How to Stamp out SPAM on your site with our 5 step plan
320 BILLION SPAM EMAILS ARE SENT EVERY DAY! WHEN SPAM CAUSES A DATA BREACH, IT TAKES ON AVERAGE 287 DAYS TO DETECT IT
If you’re a website owner that gets unwanted emails from contact forms on your site and struggle to know what to do, then your not alone. The fact is that every site owner reports unwanted marketing emails, suspicious emails and other forms of SPAM that make it to you through contact forms causing major annoyance and a level of insecurity about opening emails or viewing attachments. In some cases, hosting providers will also get on your case and threaten service suspension until action is taken.
The question is, can anything be done without breaking the bank? to which the answer is yes, with a little time and effort, you can make a real difference and in these next 5 steps, I’ll show you how.
Tip 1: Google Re-Capcha
Many contact forms will have this feature enabled already, but did you know that there are different versions of Google ReCapcha up to version 3. Google v2 is still installed on many site forms and has been increasingly defeated by clever Spammers using AI. Google ReCapcha version 3 has significant improvments and works very much behind the scenes in looking for suspicious spam-like behaviour. It’s important to use the latest version on your contact form as a 1st line of defence against spammers.
Tip 2: Anti-Spam Plugin
All Anti-Spam plugins are not the same. One that comes highly recommended is from Cleantalk which is cloud based and compatible with many form types such as contact form 7, gravity forms, formidable forms and more. For $8 a year it’s well worth the investment. There’s not much configuration out of the box with these plugins, but they are effective.
Tip 3: Geo Location Blocking
It will come as no suprise that the reputation of countries like Russia and China for hacking is less that great. Many site owners see no valid reason for allowing visitors to use the contact form outside of their home country. So how do you block countries? Well theres the free way with a bit of work and then there’s the paid way for about $50. The free way is editing the .htaccess file (usually via an FTP program) on your webserver.
.htaccess File: If you have access to the .htaccess file on your webserver you can add a few commands to the start of the file and save it. In the code below, all visitor will be block from accessing the contact-us page except visitor from the UK and Ireland. You can use a service like GeoTargetly to verify that the rule works. Note that you will need to verify with your hosting provider that a geo database is installed with your hosting plan as not all do.
Geo Blocking Plugin There are a number of plugins like IP2Location which will also do the above for you using up to date databases and advanced features such as city level geolocation.
Whichever method you choose, this is a highly effective method of stopping those spammers as all they will see is ‘page forbidden’ when they try to land on your contact page. Of course advanced attackers who go as far as to change their country by VPN wont be stopped by this method.
Tip 4: DNS Security
Over 50% of spammers are hunting for ways to use your domain to send spam from in order to defeat email filters. This means that if you dont control or at least your email provider doesnt control DNS, then your at risk. Every website has a DNS record with a link to mail servers which handle email from your organisation. Many hosting services will implement a service called SPF or (Sender Protection Framework) on your behalf where a DNS record like
would appear. Your SPF record can be checked using a tool like dmaranalyzer.com to validate that the SPF filter is in place.
SPF above is complimented by other DNS SPAM prevention techniques like DKIM and DMARC. Google goes into details about these in their article Help prevent spoofing and spam with DKIM DKIM: Adds a digital signature to every outgoing message, which lets receiving servers verify the message actually came from your organization while DMARC: Lets you tell receiving servers what to do with outgoing messages from your organization that don’t pass SPF or DKIM. Its best practice to setup SPF, DKIM and DMARC particurlary if you’ve a chronic problem with SPAM as locking down your DNS can really make a difference.
Tip 5: Limit posting your real email address
Spammers live an breath automated collection of email addresses from websites and more particularly contact-us pages and blogs. If you have to use real email addresses then dont make it easy for the spammers. Put spaces in between email addresses like “Enquiries @ CarltonDesign.ie”, and prevent real email addresses from appearing on the meta data of blogs. Technical controls are great, but human behaviour such as stopping to think before clicking on a link or posting personal email addresses can make the most impact on stopping the spammers.
Need help with your website? Contact us for more information.