program running on a computer, with your contact page's address in its list, that runs 24/7 constantly accessing every site on that list. The list will no doubt hold hundreds of thousands of addresses. The spammers aren't visiting your site themselves; it's just their computer. Once they have locked on to your site, don't think that you can simply rename the page and they will go away. They won't, and you'll just make them try harder. I have experienced this first hand.

Let's get going and stop this automaton in its tracks:

  1. Rename your existing 'Contact Me' page (the one that holds the form) to post.php (or anything else that you prefer).
  2. Then create a new page called contact.php (or whatever the original contact page was called), so that the address everyone already has still works.
  3. Put the following PHP code into the new contact.php exactly as shown, with nothing at all before the opening <?php tag.

<?php
if ($_POST || $_GET) {
    // A plain visit to this page carries no form data and no query string;
    // anything else is a script posting at the old address.
    echo "I'm sorry, your request was refused as it contained unaccepted data.";
} else {
    session_start();
    // Both values live server-side in the session; post.php checks that
    // they are present, which is only the case after this redirect.
    $_SESSION['index'] = $index = mt_rand();
    $_SESSION['token'] = md5($index);
    header('Location: post.php');
    exit; // nothing after a redirect header should keep running
}
?>

Don't forget that these pages must have the file extension .php, unless you have configured the server (for example through your .htaccess file) to run .html files through PHP. It doesn't matter if you're not familiar with PHP, so here's a quick explanation. contact.php refuses any request that arrives with GET or POST data. Otherwise it starts a session, stores a random number and the MD5 hash of that number in the session, and redirects the visitor to post.php. The visitor's browser carries the session cookie along with that redirect, which is what post.php looks for.

So what if they access your new post.php page directly, which they will certainly try?
post.php checks that the session values set by contact.php are present and consistent:

<?php
session_start();
// Without the session that contact.php creates, these keys do not exist at
// all; test for them first so a direct hit does not just raise warnings.
if (!isset($_SESSION['index'], $_SESSION['token'])
    || $_SESSION['token'] !== md5($_SESSION['index'])) {
    echo "I'm sorry, but direct access to this file is not permitted.";
    exit;
}
// The rest of your Contact Page code goes here
?>

Be clear about what the two session variables prove. Both are held server-side in the session; a bot never sees either of them, so checking that the second is the MD5 of the first adds no strength over simply checking that the first is set. What the check really establishes is that the visitor holds a session cookie that contact.php issued. A script that posts straight at post.php without one is turned away, but a bot that follows the redirect and keeps cookies (most HTTP libraries do this by default) gets past it. Do not underestimate these guys, as they are very intelligent. Shame they don't put it to good use. Note that no characters, spaces or blank lines may precede the <?php tag, or PHP has already started sending the page and can no longer send the session cookie or the Location header (you'll see a 'headers already sent' warning instead).
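The following is an added example of my own, not code from the page above, that keeps the same two-file layout but ties each submission to the form that was actually rendered. The form page stores a random token in the session and also embeds it in a hidden field; the handler accepts only a POST that echoes that token back, uses it once, and additionally rejects submissions that fill a hidden honeypot field or arrive within a few seconds of the form being shown. The field names (token, website, name, email, message) and the 3-second threshold are choices made for this example, and it needs PHP 7.1 or later. Save the two parts as separate files, with nothing before each opening <?php tag:

```php
<?php
// ===== contact.php: renders the form (added example, not the page's code) =====
session_start();

// A fresh random token per rendered form; random_bytes() needs PHP 7 or later.
$token = bin2hex(random_bytes(32));
$_SESSION['form_token'] = $token;
$_SESSION['form_shown'] = time();          // used for the minimum-fill-time check
?>
<form method="post" action="post.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <!-- Honeypot: invisible to people, filled by bots that complete every field.
       The field name 'website' is an arbitrary choice for this example. -->
  <div style="display:none" aria-hidden="true">
    <input type="text" name="website" value="" tabindex="-1" autocomplete="off">
  </div>
  <input type="text" name="name"> <input type="email" name="email">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>

<?php
// ===== post.php: validates the submission before doing anything with it =====
session_start();

/**
 * Returns null when the submission is acceptable, otherwise a short reason
 * (for your own log, never for the sender). The token is consumed on every
 * call, so a second or replayed submit with the same token is refused.
 */
function validate_submission(array $post, array &$session, int $now): ?string
{
    $expected = $session['form_token'] ?? null;
    $shown    = $session['form_shown'] ?? 0;
    unset($session['form_token'], $session['form_shown']);   // single use

    $given = $post['token'] ?? '';
    if ($expected === null || !is_string($given) || !hash_equals($expected, $given)) {
        return 'missing or wrong token';   // direct POST, or the form was never rendered
    }
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';          // a human never sees that field
    }
    if ($now - $shown < 3) {
        return 'submitted too fast';       // rendered and posted within 3 seconds
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || ($reason = validate_submission($_POST, $_SESSION, time())) !== null) {
    http_response_code(403);
    error_log('contact form refused: ' . ($reason ?? 'not a POST'));
    echo "I'm sorry, your request was refused.";
    exit;
}
// The submission passed the checks: build and send the mail here.
```

Unlike the session-only check, a bot now has to fetch the form, keep the cookie and read the hidden field back out before its POST is accepted, so a script that posts straight at post.php, or one that follows the redirect with a cookie jar but sends pre-loaded form data, is refused. A bot written to parse the form still gets through the token check, which is what the honeypot and timing checks are for, and a targeted attacker will adapt to those too; rate limiting per client address and, if it comes to it, a CAPTCHA remain the fallbacks. As the page advises, the refusal message gives the sender nothing to react to, and the reason goes only to the server log.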

So now, if contact.php is accessed with any variables included, it gives a polite message and stops. If post.php is called directly rather than via contact.php, it also gives a polite message and stops. DO NOT annoy the spammer with a message like "Get Lost!" or they will try to bring your site down. This I know from experience.

You could also send them a '404 Not Found' status instead (http_response_code(404) in PHP, before any output), which I have tried. The only snag is that they will hunt all over your website looking for the page (even though it's actually there) and swamp your server error logs.

If you would like to include this information on your website, feel free to do so. A link back to this site would be very nice. Copy the text, but please don't hotlink to here and pull the content from this server, as I have enough trouble with high bandwidth usage already. Thanks.