Spam protection for Powermail forms
Since 07.12.2023, the spam protection "Friendly Captcha" has been activated for all forms. It no longer needs to be explicitly activated as a separate field in each form. "Friendly Captcha" is data protection-compliant and has been agreed and officially approved together with the Data Protection and Information Security Unit. It is a highly recommended method of spam protection for forms in terms of data protection, user-friendliness and accessibility.
If forms are publicly available on the Internet, it can happen that they are automatically filled in and sent by spambots. This can lead to a high volume of emails within a very short time due to unwanted registrations. In this respect, good spam protection for (public) forms is strongly recommended.
Powermail already offers built-in spam protection (including a "honeypot"), but unfortunately this does not catch everything.
Possible solutions
The solutions mentioned below can be combined with each other. Since the use of "Friendly Captcha" for all forms, no additional spam protection is generally required.
Recommendation
- "Friendly Captcha" - is now automatically used in all forms. The captcha is displayed directly above the "Submit" button.
- If the target group is internal to the university: The page type "Intranet" can be selected as additional protection.
- If it makes sense and is possible: Configure validation for individual fields.
In general, the page on which the form is located should include a contact option that can be used in the event of problems with the form.
Option 1: "Friendly Captcha"
The captcha is automatically displayed in the form. As a rule, verification takes place automatically as soon as the form is completed; in individual cases, a further click in the field is required.
Option 2: Restrict access to the page
- If the target group is internal to the university, the page can be made available as an "intranet" page. The page is then accessible in the university network and can be accessed by employees and students with a central login.
- Page with self-selected access protection: This is somewhat more complex, as a separate user group and user access must be created in TYPO3, as well as a page for the login. However, it is then also accessible to users outside the university (with the login details).
The disadvantage of these solutions is that the page cannot be found by external search engines. It is recommended to create a superordinate, public page for this purpose, which can serve as an entry page and can be found by search engines.
Option 3: Validate fields
Validation can be configured for certain fields (e.g. student ID number, email address, telephone number, German postcode) so that only certain values are permitted and/or the field is a mandatory field.
Without a combination of other means, this is generally not sufficient protection against spam bots, but it does protect against manually (even unintentionally) incorrectly completed forms.
It also makes sense to use mandatory fields and validation, as this also helps the person filling in the form to provide correct information and protects against incorrect entries. However, it is important here to make it easy for users, e.g. by entering a placeholder or additional information on the page.
Regular expressions
Some restrictions - as in the example above for the postcode - can unfortunately only be realised using cryptic "regular expressions" (regex).
For this, "Pattern (RegEx)" must be selected under "Field validation" and the regular expression entered in "Validation configuration".
Examples:
| Regular expression | Meaning |
| --- | --- |
| `^[0-9]{5}$` | German postcode: the text must consist of a 5-digit number |
| `@(uni-oldenburg\.de\|uol\.de)$` | Uni email address must be used (the dots are escaped with `\.`, since an unescaped `.` matches any character) |
Regex101 can be used to check regular expressions.
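As an added illustration (not Powermail's own code), the following stand-alone check applies the two patterns above to submitted values, including the mandatory-field rule. The rule set, field names and sample values are constructed for this example; the only assumption about Powermail is that a pattern is applied server-side to the whole submitted value. The email pattern is written with escaped dots so that a literal "." is required; a second function uses the unescaped form to show what it additionally accepts.

```python
import re

# Validation rules for the page's example fields (constructed for this
# illustration; the real configuration lives in the Powermail backend).
RULES = {
    "postcode": {"required": True, "pattern": r"^[0-9]{5}$"},
    "email": {"required": True, "pattern": r"@(uni-oldenburg\.de|uol\.de)$"},
    "comment": {"required": False, "pattern": None},
}

# The pattern as it would read with unescaped dots: "." matches any character.
UNESCAPED_EMAIL_PATTERN = r"@(uni-oldenburg.de|uol.de)$"


def validate_submission(fields: dict) -> dict:
    """Check a submitted form against RULES and return {field: error}.

    An empty dict means the submission passed. Values are stripped of
    surrounding whitespace first. re.search is used rather than
    re.fullmatch on purpose: the email pattern is only end-anchored ($),
    so the part before the "@" may be anything.
    """
    errors = {}
    for name, rule in RULES.items():
        value = (fields.get(name) or "").strip()
        if not value:
            if rule["required"]:
                errors[name] = "mandatory field is empty"
            continue
        pattern = rule["pattern"]
        if pattern and re.search(pattern, value) is None:
            errors[name] = "value does not match the required pattern"
    return errors


def unescaped_dot_accepts(value: str) -> bool:
    """Show why the dot must be escaped: the unescaped pattern also
    accepts addresses such as "name@uni-oldenburgXde"."""
    return re.search(UNESCAPED_EMAIL_PATTERN, value.strip()) is not None


if __name__ == "__main__":
    # Constructed sample submissions.
    print(validate_submission({"postcode": "26111", "email": "max@uol.de"}))
    print(validate_submission({"postcode": "2611", "email": "max@gmail.com"}))
    print(unescaped_dot_accepts("max@uni-oldenburgXde"))
```

Because the email pattern only checks the end of the value, it should be combined with the regular email validation of the field; the regex alone does not verify that the value is a well-formed address.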
Option 4: Double opt-in
"Double opt-in" can be activated in the Powermail content element. This means that after a form has been completed, a confirmation email is sent first. Only when the confirmation link in the email is clicked is the form sent in full.
Misuse by spam bots can also lead to an increased volume of confirmation emails, so this method is not recommended (as the only solution) for spam protection, but can be used in combination with a spam protection method. As we now always use "Friendly Captcha" (except in exceptional cases on intranet pages), this method can be used, and is particularly helpful for checking whether the email address entered is valid.
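To make the double opt-in exchange concrete, here is an added model of the flow (example code, not Powermail's implementation): a submission is parked under a random token, a confirmation mail carrying that token is sent, and the form counts as submitted only when the token is presented back, once, within its validity period. The one-day validity, the mail-sending callback and the sample addresses are assumptions of this example. The last function reproduces the risk described above: bot submissions generate confirmation mails even though none of them is ever completed.

```python
import secrets
import time

# Assumption for this example: a confirmation link is valid for one day.
TOKEN_TTL_SECONDS = 24 * 3600


class DoubleOptIn:
    """Minimal double opt-in flow: submit -> confirmation mail -> confirm."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail  # callable(to_address, token) delivers the link
        self.now = now              # injectable clock, so expiry can be tested
        self.pending = {}           # token -> (submission, created_at)
        self.confirmed = []         # submissions that completed the second step

    def submit(self, submission: dict) -> str:
        """First step: park the submission and mail a confirmation token."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self.pending[token] = (submission, self.now())
        self.send_mail(submission["email"], token)
        return token

    def confirm(self, token: str) -> bool:
        """Second step: accept the submission if the token is known and fresh."""
        entry = self.pending.pop(token, None)  # pop: a token works only once
        if entry is None:
            return False
        submission, created_at = entry
        if self.now() - created_at > TOKEN_TTL_SECONDS:
            return False  # expired links are discarded, not completed
        self.confirmed.append(submission)
        return True

    def purge_expired(self) -> int:
        """Drop pending entries whose link can no longer be used."""
        cutoff = self.now() - TOKEN_TTL_SECONDS
        stale = [t for t, (_, created) in self.pending.items() if created < cutoff]
        for token in stale:
            del self.pending[token]
        return len(stale)


def simulate_bot_flood(n: int) -> tuple:
    """Model the risk the page describes: n bot submissions cause n
    confirmation mails (to addresses the bot chose) but zero completed
    forms, because nobody clicks the links."""
    mails = []
    flow = DoubleOptIn(lambda to, token: mails.append(to))
    for i in range(n):
        flow.submit({"email": f"addr{i}@example.org", "name": "bot"})  # constructed
    return len(mails), len(flow.confirmed)


if __name__ == "__main__":
    sent = []
    flow = DoubleOptIn(lambda to, token: sent.append((to, token)))
    token = flow.submit({"email": "max@uol.de", "name": "Max"})  # constructed
    print("confirmed:", flow.confirm(token), "mails sent:", len(sent))
    print("bot flood (mails, completed):", simulate_bot_flood(50))
```

The model shows why double opt-in verifies the address but does not stop bots on its own: every submission costs one outgoing mail before any check has happened, which is exactly the volume problem the captcha in front of the form is there to prevent.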