Hidden field spam trap for PHPFormMail

If you have a form mail script on your website you may find that you regularly receive automated spam to your email account. Even worse, it is possible that spammers may use your form mail script to send spam to other people.

One well-known method of significantly reducing (or even stopping) spam without having any impact on your website visitors is to add a hidden field to your form. Real human visitors will not see this field and will leave it blank. Automated spam scripts will fill it in. You can therefore easily tag or reject any emails that have this hidden field filled in. This method of stopping spam has been talked about on many other blogs – for example on modernblue and horizonweb.

I’m not going to explain the technique in depth – you can read about it on the above links. I’m just going to show you how to apply this form of spam protection if you are using the PHPFormMail script.

You will need to add an entry to your style sheet to hide the spam trapping field. I use two fields with similar names – one to display a field as normal and one to hide a field. I suggest you use different names from mine to make it less likely that spam scripts will work around this trap.

div#formstyle1 { display: inline; }
div#formstyle2 { display: none; visibility: hidden; }

Below you can see where I have added the spam trap field (the formstyle2 block) next to the usual message field.

<td><font face="arial">Message</font></td>
<div id="formstyle1">
  <textarea name="message" rows="10" cols="40"></textarea>
</div>
<div id="formstyle2">
  <p>Please leave the following field blank: </p><input type="text" name="spamtrap">
</div>

There are two things I can do in the PHPFormMail script if spam is detected (i.e. if the spamtrap field is not empty). I can either tag the email with a [spam?] tag, or I can reject it.

I have commented out the ’email rejection’ lines so the modification below will tag the email. If you want to enable the ’email rejection’ then you can simply uncomment the relevant two lines.

function send_mail()
{
	global $form, $invis_array, $valid_env, $fieldname_lookup, $errors;

	$email_replace_array = "\r|\n|to:|cc:|bcc:";

	### Anti-spam: start - reject email ###
	#if (isset($form['spamtrap']) && $form['spamtrap'] != '')
	#	return true;
	### Anti-spam: end                  ###
	if (!isset($form['subject']))
			$form['subject'] = 'WWW Form Submission';
	if (isset($form['subject_prefix']))
			$form['subject'] = $form['subject_prefix'] . $form['subject'];

	if (!isset($form['email']))
			$form['email'] = 'email@example.com';
	### Anti-spam: start - tag email ###
	# isset() avoids an undefined index notice when the field is not posted
	if (isset($form['spamtrap']) && $form['spamtrap'] != '')
			$form['subject'] = '[SPAM?]: ' . $form['subject'];
	### Anti-spam: end               ###
	switch ($form['mail_newline']) {
		case 2:		$mail_newline = "\r";
					break;
		case 3:		$mail_newline = "\r\n";
					break;
	# ... the rest of send_mail() continues unchanged ...

Since applying these changes to my various sites, the script has caught all the formmail spam that I was previously getting.

If you do decide to adopt these changes then make sure you test them carefully – first try testing with the spam trap field visible, before making it invisible. I’d also suggest that you adjust the field and style sheet names to make it harder for spammers to bypass.
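
To help with that testing, here is an added example (not part of PHPFormMail or of the original post) that pulls the trap check into a function and runs it over constructed submissions in both tag and reject mode. The names honeypot_verdict(), apply_verdict() and the mode strings are hypothetical; only the spamtrap field name and the [SPAM?] prefix come from the code above.

```php
<?php
// Added example, not PHPFormMail code. honeypot_verdict(), apply_verdict()
// and the $mode values are hypothetical names; 'spamtrap' is the field above.

// Returns 'ok' for a clean submission, otherwise $mode ('tag' or 'reject').
function honeypot_verdict(array $form, string $mode = 'tag'): string
{
    // Field not posted at all: treated as clean, as in the check on this page.
    if (!isset($form['spamtrap'])) {
        return 'ok';
    }
    $value = $form['spamtrap'];
    // spamtrap[]=x arrives as an array, which the form above never produces.
    if (is_array($value)) {
        return $mode;
    }
    // Strict string test: empty() would treat the value "0" as blank.
    return ((string) $value === '') ? 'ok' : $mode;
}

// Tag the subject, or return null to tell the caller not to send anything.
function apply_verdict(array $form, string $verdict): ?array
{
    if ($verdict === 'reject') {
        return null;
    }
    if ($verdict === 'tag') {
        $form['subject'] = '[SPAM?]: ' . $form['subject'];
    }
    return $form;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'left blank'   => ['subject' => 'Quote request', 'spamtrap' => ''],
    'filled in'    => ['subject' => 'Quote request', 'spamtrap' => 'http://example.com'],
    'value "0"'    => ['subject' => 'Quote request', 'spamtrap' => '0'],
    'array value'  => ['subject' => 'Quote request', 'spamtrap' => ['x']],
    'field absent' => ['subject' => 'Quote request'],
];

foreach (['tag', 'reject'] as $mode) {
    foreach ($samples as $name => $form) {
        $out = apply_verdict($form, honeypot_verdict($form, $mode));
        printf("%-7s %-13s %s\n", $mode, $name, $out === null ? '(not sent)' : $out['subject']);
    }
}
```

Run it with the PHP command-line interpreter; only the "left blank" and "field absent" rows should come through with an untouched subject.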

One Comment on “Hidden field spam trap for PHPFormMail”

  1. I use an asp formmail through Godaddy. I set up a hidden text field but have failed to find a script for that yet.
    Do you have a script to reject a hidden field for the gdform?
