How OSpam-a-not Protects Your Joomla Forms From Spambots

ospam a not

In 2014 here at, we decided to stop the flood of spambots sending spam via forms on our site.

We tried one particular unobtrusive technique on some of our forms. (PS. We’re big fans of Shack Forms here at OSTraining).

This method worked out much better than we could have expected. So, we decided to turn this into a Joomla plugin. This is how OSpam-a-not was born.

So, how does OSPam-a-not work? OSpam-a-not looks for forms on your Joomla page when the visitor is not logged in. Unless the form has only one text field with no submit button, the plugin will add two fields at the very end of the form.

PS. If you’re new to Joomla, I would recommend reading “How to create a Joomla contact form” before attempting this tutorial.

Time Gate

The first field is a hidden timestamp. It records the time the field was created and added. If the form was submitted more quickly than humanly possible, OSpam-a-not blocks the submission.

This interval to use will depend on many unpredictable factors. Obviously, it could potentially create too many false positives. We suggest you turn this feature off when you just install the plugin. But the field is still added to the form.

Similar to the form token Joomla uses to prevent CSRF attempts, the field name is a hashed value we can identify in a protected form when it is submitted.

<input type="hidden" name="4dae3556796029138fbec8655162f36b" value="1421891860.0"/>

Honey Pot

We implemented this technique at OSTraining with a stunning success. You just add a text field to the form and make it hidden. Simply add a style tag at the end of the document headtag.

It isn’t visible to a human user, but a spambot doesn’t see that and fills in the field anyway. If you find anything at all in that field when the form is submitted, we’ve caught a spambot in the honey pot! And the form is blocked.

<style type="text/css">input[name=my_name] {display: none;}</style>
<input type="text" name="my_name" value=""/>

It seems entirely possible that if a spambot saw a text field named 304777dc6667acf98dd it might get suspicious and avoid filling it in.

Something like my_name is much sweeter sounding. So we choose from a list of reasonable sounding field names adding the one that we’re sure isn’t already on the form.

Click here to try OSpam-a-not today.

Finally, if you want to see a wide range of Joomla forms extensions, check out this guide: The 5 Best Joomla Forms Extensions.


  • Alex Smirnov

    Born from Ukrainian mother and Russian father, Alex migrated to the United Kingdom in 1999. He is a self-taught Microsoft Certified Professional. He enjoys learning content management systems and helping web site developers make the most of them.

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x