Blocking Contact Form SEO Spam when Honeypots Won’t Work

By Myke Amend

Since the beginning of online forms, one question we have needed to answer from time to time, one that we have even had to ask ourselves often is this:

Why are so many spam submissions coming in through our contact form?

One might also ask:

Who are these people?
Why are they saying they found crucial SEO errors on my website?
Are there actually serious issues with my site?
I have Captcha and Honeypots to stop spam form submissions, so where are these coming from?
How can we just make them all go away?

We feel you there. We’re a website design company and we still get at least several of those junk emails a day from some unknown SEO company, trying to sell us SEO or web design services.

We’ll try to answer those questions for you here, and will point you to some good, non-affiliated, resources and references here and there as well, research we found useful.

Question 1: Who are these people? Are they people at all? Are the SEO companies behind this legitimate?

We often wondered how many of these submissions were actually bots, and how many were less than skilled workers whose 9-5 job is filling out online forms all day long. I always thought at least a few had to be human, because as similar as these letters are in content, some do come with a smidgen of observation in their copy… not much… just enough to show they looked for a second to know where they were.

The copy/paste nature of these is glaringly evident when they are proposing to increase our PageSpeed score (which is 100 out of 100 for desktop and a not-too-shabby 82 for mobile), pointing out SEO errors that are just not there. In the best cases, the issues written about seem to be false positives – the product of someone just running scans all day long but not understanding the information, not having time to actually check the results. Maybe there is a bot or an unskilled worker running low quality scans all day in some cases, but in most cases the information given seems to have nothing to do with the site at all, and we can be pretty sure everyone is receiving the same letter with the same amount and degree of “errors found”.

Listing problems that don’t exist to us, for our own sites, is annoying yet somewhat entertaining… but when these spammers are bothering clients of ours with this nonsense, time can be spent explaining to clients the junk nature of these submissions – pointing out that no business name is given, they have no website of their own, they have no portfolio, no success stories to share. These companies don’t even have their own domain email, all of them are yahoo, hotmail, or other junk gmail addresses. All they seem to offer is fear, much like all these auto-dialers pretending to represent Google, Godaddy, and others, urging people to take action before they lose search engine position, or placement altogether.

For as long as free email services are around, there will be email scraping, email lists for sale, spamming, and bots and workers crawling the net for contact forms to spam. The problems and solutions tend to change and this is an ongoing war.

I have Captcha and Honeypots to stop spam form submissions, so where are these coming from?

Having experimented with Captchas, honeypots, mathematical question fields, firewalls, and all manner of bot prevention, I have come to the conclusion that there is more manual activity involved in these recent spam campaigns. I suppose if you copy/paste 3,000 “We found problems with your website’s SEO” emails a week, you’ll get at least a few panicked business owners to take the bait (at the risk of being phished or otherwise scammed, paying for services undelivered, or receiving the sort of services one should expect from a ‘fast food’ SEO company).

Conclusion: The peskiest ones are copy/pasting form letters into contact forms and monitoring their fake email addresses for bites.

Question 2: How serious are these letters? Should I be worried?

Though fixing valid and glaring issues can definitely improve a site’s chances to compete, and in some cases remove penalties, we know from experience that building good SEO takes a lot more work and a lot more thought than just coding fixes and information restructuring. We also know it can be very hard to recover from bad SEO, which is pretty much any SEO where the user experience comes second or where attempts to fool search engines are being made. I think anyone offering fast and amazing results, or anyone running scare tactics is not on the level.

… That said, we do actually find a lot of sites can use a little bit of inexpensive help that might go a long way – these are basic things such as setting up SSL, fixing themes/templates to not have multiple h1 tags, to be mobile-friendly, to include open graph and other social media tags, to include and manage canonical URLs, we’ve even found some internally-developed templates lacking the ability to choose stubs or to assign meta descriptions and titles. These are all very basic things that could hurt a site, and all very easy to fix on most sites and platforms.

But for actually achieving a good rank, this is not by any means easy, quick, or “one time and done”. Though a lot of people say SEO is an uphill battle, I’d say it is more like swimming – you might sink if you stop, or you might float, but you are definitely not getting ahead. It is also a lot like swimming because panicking is something you do not want to do. This sort of work takes a well-thought-out strategy, and dedication. It pays off gradually, but steadily. Don’t trust anyone who promises they’ll have you at the top of the searches in days, weeks, or even months – sure, it is possible to do, but is not likely to happen for a few hundred bucks, and certainly not immediately.

Conclusion: SEO is important, but these people probably have no idea whether you have an actual SEO problem. They might take a look after you contact them. With the need for data and site security being so incredibly important these days, the last thing anyone should do is give the keys to their site to someone they don’t even know, someone who doesn’t even have a valid email address.

Question 3: Are there actually serious issues with my site?

If your site has major issues, there are a lot of free scans online that can detect these. The most obvious ones are often server or structure related. Keep in mind that these free scans are often looking to sell you their services, and “free” often means in exchange for your email address. Also keep in mind that some of them do make mistakes – automated is by no means perfect. For the technical aspects you can use the Hubspot Site Grader; you can even leave off your email address (though they make it appear necessary). PageSpeed Insights will tell you if your site is running slow and how to fix it (but don’t obsess over getting a perfect score, being above 80 is a good place). Pingdom.com tests for the same thing, but will give you some different information to work from. One service I used to use a lot before we found our paid services of choice is Nibbler – it gives you a nice mix of information, and as free scans go I am very impressed by SiteAudit.

Pingdom and Site Audit Screen Captures

Since these emails say that you are being penalized, you might want to connect your site to Google Search Console (You should always want to connect your site to Search Console) and see for yourself. Keep in mind that not all penalties are ones you’ll be alerted about.

There are a ton of articles on the web about avoiding and detecting search penalties. Here are two that are actually very good:

One that outlines some good ways to know if you have been penalized, and ways to fix that:
50 Reasons Your Website Deserves to Be Penalized By Google

A shorter list, but with its own very useful insights on SEO.
14 Reasons Your WordPress Site Isn’t Ranking High In Google (So You Never Have To Ask Another SEO Again)

Conclusion: Before you go panicking, use one or several of these site scanners to see if there are any major issues, and even still consider that these scores do not make or break any site. You can score fantastically on all of these and still get only 10 clicks a week, especially if your content strategy isn’t as good for humans as it is for scanners. I’ve seen horribly-constructed sites enjoying better placement than sites that considered every last technical detail. Consider that content and engaging your audience are incredibly important, and that over-optimizing can hurt more than help.

Question 4: How can we just make them all go away?

Sometimes, when I am looking for solutions to problems, I can get overly complicated. I am always looking for the tough solutions and need to remind myself to look for the simple solutions first. We decided it would be good to frustrate and waste the energy of these spammers, make them try and fail every time they submitted a form with keywords or keyphrases that would indicate spam.

I didn’t want to have to program hooks into plugins, and was hoping to find an actual plugin that could do this.

The obvious choice, Akismet, is mainly for comment spam, and great for it, but is not really made for contact forms. Contact Form 7, a WordPress plugin, actually does offer a way to use Akismet for contact forms as well. Other contact form plugins had honeypots, reCaptcha, and questions as spam prevention, measures that are not much good for this sort of spamming.

We will probably end up using Contact Form 7 more often as a result. Contact form 7 is free, and Akismet is free to bloggers and individuals (only $5 per month for businesses). If you are using WordPress, not at a web design or marketing company, or just not interested in other solutions you can probably stop right there.

Conclusion: Akismet and Contact Form 7 if your site is WordPress and your site is not for a Web Design, Advertising, SEO, SEM, or other Marketing Company.

Bonus Question: What if my company is a web design, SEO, or other Marketing Company?

Because we are in the web development business, and expect that our prospective clients might write us with words or phrases that would trigger our defenses, packaged solutions with packaged sets of keywords would just not do for us. It is bad enough that we can’t click “spam” in our email clients for these messages, worse still that even without this we get legitimate emails hung up in the spam filter all of the time because of the nature of our business. Stopping these emails before they are sent is a legitimate marketing need.

We wanted a plugin that could use keywords and key phrases of our choosing to stop user-submitted spam.

For the WordPress sites, the solution is Contact Form 7 again. If you use Contact Form 7, go to your WordPress Settings :: Discussion :: Comment Blacklist; contact form submissions will also use this list to determine whether a message is spam, and block it if it is. You can enter keywords and key phrases as you think of them or as they become a problem, or you can start off with an already assembled, regularly updated list of over 28,000 key phrases that has been shown to produce zero false positives when compared to Akismet. The benefit is being able to remove key phrases according to your company’s needs (for casinos, pharmacists, marketers, etc.). That list can be found here: WordPress Comment Blacklist. Another great thing about the Contact Form 7 plugin is that you can customize all alert and error messages on a per-form basis – so, just in case, you can put instructions on how to contact you in the message that says the form was rejected.

It took me a few hours to pick through a list of 28,000 known spam phrases (using find/replace to reduce the workload significantly), and I weeded the list to prevent false positives wherever I saw a risk for them. I don’t want to do this every time there is an update, so next time around I think I will save a list of the keywords removed, and find a way for our site to pull the master list automatically and re-apply our edits. I think that work will probably start here with the Blacklist Plugin Updater. It is 3 years out of date, but probably because it is pretty simple; writing a few hooks to filter that data on the way in shouldn’t be too hard.

Conclusion: If you are involved in marketing, advertising, or design – Customize the list and use Contact Form 7.

Last Question: What if my site is not a WordPress Site?

We also wanted to be able to implement this solution on sites that are not WordPress, because we have clients who came to us using a variety of platforms, even their own proprietary ones. The WordPress Comment Blacklist is a great start to any such project, whatever your platform. I have found that with most all of the old standard CMSs, honeypots, security questions, and reCaptcha are about the only things offered. If you are just working with good old HTML, JavaScript, PHP and/or other basic and straightforward page-making without a CMS, applying this list, even importing it on a regular basis, should be pretty simple.
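The workflow described in the last two sections (pull the master list, re-apply your own removals, then check each submission against the result) can be done server-side in a few functions. This is an added example, not code from Contact Form 7 or from our site; the sample phrases, `LOCAL_REMOVALS`, and the function names are constructed for illustration.

```javascript
// Constructed sample of an upstream phrase list, one entry per line (not the real list).
const MASTER_LIST = [
  'found errors on your website',
  'first page of google',
  'seo services',
  'web design',
  'online casino',
  '',
].join('\r\n');

// Constructed local edits: phrases a web design agency expects from real prospects.
const LOCAL_REMOVALS = 'Web Design\nseo services\n';

// Lowercase, fold compatibility characters, collapse runs of whitespace.
function normalize(text) {
  return String(text).normalize('NFKC').toLowerCase().replace(/\s+/g, ' ').trim();
}

// One phrase per line; blank lines dropped; stray \r from CRLF files is trimmed away.
function parseList(text) {
  return new Set(text.split('\n').map(normalize).filter(Boolean));
}

// Re-apply the saved local removals to a freshly pulled master list.
function buildBlocklist(masterText, removalsText) {
  const removals = parseList(removalsText);
  return [...parseList(masterText)].filter((phrase) => !removals.has(phrase));
}

// Case-insensitive substring match over every submitted field.
// Returns the first hit so rejected messages can be logged and the list tuned.
function checkSubmission(fields, blocklist) {
  for (const [field, value] of Object.entries(fields)) {
    const haystack = normalize(value);
    const phrase = blocklist.find((p) => haystack.includes(p));
    if (phrase) return { spam: true, field, phrase };
  }
  return { spam: false, field: null, phrase: null };
}

const BLOCKLIST = buildBlocklist(MASTER_LIST, LOCAL_REMOVALS);
```

Because matching is by substring, a short entry can hit inside a longer, innocent word, so log the returned `phrase` for every rejection and move any false positive into the removals list.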

Myke is a full-stack web developer for The Industrial Web Development Team at Lohre & Associates, Inc.. He is also a fine-art painter and engraver, best known for his steampunk fantasy illustrations, and his “Infernal Device” project at Artprize.