Spam Filter for WordPress Contact Form
A spam filter is an important feature for WordPress websites using a contact form. Without a spam filter, valuable time may be wasted for manual review and moderation of incoming contact forms to separate legitimate user content from useless or harmful spam.
Akismet Spam Filter with Contact Form 7
Many WordPress blogs and websites use the Akismet plugin as a spam filter for blog post and page comments and use the popular free plugin Contact Form 7 to receive contact form submissions. Akismet analyzes millions of websites and communities in real time to create a cloud-based spam blacklist or blocklist database.
Akismet automatically integrates with the Jetpack contact form module. It does not automatically filter spam from Contact Form 7. Users can manually add several fields to the form to enable the Akismet spam filter. Some other contact form plugins also support Akismet.
Contact Form 7 also supports a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenge-response test and a simple quiz option to require a user to answer a question that blocks spambots. The Contact Form 7 Honeypot plugin adds a hidden field, unseen and ignored by users, but seen and filled in by spambots, causing spambot rejection due to a validation error.
The older CAPTCHA technology has been replaced by newer, simpler Google reCAPTCHA. See instructions for installing reCAPTHCA. Newer pattern recognition algorithms using artificial intelligence (AI) have been successful in solving CAPTCHA challenges of distorted text images.
Another spam filter strategy in Contact Form 7 is to set minlength and maxlength for text fields and min and max limits for number fields.
Since Contact Form 7 does not store incoming forms, they may be lost if they are not successfully delivered by email due to an error. The Flamingo plugin will store and report by email when new contact forms arrive on the website.
AntiSpam by CleanTalk
Another spam filter, AntiSpam by CleanTalk, is a paid premium plugin that includes options for users to enable a cloud-based spam filter on comments, contact forms and registration forms. It also protects a website from spam in plugins for bookings, orders, widgets, subscriptions and newsletters.
An optional firewall feature sends spambots to a blank page, blocking them from the web server. It also includes features for DDoS attacks and XML-RPC attacks from bad IP addresses.
Detected spam is sent automatically to the spam queue, where the moderator can sort it and move it to the inbox or trash. Users can check if they are on the CleanTalk blacklist.
Many WordPress websites use the Settings > Discussion > Comment Blacklist to block spam submitted in blog comments, forums, registration forms and contact forms. Users may add or import spam trigger words and phrases to the blacklist. If the contact form includes any words on the blacklist, the form is sent to trash.
False Positive and Victim Detection
It is not possible for a spam filter to avoid some false positives, blocking some legitimate messages. But the time-saving benefit of automatically blocking most spam outweighs the inconvenience of detecting some false positives. When possible, valid messages found in the spam folder should be added to a whitelist to route them to the inbox the next time.
A legitimate sender may be a victim and may not know that their IP address, email address or domain name is on a blacklist. They may be the victim of undetected malware that has infected or hijacked their system and is sending spam or malware from their computer, using their credentials. As a result, their internet reputation is damaged and they are detected as a spam source when submitting a contact form with no spam content.
If a contact form submitted by a legitimate user is unexpectedly sent to the spam queue, the user or tech support should investigate if they are on a reputation blacklist. Some websites for doing online blacklist checks are listed below. The blacklist may require a service request and manual intervention to remove an entry, once the problem is fixed.
1. dnsbl.info checks IP address on more than 100 DNS based blacklists
2. dnsstuff.com shows your IP address and location, DNS report runs 55 critical tests against your domain and mailservers
3. intodns.com checks health, configuration, provides DNS report and mail servers report
4. ipvoid.com/ip-blacklist-check shows service provider, location, checks IP address on more than 80 IP reputation and DNSBL services
5. mailspike.net/iplookup.html shows IP location, map, checks IP address on mailspike, Spamhaus and SpamCop blacklists
6. mxtoolbox.com/blacklists.aspx checks IP address against over 100 DNS based email blacklists
7. tcpiputils.com/dns-blackhole-list checks hostname or IP address against 60 DNS based anti-spam databases
8. ultratools.com/tools/spamDBLookup checks domain name or IP address against 80 DNS blacklists
9. whatismyipaddress.com/blacklist-check checks IP address on 80 DNS-based anti-spam databases
10. hetrixtools.com/blacklist-check/ checks domain name against 37 blacklists or IP address against 102 DNS blacklists
Reasons for Reputation Blacklist Entry
A “poor” reputation may have been caused by one or more of the following reasons:
poor or weak security DNS configuration
no reverse DNS entry (PTR-Record)
poor or incorrect mail server configuration or mx records not following best practices
open relay or open proxy
violating outbound email policy
unauthenticated ‘direct-to-mx’ email
insecure wireless network (WiFi) allowing hackers to send spam
rogue, uneducated or negligent employee violating cybersecurity policies
spam, phishing or malware history
spam generated by virus, malware, trojan, exploits, botnet or spambot infection
compromised email account
dynamic IP addresses previously used by spammers
Unsolicited Bulk Email (UBE)
sending bulk mail that violates the CAN-SPAM Act
sending spam to a spam trap
recipients incorrectly or falsely reporting valid email as spam
using or clicking on URL shorteners
using or opening malware file attachments
other types of illegitimate behavior
SQL and PHP injections
toxic domain known for abuse, spam or bot created emails
email with false/spoofed header information
Email Blacklists for Spam Filter
An email address might be classified as valid, invalid, catch-all, spam trap, possible trap, abuse, do not mail, complainer, role based, unknown, disposable, or blocked.
1. ZeroBounce.net Email Verifier checks email address for status, name and gender
2. spamcheck.postmarkapp.com paste copy of email to check SpamAssassin spam score of incoming or outgoing message
3. ultratools.com/tools/emailTest Email Server Test, checks email address or domain for valid mail server and responsiveness, provides list of valid mail server IP addresses
PHP Mail vs. SMTP Mail
By default, WordPress uses the PHP mail function to send email generated by WordPress or any contact form plugin. But, PHP mail does not work properly or reliably on many WordPress hosting platforms due to configuration problems. So, some contact forms submitted are never delivered by email to the destination Inbox, causing lost sales and frustrated customers who do not receive a reply to a registration, question or information request.
For reliable email delivery of contact form messages, a plugin supporting industry standard SMTP (Simple Mail Transfer Protocol) is valuable. The most popular plugin is WP Mail SMTP. It supports email delivery using popular email clients such a Gmail, Yahoo, Outlook, Microsoft Live and others used by bulk email marketers.
WP Mail SMTP fixes email deliverability problems by reconfiguring the wp_mail() PHP function to use an SMTP provider with proper email authentication. If incoming PHP email is not properly authenticated by the receiving Email Service Provider (ESP) the email may go to the spam folder or may not be delivered.
Spam Filter Conclusion
Take time to set up a spam filter for a contact form to properly tag and divert spam, but store and check the spam folder for false positives so legitimate messages are not lost.
[updated 2018-12-27] added another blacklist database to list