Circle City Communities

Stop spam sent to a 'Contact Me' page

If you haven't got PHP installed on your server, I'm sorry, but I can't help you!

You've got PHP? Great, read on.

The old way of stopping automated spam was to use a CAPTCHA image (Completely Automated Public Turing test to tell Computers and Humans Apart). You'll have seen these on sites that show a distorted image of letters and digits which you have to type in to prove you are human. The method below does without them.

Before we start, it's NOT a good idea to call your page 'Contact Me' or to have those words anywhere in the page, including the title, because spammers search Google for exactly that phrase. If you've already named it that and the spammers have found you, their program is probably sending you spam every hour, 24/7, and it's driving you crazy. As you don't want your contact page indexed, it's also a good idea to list it in your robots.txt so that search engines don't include it. Bear in mind that robots.txt is itself a public file: it only asks well-behaved crawlers to stay away, and anyone (a spammer included) can read it to find the pages you listed, so it is no substitute for the check described below.

So what is sending all this spam? It's a program running on the spammer's computer with your contact page address entered into it, and it runs 24/7, constantly hitting every site on its list. That list will no doubt have hundreds of thousands of entries. The spammers aren't visiting your site themselves; it's just their computer. Once they have locked on to your site, don't think that you can simply rename the page and they will go away. They won't, and you'll just make them try harder. I have experienced this first hand.

Let's get going and stop this automaton in its tracks:

  1. Rename your 'Contact Me' page to post.php (or anything else you prefer).
  2. Then create a new page called contact.php (or whatever your contact page was originally called).
  3. Put the following PHP code into the new contact.php exactly as is.

<?php
// contact.php: the only page you link to. It never shows the form itself;
// it just marks this session as having come in through the front door and
// redirects to the real form.
error_reporting(0);
if ($_POST || $_GET) {
    // A real visitor arrives here with no parameters at all.
    echo "I'm sorry, your request was refused as it contained unaccepted data.";
} else {
    session_start();
    $_SESSION['index'] = $index = mt_rand();
    $_SESSION['token'] = md5($index * 24);
    header('Location: post.php');
    exit; // nothing should run, or be output, after a redirect header
}
?>

Don't forget that these pages must have the .php file extension unless you have configured your server (for example via .htaccess) to run .html files through PHP. It doesn't matter if you're not familiar with PHP; here's a quick explanation of what the code does: contact.php refuses any request that carries GET or POST data, starts a session, stores a random number and a value derived from it in that session, and then redirects the visitor to post.php.

So what if they access your new post.php page directly, which they will certainly try?
At the top of post.php you check whether the session variables were set by contact.php:

<?php
// post.php: the real contact form. Refuse anyone whose session was not
// set up by contact.php first.
error_reporting(0);
session_start();
$index = $_SESSION['index'] ?? 0;  // missing values default to something
$token = $_SESSION['token'] ?? ''; // that can never match below
if ($token !== md5($index * 24)) {
    echo "I'm sorry, but direct access to this file is not permitted.";
    exit;
}
// The rest of your Contact Page code goes here

// Destroy the session once the message has been sent, so the same session
// cannot be used to post again without going through contact.php.
session_unset();
session_destroy();
?>

Note that the * 24 must be the same in both files. Use any number you like, add a number as well, or run the value through strrev() instead, as long as contact.php and post.php agree. One correction to the reasoning, though: $_SESSION data lives on the server and is tied to the visitor only by the session cookie, so a visitor cannot send their own $_SESSION['index'] or $_SESSION['token'] values. What the comparison really proves is that this session was created by your contact.php, which is exactly what a bot hitting post.php directly does not have; deriving a second value from the first just makes the code harder to reuse for anyone who sees it. Do not underestimate these people; they are very capable. Also note that no blank lines or spaces may precede the <?php tag, otherwise the session cookie and the redirect header can't be sent and sessions won't work!

Important: don't reuse the session variable names from my example. Because session variables are stored on the server, a bot can't supply them itself, so this is about not advertising how your gate works rather than a barrier in its own right; the real way round the gate is the one described in the note below.

Note: since writing this article, a new breed of automated spam has appeared that enters your site through the correct link (contact.php), follows the redirect, and immediately submits post.php with all your POST variables set, so it arrives with a valid session and bypasses this protection. Checking the Referer header used to stop this, but most browsers (including the IE8 beta) let users suppress it, and a bot can send whatever Referer it likes anyway. There is a solution (which I have developed to stop this) but it's too large a subject to include here.
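As an added example, and not the article's own code nor the solution the author mentions above, here is one way to put steps 1 to 3 into a single file and harden the gate against the redirect-then-post bot: contact.php records when the session was issued, post.php refuses a submission that arrives too soon after that (or too long after), and the form carries a one-time token that the POST must echo back, so a request that never rendered the form cannot pass. The constants MIN_FILL_SECONDS and MAX_TOKEN_AGE and the function names are assumptions for this example; random_bytes() and hash_equals() are standard PHP 7.0+ functions.

```php
<?php
// Added example (not the article's code): contact.php and post.php logic
// from the steps above, hardened against the bot that follows the redirect
// and posts straight away. Assumes PHP 7.0+ (random_bytes, hash_equals).
// MIN_FILL_SECONDS and MAX_TOKEN_AGE are assumed values, not from the article.
declare(strict_types=1);

const MIN_FILL_SECONDS = 5;    // a person needs at least this long to fill the form
const MAX_TOKEN_AGE    = 1800; // a gate token is only good for 30 minutes

// ---- contact.php: the only page you link to; it issues a token and redirects ----
function gate_issue(): void
{
    if (!empty($_GET) || !empty($_POST)) {          // same rule as the article: no data allowed here
        http_response_code(400);
        echo "I'm sorry, your request was refused as it contained unaccepted data.";
        exit;
    }
    session_start();
    session_regenerate_id(true);                     // fresh session id, so an old cookie can't be replayed
    $_SESSION['gate_token']  = bin2hex(random_bytes(16)); // unguessable, unlike md5(mt_rand() * 24)
    $_SESSION['gate_issued'] = time();
    header('Location: post.php', true, 303);
    exit;                                            // nothing may run after the redirect header
}

// ---- post.php: the decision, kept free of globals so the rules are easy to read and test ----
// Returns 'ok' when the submission may be processed, otherwise the reason it was refused.
function gate_check(array $session, array $post, int $now): string
{
    if (empty($session['gate_token']) || empty($session['gate_issued'])) {
        return 'no-gate';    // direct access: this session never went through contact.php
    }
    $age = $now - (int) $session['gate_issued'];
    if ($age > MAX_TOKEN_AGE) {
        return 'expired';
    }
    if ($age < MIN_FILL_SECONDS) {
        return 'too-fast';   // the redirect-then-post bot from the note above
    }
    // The POST must echo back the one-time token that only the rendered form contained.
    if (!isset($post['gate_token']) || !hash_equals($session['gate_token'], (string) $post['gate_token'])) {
        return 'bad-token';
    }
    return 'ok';
}

// ---- post.php: the glue around gate_check() ----
function post_page(): void
{
    session_start();
    if (empty($_SESSION['gate_token'])) {
        http_response_code(403);
        echo "I'm sorry, but direct access to this file is not permitted.";
        exit;
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        // Show the form, carrying the token in a hidden field.
        $t = htmlspecialchars($_SESSION['gate_token'], ENT_QUOTES, 'UTF-8');
        echo '<form method="post" action="post.php">'
           . '<input type="hidden" name="gate_token" value="' . $t . '">'
           . '<textarea name="message"></textarea> <button>Send</button></form>';
        return;
    }
    $verdict = gate_check($_SESSION, $_POST, time());
    if ($verdict !== 'ok') {
        error_log('contact gate refused a submission: ' . $verdict); // log the reason, don't show it
        http_response_code(403);
        echo "I'm sorry, but your message could not be accepted.";
        exit;
    }
    // ... validate and send $_POST['message'] here ...
    $_SESSION = [];          // one submission per gate: the token is spent
    session_destroy();
    echo 'Thank you, your message has been sent.';
}
```

contact.php then consists of this file plus a call to gate_issue(), and post.php of this file plus a call to post_page(). Because gate_check() takes plain arrays, you can exercise the rules without a browser: gate_check(['gate_token' => 'abc', 'gate_issued' => 1000], ['gate_token' => 'abc'], 1003) returns 'too-fast', and the same call with 1010 as the time returns 'ok'. The minimum delay is a trade-off: set it too high and a quick human is refused as well, so keep it to a few seconds and rely on the one-time token and the expiry for the rest.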