How can I stop spam from my form?

Published: Monday, 04 May 2015 13:49
Spam form submissions are a fact of life and we all have to deal with them as best we can. Unfortunately, some of the most persistent spammers are also very skilful at avoiding the blocks that we put in their way, and there is a continuing battle of wits.
In this article I'll look at some of the most common forms of spam and suggest ways that you can block them in ChronoForms.

Accidental submissions

These aren't too common but can be irritating. There are two common causes:

The user accidentally submits the form when it is partly completed.

The main prevention here is to use Client Side Validation - the JavaScript validation that is built into ChronoForms. This will stop most 'normal' users from submitting a form if any required fields are missing or have the 'wrong kind' of entry in them.

Client Side Validation is there to help the user complete the form correctly - it is easily by-passed by turning JavaScript off and you cannot rely on it to validate the form data that is actually submitted.

The user submits the form more than once.

This happens most often if the form submission is slow and the user can't see that anything is happening so clicks the Submit button again - just to make sure. Often this is because the form included file uploads that take time to complete.
ChronoForms has two ways to prevent this:
The FAQ "How do I show a 'loading' message when the form submits?" shows you how to give the user feedback that something is happening, and also to disable the submit button once the submission has started.
I also have a custom Anti-Flood [GH] action for CFv4, or the similar Submit Limit action in CFv5, which will block any repeated attempts to re-submit the form for a specific period - usually 60 seconds or so is enough.

Empty form submissions

If you get emails which just show the input names in curly brackets like {input_text_1} then the form is being submitted with all the inputs empty. This may be by a lazy or troublesome user but is more likely to be a spambot or robot crawling links.

If these come at regular intervals (the same time each day or week), then it may be that you have some kind of 'hack scanner' set up on your site that is triggering the emails.

To block the lazy user you should add at least a simple Client Side validation check - one required input should stop this source.
This will not block spambots or robots which typically have JavaScript disabled and so will never see the Client Side Validation.
You have several choices here. ChronoForms offers three different serverside Anti-Spam protections: Captcha, ReCaptcha and Security Questions. All of these use captcha checks that are visible to the user and so can (and will) be by-passed by a human spammer or by a sophisticated spambot.

Important: if you use one of the Anti-Spam actions you *must* add an Event Loop action to the pink On Fail event of the Check action. Without this it will do nothing!

You can also easily implement a HoneyPot spam check that is invisible to human users but effective in blocking bots.
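
A sketch of the HoneyPot check combined with the empty-submission check described in this section. This is an added example, not ChronoForms code or the author's; the trap field name website_url and the list of visible inputs are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example, not ChronoForms code. HONEYPOT_FIELD and the visible field
// names are assumptions; use the names from your own form.
//
// The trap is an ordinary text input hidden from people with CSS, e.g.
//   <div class="hp"><input type="text" name="website_url" value=""
//        tabindex="-1" autocomplete="off"></div>     .hp { display: none; }

const HONEYPOT_FIELD = 'website_url';

// Classify a submission as 'bot', 'empty' or 'ok'.
function classify_submission(array $data, array $visible_fields)
{
    // People never see the trap input, so any value in it came from a script.
    $trap = isset($data[HONEYPOT_FIELD]) ? $data[HONEYPOT_FIELD] : '';
    if (!is_string($trap) || trim($trap) !== '') {
        return 'bot';
    }
    // Every visible input blank: the form was posted without being filled in,
    // which is what produces emails full of {input_text_1} placeholders.
    foreach ($visible_fields as $name) {
        $value = isset($data[$name]) ? $data[$name] : '';
        $filled = is_array($value) ? count($value) > 0 : trim((string) $value) !== '';
        if ($filled) {
            return 'ok';
        }
    }
    return 'empty';
}

// Constructed sample submissions.
$fields  = array('input_text_1', 'email', 'message');
$samples = array(
    'human'   => array('input_text_1' => 'Ann', 'email' => 'ann@example.com',
                       'message' => 'Hello', 'website_url' => ''),
    'spambot' => array('input_text_1' => 'x', 'email' => 'x@example.com',
                       'message' => 'buy now', 'website_url' => 'http://spam.example'),
    'crawler' => array(), // the action URL requested directly, nothing posted
);
foreach ($samples as $label => $post) {
    printf("%-8s => %s\n", $label, classify_submission($post, $fields));
}
```

Only the 'ok' result should go on to the email and save actions; this check runs on the server, so it still works when JavaScript is disabled.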

Duplicated emails

If you are getting more than one copy of each email with only the first one having the form data please check the IP address on the later copies. In one case we saw an IP address in the block which belongs to Google and we suspect that the case was a Google+ link button on the same page as the form. In this case Serverside validation should prevent the extra submission.

Submissions from crawler bots

We've seen a small number of cases where a crawler bot with an IP address like IP owned by generates empty emails. We think that the bot finds the 'action' URLs of the forms in the page and 'clicks' on them directly. Here's the 'help' from their site:

These IPs belong to - our crawler just goes all over the internet to gather info for our analytics tools which is widely used by webmasters. We never aimed at causing any inconvenience or overload to your site. If we do, you may block our bot following instructions from

Submissions from specific IP addresses

You can block IP addresses using a Custom Code action with code like this:
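<?php
$banned_ips = array( '192.0.2.10', '198.51.100.25' ); // placeholder addresses: list the IPs you want to block
$ip_address = JRequest::getString( 'REMOTE_ADDR', '', 'server' );
if ( in_array($ip_address, $banned_ips) ) {
  exit; // the original body is not shown on this page; this placeholder simply stops processing the request
}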
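
The exact-match check above only catches single addresses, while crawlers usually arrive from a block of addresses. The following added example (not ChronoForms code or the author's) goes further and matches IPv4 and IPv6 CIDR ranges; the function names and the placeholder ranges are assumptions.

```php
<?php
// Added example, not ChronoForms code. The ranges are documentation
// placeholders (RFC 5737 / RFC 3849); replace them with the ones you block.
$banned_ranges = array('192.0.2.10', '198.51.100.0/24', '2001:db8::/32');

// True if $ip lies inside $cidr; a bare address means an exact match.
function ip_in_cidr($ip, $cidr)
{
    $parts = explode('/', $cidr, 2);
    $net   = @inet_pton($parts[0]);
    $addr  = @inet_pton($ip);
    if ($net === false || $addr === false || strlen($net) !== strlen($addr)) {
        return false; // unparsable input, or IPv4 compared with IPv6
    }
    $max_bits = strlen($net) * 8;
    if (isset($parts[1]) && !preg_match('/^\d{1,3}$/', $parts[1])) {
        return false; // a malformed prefix must not silently become "/0"
    }
    $bits = isset($parts[1]) ? (int) $parts[1] : $max_bits;
    if ($bits > $max_bits) {
        return false;
    }
    $full = intdiv($bits, 8); // whole bytes covered by the prefix
    $rest = $bits % 8;        // leftover bits in the following byte
    if (strncmp($net, $addr, $full) !== 0) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($net[$full]) & $mask) === (ord($addr[$full]) & $mask);
}

function is_banned($ip, array $ranges)
{
    foreach ($ranges as $range) {
        if (ip_in_cidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Constructed sample addresses.
foreach (array('192.0.2.10', '192.0.2.11', '198.51.100.77', '2001:db8::1') as $ip) {
    echo $ip, ' => ', is_banned($ip, $banned_ranges) ? 'blocked' : 'allowed', "\n";
}
```

The check is only as good as the address it is given: if the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, not the visitor's.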

Random text submissions

These submissions usually contain more or less random text strings, sometimes with a URL included in the middle. The same kind of Anti-Spam checks will be as effective here.

False entries

These are submissions where the content is more or less correct but for some reason or other is a 'false' or 'fake' submission. These are harder to filter and there is a risk of blocking 'good' submissions by mistake.
The solution here is to use careful Client Side (to help the client) and Server Side validation.

Malicious entries

These are submissions that are intended to damage your site in some way. Fortunately they are very rare unless your site has a high profile.
In addition to the precautions above you need to use Custom Serverside validation to validate and to sanitise all the submitted data. In particular you should use the PHP Sanitise Filters (which are mostly available as Joomla! methods) to remove any doubtful content from text inputs. These will strip out anything that looks like a MySQL query or risky HTML before the data is processed by the other ChronoForms actions.
You should also make sure that the Security Token setting is On in the Show HTML action (it is by default) and use a Check Token action - from the Security Group - in the On Submit action. This verifies that the person submitting the form is the same as the one who loaded it and protects against exploits that make use of other users' open browser sessions. See Cross Site Scripting [Wikipedia]
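
One way to write the custom serverside validation and sanitising step described above, using PHP's own filter functions. This is an added example, not ChronoForms code or the author's; the field names, limits and the sample submission are assumptions.

```php
<?php
// Added example, not ChronoForms code. Field names and limits are assumptions.

// Return the field as a trimmed string; arrays and missing fields become ''.
function field(array $data, $name)
{
    $value = isset($data[$name]) ? $data[$name] : '';
    return is_string($value) ? trim($value) : '';
}

function validate_submission(array $data)
{
    $clean  = array();
    $errors = array();

    // Plain-text name: drop tags and control characters, then check length.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags(field($data, 'name')));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name';
    }
    $clean['name'] = $name;

    // Email: validate the format, never try to repair a bad address.
    $email = filter_var(field($data, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }
    $clean['email'] = (string) $email;

    // Quantity: a whole number inside the range the form allows.
    $qty = filter_var(field($data, 'quantity'), FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 99)));
    if ($qty === false) {
        $errors[] = 'quantity';
    }
    $clean['quantity'] = (int) $qty;

    // Message: remove markup, keep line breaks, cap the size.
    $clean['message'] = substr(strip_tags(field($data, 'message')), 0, 2000);

    return array('clean' => $clean, 'errors' => $errors);
}

// Constructed sample submission.
print_r(validate_submission(array(
    'name'     => 'Ann <script>alert(1)</script>',
    'email'    => 'ann@@example.com',
    'quantity' => '3; DROP TABLE x',
    'message'  => "Hello <a href=\"http://spam.example\">click</a>\nthere",
)));
```

Pass only the 'clean' values on to later actions, and treat a non-empty 'errors' list as a failed submission.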