Last Updated: March 02, 2016
· evgenykolyakov

Stop spam emails from bots (without captcha)

A common problem with website forms that send an email but have no Captcha is that the recipient ends up receiving a lot of spam emails from advertising bots.

An easy workaround for this issue consists of three parts:

  1. Add a hidden input in your form

    <form id="your_form" action="some_action_if_any">
       <input type="hidden" id="some_unique_id" name="some_pretty_normal_name" value="value_to_remove" />
       <!-- the rest of your form fields -->
    </form>

  2. When submitting the form, empty that hidden input

    /* This example is given with jQuery, though it can be implemented however you like. */
    $(document).ready(function() {
        $("#your_form").submit(function() {
            $("#some_unique_id").val(""); // empty the hidden input just before the form is sent
        });
    });

  3. On the server side, send the email only if that hidden input is empty

    // Send the email only if the hidden input arrived empty (or was not submitted at all).
    if (!isset($_REQUEST['some_pretty_normal_name']) || empty($_REQUEST['some_pretty_normal_name'])) {
        mail($to, $subject, $body, $headers);
    }

And that's it!

This method was checked on after it was spammed by arbitrary ads, and now they receive emails from real human beings :)

2 Responses

I think you also have to make sure the user will submit the form only once. If a mistake is made, you'll have to reset the identifier, right?

over 1 year ago ·

That depends on how you implement the submission itself...

I personally also add a time-stamp in the user's session, for a real person not to send too many mails and check if that time-stamp is "older" than 5-15 minutes, otherwise I return a relevant message via the AJAX and display it using JS.

This post is pretty generic :)

over 1 year ago ·
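
The server-side check from step 3 combined with the session time-stamp throttle described in the reply above, as an added PHP example that is not the original author's or the commenter's code. It is stricter than the post's check in that a request missing the hidden field is rejected too; the function name, the session key `last_mail_sent_at` and the 5-minute window are assumptions.

```php
<?php
// Added example. The field name comes from the post; everything else is assumed.
const TRAP_FIELD = 'some_pretty_normal_name';
const MIN_INTERVAL_SECONDS = 300; // lower bound of the 5-15 minutes mentioned in the reply

/**
 * Decide whether a contact-form submission may be mailed.
 * Returns 'ok', 'bot' or 'throttled'; records the send time in $session on 'ok'.
 */
function check_submission(array $request, array &$session, int $now): string
{
    // Field absent: the request was not built from our form.
    // Field non-empty: the client never ran the submit handler that clears it.
    if (!array_key_exists(TRAP_FIELD, $request) || $request[TRAP_FIELD] !== '') {
        return 'bot';
    }

    // Throttle real users: refuse if the last accepted mail is too recent.
    $last = $session['last_mail_sent_at'] ?? null;
    if (is_int($last) && ($now - $last) < MIN_INTERVAL_SECONDS) {
        return 'throttled';
    }

    $session['last_mail_sent_at'] = $now;
    return 'ok';
}

// Constructed sample requests; run from the CLI to see each outcome.
$session = [];       // stands in for $_SESSION
$t0 = 1456900000;    // constructed timestamp
$cases = [
    'human, first mail'         => [[TRAP_FIELD => '', 'message' => 'hi'], $t0],
    'bot, field left filled'    => [[TRAP_FIELD => 'value_to_remove'], $t0 + 10],
    'direct POST, field absent' => [['message' => 'buy now'], $t0 + 20],
    'human, 60 s later'         => [[TRAP_FIELD => ''], $t0 + 60],
    'human, 6 min later'        => [[TRAP_FIELD => ''], $t0 + 360],
];
foreach ($cases as $label => [$request, $now]) {
    printf("%-28s %s\n", $label, check_submission($request, $session, $now));
}
```

In a real handler, pass `$_REQUEST`, `$_SESSION` and `time()`, call `mail()` only on `'ok'`, and return the other two results to the AJAX caller as a message.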