Originally Published August 2021 | Updated March 2022
Website contact forms have always been targets for spammers, but in 2021-2022 it has gotten absolutely bonkers. The amount of spam that Cohlab and our clients receive has increased ten times over what we had in 2019 or 2020.
Unfortunately, while some of the contact form spam you receive may be illegal, there isn’t a practical way to enforce the law against the senders.
We’ve been experimenting with how to stop contact form spam throughout 2021-2022 on WordPress and other CMSs, and we’re here to share our best tips. We’ll start with the most complicated measures and end with the easiest ones to put in place.
We’ll also go over some examples of recent spam emails we’ve been seeing more often, and how you could block those specific senders if they are emailing you directly rather than through your contact form.
Options For How To Stop Contact Form Spam
Server-Level IP Block / Region Block
I said we’d begin with the most complicated way of stopping contact form spam, and I wasn’t kidding. You’ll need to get in touch with your website administrator, IT company, or website host to ask them about implementing a server-level IP address block or regional block on your website.
If you’re receiving a lot of spam, it’s possible that it’s arriving from outside of your country’s borders. You can request that any nation where you don’t do business be blocked from viewing your website, which could cut back on spam significantly.
Be warned though – IP addresses do change, and larger server-level blocks can go wrong sometimes, so this may affect your overall site traffic in a way you don’t expect.
If you are tracking website analytics, you’ll likely see a dip in overall traffic as well – but other engagement metrics should go up overall.
CMS-Level IP Block / Region Block
Similar to the above, you can also block IP addresses or regions at the level of your content management system (CMS), like WordPress. There are plugins you can install, or, with the right help, you can use your hosting control panel (such as cPanel) to block IPs and regions as described above.
Again, be warned that these blocks could affect legitimate traffic as well, so watch your analytics and leads/sales levels closely to make sure something wasn’t blocked that shouldn’t be.
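The two sections above describe IP blocking in general terms. The following is an added example, not Cohlab’s code or any hosting panel’s, of the check a host or administrator would run in front of a contact form endpoint: requests are matched against IPv4 CIDR ranges, an allow list is consulted first so a known-good address is never caught by a broad block, and every decision is logged, because the log is how you notice a block catching legitimate traffic. Region blocking would need a geo-IP database and is not shown. All addresses and ranges are constructed (RFC 5737 documentation ranges), not real spammers.

```javascript
// Added example of a server-side IP block check (not Cohlab's own code).
// All IP addresses and CIDR ranges below are constructed sample values.

// Parse dotted-quad IPv4 into an integer; returns null for anything malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when ip falls inside cidr ("198.51.100.0/24"); malformed input never matches.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true; // /0 matches everything; avoids a 32-bit shift quirk
  const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Decide for one request. Allow list wins over block list so that your own
// office or monitoring addresses survive a broad regional-style block.
function checkRequest(ip, policy) {
  for (const cidr of policy.allow) {
    if (inCidr(ip, cidr)) return { action: 'allow', reason: `allow-list ${cidr}` };
  }
  for (const cidr of policy.block) {
    if (inCidr(ip, cidr)) return { action: 'block', reason: `block-list ${cidr}` };
  }
  return { action: 'allow', reason: 'default' };
}

// Constructed policy: one exempted address inside an otherwise blocked /24.
const SAMPLE_POLICY = {
  allow: ['198.51.100.7/32'],
  block: ['198.51.100.0/24', '203.0.113.0/24'],
};

// Constructed sample of source addresses hitting the contact form.
const SAMPLE_REQUESTS = ['198.51.100.7', '198.51.100.42', '203.0.113.200', '192.0.2.10', 'not-an-ip'];

// Apply the policy to a batch and return counts, logging each decision so the
// effect on traffic can be compared against analytics.
function summarize(policy, ips) {
  const out = { allowed: 0, blocked: 0 };
  for (const ip of ips) {
    const d = checkRequest(ip, policy);
    out[d.action === 'block' ? 'blocked' : 'allowed'] += 1;
    console.log(`${ip.padEnd(16)} ${d.action} (${d.reason})`);
  }
  return out;
}

summarize(SAMPLE_POLICY, SAMPLE_REQUESTS);
```

Note that a malformed address is allowed by default rather than blocked; whether to fail open or closed on unparseable input is a policy choice, and failing open here keeps the block from silently dropping traffic that merely arrived through a proxy header the parser did not expect.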
Third-Party Spam Plugins
You’ll need to take extra precautions when installing third-party plugins on your WordPress website – some can contain malware. It’s best to ask a professional to choose and install one for you.
We have a specific plugin we’ve chosen that has a constantly updated blacklist of IP addresses and email addresses. This plugin blocks contact form submissions as they are sent, and for some known IP addresses it refuses access to the contact form at all.
We are using this plugin on all of our clients’ websites that have an ongoing maintenance contract with us.
Email Filter For Common Terms
Whether you use G Suite, Microsoft Outlook, or Yahoo, you have filter options in your email settings. If you’re seeing a lot of emails with very specific language in them that isn’t common to your real client emails, you could set up a filter for that phrase or sentence to block them before they reach your inbox.
If the messages happen to come from a fixed address, you could also block that domain from sending emails to you.
Disable Right-Click
Depending on the CMS you use, it may be worth disabling the ability to right-click on your website. Both bot and human spammers are likely copy-pasting their script into your contact form, and by disabling right-click you can either slow them down or discourage them from putting their information in your contact form.
This isn’t an airtight solution – anyone tech-savvy enough can get around a disabled right-click. But it does serve to slow the emails down.
reCAPTCHA / Custom CAPTCHA
You’ve likely seen Google’s reCAPTCHA system on website forms for a while now. Google introduced reCAPTCHA to replace the original CAPTCHA system, which was used throughout the 2000s.
Starting in 2014, you likely saw more of today’s reCAPTCHA system, where you click a button to verify that you’re human – if the reCAPTCHA system isn’t sure, you’re presented with a series of images to choose from, such as identifying only the images with crosswalks or motorcycles.
Adding this to your contact form is fairly straightforward if you follow the instructions to get the API keys from Google.
Honeypot Field
A honeypot is a field on your contact form that is hidden from human visitors but visible to bots reading the page markup. Humans never see the honeypot field, so they never fill it in. If your contact form detects data in the honeypot field, it assumes the message is from a bot and doesn’t let it reach your inbox. It’s a pretty ingenious method, and while not foolproof, it can help catch the majority of bots.
Honeypots are available on most CMSs and form plugins, so it should be easy enough to implement.
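To make the honeypot mechanism concrete, here is an added example of the server-side check, not code from Cohlab or from any form plugin. The field name, the form markup and the sample submissions are all constructed for illustration. Two design points a plugin handles for you are visible here: the trap field is hidden with CSS rather than `type="hidden"` (bots fill inputs by name and generally skip true hidden inputs), and `autocomplete="off"` keeps browser autofill from tripping a real visitor.

```javascript
// Added example of a honeypot check (not Cohlab's or any plugin's code).
// Field name, markup and submissions are constructed for illustration.

const HONEYPOT_FIELD = 'website_url'; // plausible name so bots want to fill it

// Markup the server expects. The trap is moved off-screen, not type="hidden",
// and autocomplete is off so a real visitor's browser does not fill it.
const FORM_HTML = `
<form method="post" action="/contact">
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email">
  <textarea name="message"></textarea>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave this empty <input name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>`;

// Classify one submission as 'deliver' or 'drop'. Dropped messages should still
// get the normal "thanks" response so the bot learns nothing from the result.
function classifySubmission(fields) {
  const trap = fields[HONEYPOT_FIELD];
  if (typeof trap === 'string' && trap.trim() !== '') {
    return { verdict: 'drop', reason: 'honeypot filled' };
  }
  // Stricter choice (tune to taste): a post that lacks the field entirely was
  // not produced by our form, e.g. a bot posting straight to the endpoint.
  if (!(HONEYPOT_FIELD in fields)) {
    return { verdict: 'drop', reason: 'honeypot field missing' };
  }
  return { verdict: 'deliver', reason: 'honeypot empty' };
}

// Constructed submissions: a real enquiry, a bot that filled every field,
// and a bot that posted its own field set without the trap.
const SAMPLE_SUBMISSIONS = [
  { name: 'Pat', email: 'pat@example.com', message: 'Quote for a new site?', [HONEYPOT_FIELD]: '' },
  { name: 'Lisa', email: 'lisa@example.net', message: 'Your website is infringing my images', [HONEYPOT_FIELD]: 'http://example.net' },
  { name: 'SEO', email: 'seo@example.org', message: 'Get your website to Google first page' },
];

// Run the check over a batch and return only what should reach the inbox.
function processInbox(submissions) {
  const delivered = [];
  for (const s of submissions) {
    const r = classifySubmission(s);
    if (r.verdict === 'deliver') delivered.push(s);
    console.log(`${s.email}: ${r.verdict} (${r.reason})`);
  }
  return delivered;
}

processInbox(SAMPLE_SUBMISSIONS);
```

Whitespace-only content is treated as empty because a stray space is more likely a keyboard slip by a screen-reader user than a bot, which is the kind of edge that makes a honeypot "not foolproof" in both directions.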
Remove Excess Comment Sections/Contact Forms/Email Addresses
Lastly, reduce the number of contact points on your website.
If you have a contact form in the footer of your website, it appears on every page, which gives bots many more places to submit messages. It’s best to have a contact form on as few pages as possible.
If you have a comment section on your blog or run a forum of some kind, spam can be rampant. Blocking it can feel futile, so removing it might be your best option if you can.
If you are providing users with your direct email address anywhere on your website – even if you think it’s hidden – spammers will take it and use it. If you can remove email addresses or hide them, you can greatly reduce the amount of spam you receive.
Examples Of Contact Form Spam
Copyrighted Images Spam
The below emails were sent to Cohlab and our clients by the dozens. Even with the best anti-spam contact form measures, dedicated spammers can still get through. Whatever you do, never click a link in a spam email like this.
This series of emails is likely inspired by a new law passed by Congress in late 2020 allowing for legal action to be taken by copyright owners in a tribunal rather than a court. Playing on website owners’ fears of being sued, they decided to run this spam campaign to try to get some quick payouts.
You can see two common examples below, and note how the wording was tweaked slightly each time to try to bypass any spam email filters that might be set up.
We’ve found the best way to block these particular spam messages was to key on the term “firebasestorage.googleapis.com” and filter for it in our email settings. We know this isn’t a service we, any of our clients, or any of our clients’ clients use, so it could be safely blocked and automatically sent to our spam folder.
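The email-filter section earlier and the point just made both come down to the same thing: filter on an indicator that stays stable across rewrites (the domain hosting the lure) rather than on wording the spammer changes from campaign to campaign. The following is an added example of such a rule evaluator, not Cohlab’s actual mail settings or any mail provider’s filter syntax. The rule set, the blocked sender domain and the sample messages (which paraphrase the emails quoted on this page, with constructed URLs) are all assumptions.

```javascript
// Added example of term and sender-domain mail rules (not Cohlab's settings).
// Rules, domains and messages are constructed for illustration.

const RULES = [
  // Stable indicator: the hosting domain of the "download the report" lure.
  { name: 'firebase-hosted lure link', kind: 'term', value: 'firebasestorage.googleapis.com' },
  // Sender-domain block for a fixed sending address (placeholder domain).
  { name: 'blocked sender domain', kind: 'sender_domain', value: 'spam.example' },
];

// Extract the domain from a From header like 'Name <user@host>' or 'user@host'.
function senderDomain(from) {
  const m = /@([^>\s]+)/.exec(from);
  return m ? m[1].toLowerCase() : '';
}

// Return the names of every rule the message matches (case-insensitive).
function matchRules(message, rules) {
  const haystack = `${message.subject}\n${message.body}`.toLowerCase();
  const hits = [];
  for (const rule of rules) {
    if (rule.kind === 'term' && haystack.includes(rule.value.toLowerCase())) {
      hits.push(rule.name);
    } else if (rule.kind === 'sender_domain' && senderDomain(message.from) === rule.value.toLowerCase()) {
      hits.push(rule.name);
    }
  }
  return hits;
}

// Route each message to the inbox or the spam folder, keeping the hits for review.
function sortMail(messages, rules) {
  const inbox = [];
  const spam = [];
  for (const m of messages) {
    const hits = matchRules(m, rules);
    (hits.length ? spam : inbox).push({ ...m, hits });
  }
  return { inbox, spam };
}

// Constructed samples: two reworded copyright lures, one SEO pitch from a
// blocked domain, and one genuine enquiry.
const SAMPLE_MAIL = [
  { from: 'Lisa <lisa@example.net>', subject: 'Copyright notice',
    body: 'Download it right now: https://firebasestorage.googleapis.com/v0/b/files-example.com/o/shared%2Freport.html?alt=media' },
  { from: 'Jenna <jenna@example.org>', subject: 'Infringing images',
    body: 'Take a look at this report: https://FIREBASESTORAGE.googleapis.com/v0/b/files-example.com/o/shared%2Fproof.html?alt=media' },
  { from: 'sales@spam.example', subject: 'First page ranking', body: 'We can place your website on Google 1st page.' },
  { from: 'Pat <pat@example.com>', subject: 'Website quote', body: 'Can you build us a site?' },
];

const sorted = sortMail(SAMPLE_MAIL, RULES);
for (const m of sorted.spam) console.log(`spam : ${m.from} [${m.hits.join(', ')}]`);
for (const m of sorted.inbox) console.log(`inbox: ${m.from}`);
```

The caveat the page already gives is the one that matters: a term rule also catches a legitimate message that merely mentions the term, such as a client forwarding the spam to ask about it, so it is only safe when, as here, nobody you correspond with uses that service.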
Hi there! My name is Lisa. Your website or a website that your organization hosts is infringing on a copyrighted images owned by me personally. Take a look at this report with the URLs to my images you utilized at xxxxxxxxx.com and my previous publications to obtain the proof of my copyrights. Download it right now and check this out for yourself: https://firebasestorage.googleapis.com/v0/b/files-xxxxxxxxxxx.com/o/shared%2Ffile-fdk3hdk39fh.html?alt=media&token=3e60f004-1eb3-442d-af14-64aa8c6adfeb&l=287520292554520926
I do believe you’ve willfully violated my rights under 17 USC Sec. 101 et seq. and could be liable for statutory damages of up to $110,000 as set-forth in Sec. 504 (c)(2) of the Digital millennium copyright act (”DMCA”) therein. This message is official notification. I seek the removal of the infringing materials referenced above.
Take note as a company, the Digital Millennium Copyright Act requires you, to remove and/or terminate access to the infringing content upon receipt of this particular letter. In case you do not cease the utilization of the aforementioned infringing content a lawsuit will be started against you. I have a strong belief that use of the copyrighted materials mentioned above as allegedly violating is not authorized by the legal copyright proprietor, its legal agent, as well as law.
I swear, under consequence of perjury, that the information in this notification is accurate and that I am the legal copyright proprietor or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
Best regards, Lisa XXXXXXX
Hello! My name is Jenna. Your website or a website that your organization hosts is violating the copyright protected images owned by me personally. Take a look at this report with the links to my images you utilized at xxxxxxxxxx.com and my earlier publication to obtain the proof of my copyrights. Download it right now and check this out for yourself: https://firebasestorage.googleapis.com/v0/b/files-xxxxxxxxx.com/o/shared%2Ffile-30vdfn23knvj.html?alt=media&token=9e279c80-f397-4170-a6ff-474fd938a171&f=565309404954668773
In my opinion you have intentionally infringed my legal rights under 17 USC Section 101 et seq. and can be liable for statutory damage of up to $110,000 as set-forth in Section 504 (c) (2) of the Digital Millennium Copyright Act (”DMCA”) therein. This message is official notice. I demand the removal of the infringing materials referenced above.
Please be aware as a service provider, the DMCA demands you, to remove and/or disable access to the infringing materials upon receipt of this notification letter. If you don’t cease the use of the above mentioned infringing materials a legal action can be commenced against you. I have a good self-belief that utilization of the copyrighted materials described above as presumably infringing is not permitted by the copyright proprietor, its agent, as well as laws.
I swear, under consequence of perjury, that the information in this letter is correct and that I am the legal copyright owner or am certified to act on behalf of the proprietor of an exclusive right that is presumably violated.
Sincerely, Jenna Xxxxx
Malware / DDoS Spam
The last email in this set is one commonly sent to newly created websites. The spammer pretends to be from a trusted source, letting you know your site has malware that is performing an attack against their site, and asking you to download some software to fix the problem. The software they want you to download is, of course, actually malware.
This message was written to you in order to notify, that we are currently experiencing serious network problems and we have detected a DDoS attack on our servers coming from the your website or a website that your company hosts (xxxxxx.com). As a consequence, we are suffering financial and reputational losses.
We have strong evidence and belief that your site was hacked and your website files were modified, with the help of which the DDoS attack is currently taking place. It is strictly advised for you as a website proprietor or as a person associated with this website take immediate action to fix this issue.
To fix this issue, you should immediately clean your website from malicious files that are used to carry out the DDoS attack.
I have shared the log file with the recorded evidence that the attack is coming from xxxxx.com and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network.
Click on the link below to download DDos Attack evidence and follow the instructions to fix the issue:
Please be aware that failure to comply with the instructions above or/and if DDoS attacks associated with xxxxx.com will not stop within the next 24 hour period upon receipt of this message, we will be entitled to seek legal actions to resolve this issue.
If you will experience any difficulties trying to solve the issue, please reply immediately with your personal reference case number (included in the log report and instructions mentioned above) and I will do my best to help you resolve this problem asap.
mailchimp.com IT security team
First Page Ranking Spam
I was surfing through your site and realized that despite having a great design; it was not ranking on any of the search engines (Google Yahoo and Bing) for most of the keywords relating to your business.
I am based here locally in Flordia and our offices are located in Miami, Orlando and Tampa. We have worked with many small businesses. I would be able to quick phone call to give you feedback on what you can do to bring your digital presence to the next level.
Please provide your phone number so that I can call you and accordingly discuss further on next steps.
I look forward to hearing from you.
Business Development Executive
I was checking your website on behalf of this email email@example.com and see you have a good design and it looks great, but it’s not ranking on Google and other major search engines.
We can place your website on Google’s 1st page. Yahoo, Facebook, LinkedIn, YouTube, Instagram, Pinterest etc.).
If you are interested, then I will send you our SEO Packages and Price list.
Thanks & Regards,
Get your website to Google first page – SEO for your website!
Hey there, We can put your website on 1st page of Google to drive relevant traffic to your site. Let us know if you would be interested in getting detailed proposal. We can also schedule a call & will be pleased to explain our services in detail. We look forward to hearing from you soon. Thank you!
Physical Domain Spam
This postcard came in the physical mail. We include it here because it is related to your website – this scam is trying to get you to pay for a service you don’t need by tricking you. They want you to think that they are your domain authority or the U.S.A. domain authority and you need to pay them nearly $300 annually to keep your domain.
Further on in the postcard, they admit that they are a business listing service, not a domain service (we assume to avoid lawsuits). But it would be easy for someone new to owning a website to be fooled, and give away their credit card information or hundreds of dollars to this scam company.
Ready to secure your contact forms and reduce your time spent sifting through emails? Contact Cohlab today to learn more about partnering with us for your next website build or website maintenance contract.