Spam Prevention Techniques

This page contains HTML and JavaScript code for preventing email address from being harvested from your website, and PHP code to block form spam.

Email spam is a major problem for enterprises and individuals because it can lead to fraud, identity theft, computer viruses, and wasted time. In addition, misconceived efforts to block spam with overly aggressive filtering can inconvenience legitimate email contacts.

This simple Javascript function will fool virtually all email address harvesting programs:

<script type="text/javascript">

//generate an email address

function contact(domain, user, tld) {

  document.write('<a href=\"mailto:' + user + '@' + domain + '.' + tld + '\">');

  document.write(user + '@' + domain + '.' + tld + '</' + 'a>');




The following code (adapted from a post at HighRankings, and previously circulated on the web since time immemorable) can greatly reduce the amount of form spam. The idea is to place a CSS-hidden field on your form, and then test if it contains input. Spambots generally place input in every field. A human user will not fill out a hidden field. For added security you can label the hidden field “Leave Blank”.

// Change 'email' to the name of the field where your user should 
// enter their own email address.
if (empty($_POST) || !isset($_POST['email'])) {
    header("Location: /");

// Your form should have a CSS-hidden field 'pooh' that is left blank by human users
if (!isset($_POST['pooh']) || $_POST['pooh']!="") {
    sleep(rand(2, 5)); // delay spammers a bit
    header("HTTP/1.0 403 Forbidden");
$crlf = "\r\n";

// Insert into PHP scripts before mail()

// Check $_GET if your contact form uses GET method.

$badStrings = array("Content-Type:",

function all_ascii( $stringIn ){
    $final = '';
    $search = array("\r","\n");
    $replace = array(" "," ");
    $hold = str_replace($search[0],$replace[0],$stringIn);
    $hold = str_replace($search[1],$replace[1],$hold);
        function str_split($string,$split_length=1){
            $count = strlen($string);
            if($split_length < 1){
                return false;
                } elseif($split_length > $count){
                return array($string);
                } else {
                $num = (int)ceil($count/$split_length);
                $ret = array();
                for($i=0;$i < $num;$i++){
                    $ret[] = substr($string,$i*$split_length,$split_length);
                return $ret;
    $holdarr = str_split($hold);
    foreach ($holdarr as $val) {
        if (ord($val) < 128) $final .= $val;
    return $final;
// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
    foreach($badStrings as $v2){
        if(strpos(all_ascii($v), $v2) !== false){
            sleep(rand(2, 5)); // delay spammers a bit
            header("HTTP/1.0 403 Forbidden");
// Continue onward to mail()

About the Author

After graduating from Yale with two degrees in Computer Science, Jonathan Hochman set up his own consulting company in 1990. He has been an Internet marketer since 1994.

For additional information, please contact Hochman Consultants.