Contact form with Captcha being Spammed


Not sure if anyone knows a simple answer to this, but a website I look after for a customer has a Quick Contact PHP form on the home page that the customer wanted, just in case people were too busy to go to the proper contact page and fill out the full request/estimate form.

Spammers have found a way to bypass the Captcha code and are sending emails about buying Viagra, etc as per the norm. I know there is reCaptcha, but I’d like to stick with the current system, as besides the spam issue, customers like it and it works.

I’ve tried changing the text box validation to reject any message over 76 characters, but I’ve got one come through that was only 64 characters long. Can anyone else think of a way of adding say a checkbox and having it validated using PHP at all, as apparently this is something that might stop BOTS? Or any other suggestions as a way around this at all?



I’m not a PHP person, but I did a google search for similar queries. The one in the link below covered a bunch of ideas that you might be able to benefit from.


Thanks for that Tom. It needs a bit of reading, but the gist of it makes some sense. Cheers!


in very simple terms, if a computer creates it, another computer can crack it given the desire to do so

It’s a balance of user experience, make it so a computer can’t automate it, becomes horrendous for the user. Suck it up, ensure that the email being received has a specific line such as “Form from front page” and set Outlook rules on it.


I was thinking about just having drop down menus instead of a text box, so a user would have to choose a subject to be called back on, but even that would be a simple process of by-passing I would guess.

I would still like to try the checkbox/validation test, but I don’t have the coding skills to sort it yet. I will plod on regardless.


my coding skilz non existant now days, but i always liked the idea of a randomised timer where your prompted to click a button to finalise your message then press a 2nd button between a countdown of a randomised number
i.e. when the countdown timer is between 13551 and 13355 press submit or when the flashing bar turns yellow from randomised colours.

I think it quite common serving up web page captures anomalously to other sites for real users to answer then feed it back into your own site.

Your goal is to flummox the bot with something it can’t answer properly from anything you display as a capture but a normal human can comprehend and answer and having the server side understand the reply without it being a displayed word that could be picked from a list.

List of words still have that possibility of a bot getting it randomly right same with any check box or anything selectable on screen.


Looking at a list of dropdown boxes instead of a text box, so that they can’t actually type anything in. If you can’t type, you can’t :spam: but it does limit the customer’s options.