Spam protection is a topic that pops up once in a while when developing imprint pages and contact forms for our customers' websites. Should we publish an email address at all? Should we offer a contact form as an alternative? How to protect our customers from spam without losing a single legitimate contact request?
Missing Best Practice for Spam Protection
There doesn't seem to be a best practice for any of those questions, and there is still a lot of spam getting sent by bots and real human beings. And I fear that it will increase with artificial "intelligence" (AI) getting smarter.
IONOS (1&1), a popular web hoster, has a quite comprehensive (German) post on the state of spam protection on websites, discussing pros and cons of every possible technique, like obfuscating email addresses (bad for accessibility and no protection against scrapers using real browsers) or using different variations of CAPTCHA challenges in contact forms (bad for accessibility and privacy and no protection against real people manually writing spam mails from regular computers or smartphones).
There are a lot of posts and tutorials about this topic, but I didn't find anything worth linking here. Sorry.
Popular Practice for WordPress Sites
A popular practice for WordPress sites, as far as I found out by researching tutorials, looking at actual websites, and asking coworkers:
- do or don't show an actual email address
- use Contact Form 7 (wpcf7) to render a contact form
- use Flamingo to store incoming contact requests
- use Akismet for spam protection
- configure Contact Form 7 for Akismet integration
- use Google's reCAPTCHA for additional spam protection, unless you care about privacy
Findings
I replicated the setup described above.
Should we publish an email address at all?
I already have several actual email addresses publicly available on various websites, and I haven't been getting a lot of email spam recently. Most incoming mails are received, inspected, and filtered by GMX, who do quite a good job, but there are some occasional mistakes in both directions: spam in my inbox, and legitimate messages in my junk folder.
Should we publish an email address at all? Should we offer a contact form as an alternative?
I added a contact form on a personal weblog that doesn't get a lot of traffic. I even added a disclaimer that it's a test form and submitting any message via that form might get your data submitted to anti-spam services.
Attracting Old-Fashioned Business Proposals
My contact form attracted a lot of what I would consider spam, but of a harmless kind. No malware, no harassment, no sexual or medical topics, just honest business proposals and advertisements for services and products in a traditional style like people might use when writing an actual business letter on paper.
Most spammers provide a fake email address that seems to belong to the domain hosting the contact form. None of those email addresses exists. None of those messages have been flagged as spam by Akismet yet.
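As an added example (not code from this post, nor from Contact Form 7, Akismet or Flamingo), here is a small Python heuristic built on exactly that observation: a submission whose sender address claims the form's own domain is flagged for manual review unless the mailbox is one the site actually operates. The site host, the known-mailbox list and the submissions are constructed sample values; wiring the check into a form plugin's spam hook is assumed rather than shown.

```python
# Added example, not code from the post or from any of the plugins it names.
# Flags contact-form submissions whose sender address claims the site's own
# domain, the pattern described above, and runs offline over constructed data.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Deliberately loose syntax check: we only need the part after "@" to look like
# a hostname with at least one dot. Anything else is treated as suspect.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


@dataclass(frozen=True)
class Submission:
    sender_email: str
    message: str


def registrable_domain(host: str) -> str:
    """Collapse subdomains to the last two labels, so 'mail.example.org' and
    'www.example.org' both become 'example.org'. Naive on purpose: there is no
    public-suffix list, so 'shop.example.co.uk' would collapse to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of a syntactically plausible address."""
    match = EMAIL_RE.match(address.strip())
    return match.group(1).lower() if match else None


def check_submission(sub: Submission, site_host: str,
                     known_mailboxes: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (is_suspect, reason).

    A sender claiming the form's own domain is suspect unless the address is
    one of the mailboxes the site really runs (known_mailboxes, an assumed
    allowlist maintained by the site owner).
    """
    domain = sender_domain(sub.sender_email)
    if domain is None:
        return True, "malformed sender address"
    if registrable_domain(domain) != registrable_domain(site_host):
        return False, "sender domain differs from site domain"
    if sub.sender_email.strip().lower() in {m.lower() for m in known_mailboxes}:
        return False, "sender is a known local mailbox"
    return True, f"sender claims site domain {domain} but the mailbox is unknown"


def triage(subs: Iterable[Submission], site_host: str,
           known_mailboxes: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return [(sender_email, reason)] for every suspect submission."""
    suspects = []
    for sub in subs:
        is_suspect, reason = check_submission(sub, site_host, known_mailboxes)
        if is_suspect:
            suspects.append((sub.sender_email, reason))
    return suspects


# Constructed sample data: the form lives on www.example.org and the owner
# operates exactly one mailbox there.
SITE_HOST = "www.example.org"
KNOWN_MAILBOXES = {"info@example.org"}
SAMPLE_SUBMISSIONS = [
    Submission("sales@example.org", "We offer premium SEO services ..."),
    Submission("partner@MAIL.EXAMPLE.ORG", "Business proposal for your company"),
    Submission("info@example.org", "Test submission from the site owner"),
    Submission("jane@example.net", "Hi, I have a question about your post"),
    Submission("not-an-address", "Buy now!!!"),
]

if __name__ == "__main__":
    for email, reason in triage(SAMPLE_SUBMISSIONS, SITE_HOST, KNOWN_MAILBOXES):
        print(f"SUSPECT {email}: {reason}")
```

Two design choices matter here. The check only marks a message for review instead of dropping it, which keeps the false-positive risk discussed in this post visible rather than silent, and the known-mailbox allowlist stops the site owner's own test submissions from being flagged. The two-label domain collapse is intentionally simple; sites under a country-code second-level domain would need a public-suffix list instead.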
Conclusion: 100% Failure
Conclusion: 100% failure, no best practice yet. So where is the technological progress everyone seems so excited about?
Top comments (3)
Another option that is also terrible for accessibility, but commonly done, is to show the email address as an image. Essentially the email address itself becomes the captcha.
My variation of this, that I haven't seen before, so I don't know if others do it too, is to use an empty <div> and use the background-image CSS property to insert a Base64-encoded image of the email address. Inserting with CSS keeps it out of the DOM, so automated scrapers won't even know there might be an image of an email address. Obviously doesn't stop manual spammers. Horrible for accessibility though.
Akismet, Contact Form 7, and Flamingo look like a practical and popular combination, but then users will have to check possible spam for false positives manually in wp-admin to be sure not to miss any legitimate inbound message. I started to code another WordPress plugin to add that missing feature.
github.com/openmindculture/wp-cont...
Here are some more details, challenges and solutions like how to ensure event role and permissions in a scheduled cron callback:
WP schedule event role and permissions
Ingo Steinke ・ Oct 4
You can use an email-to-link tool to hide your email address behind a captcha and stop email harvesting from your website: veilmail.io