HTML Forum

This 52 message thread spans 2 pages (this is page 2).
Frustrated with Spambots Coming In through Webmail Forms
hermosa




msg:3720389
 4:00 pm on Aug 11, 2008 (gmt 0)

The problem seems to be getting worse. I have set up at least 20 filters, changed the e-mail address and still they come day after day. It seems that they are getting more aggressive the more I filter them out. Am I imagining it?

I have read about options to Matt's Script Archive, nms or something like that, but it's WAY too complicated. Perhaps something simpler could be suggested. I just don't understand it. It says something about .php. I haven't got a clue how to do that. Do I have to create a file ending in .php? How do I set that up?

 

Small Website Guy




msg:3726655
 10:18 pm on Aug 19, 2008 (gmt 0)

Wow, so many brilliant ideas here. Luckily, I don't get much spam for some reason.

johnnie




msg:3726680
 11:38 pm on Aug 19, 2008 (gmt 0)

Check if the referrer is your domain. If not, then it's a bot randomly filling out your form from a database. Also, captcha still seems to work for me. Another option would be a basic image recognition ("is this a cat or a dog?") or solving a simple mathematics equation ("3 plus four =...?"). It's not user-friendly heaven, but I guess we are more and more being forced into this corner.

Rosalind




msg:3726941
 8:57 am on Aug 20, 2008 (gmt 0)

I'm one of those humans who sends a blank referrer, so this isn't the most ideal solution. But it's also one I notice implemented more and more frequently. Not everyone will know how to deal with this, if it's their security package altering the referrer.

Trav




msg:3727237
 3:10 pm on Aug 20, 2008 (gmt 0)

this is a fine point, but the referrer is relatively easy to spoof anyway. I do have a referrer validation in my forms, but mostly as a vestige of olden days.

markd




msg:3727904
 7:45 am on Aug 21, 2008 (gmt 0)

Sorry to be so 'green', but why do spam bots fill in forms and email junk to everyone?

Is it just malicious or are there other reasons?

slef




msg:3727912
 8:07 am on Aug 21, 2008 (gmt 0)

Spam bots email junk to everyone because it's cheaper to email everyone than to try to select people who would be interested in their product. Filling out web forms is often so cheap that a tiny response rate (yes, there are idiots who respond to web form spam) makes it profitable for the spammer. Also, sometimes web form submissions get posted on a website (ye olde guestbookes) giving the spammer search engine benefits as well as possible later responses.

So, make your web forms a little more expensive (multi-step forms, time delays and so on) but not so expensive that they annoy legitimate users (CAPTCHAs, JavaScripts).

penders




msg:3727915
 8:21 am on Aug 21, 2008 (gmt 0)

"Is it just malicious or are there other reasons?"

As slef states above. But I also get quite a bit of pure 'junk'. No attempt to advertise or even attract web traffic - so I can only conclude from that that they also do it just because they can?!

Seb7




msg:3734224
 10:26 am on Aug 29, 2008 (gmt 0)

hermosa, looking at your code, most bots won't be running your Javascript, thus completely bypassing it.

If you're having lots of spam trouble I personally would remove most of the form from the HTML and create and process your form using only Javascript like Lord Majestic suggests.

You can submit the form using things like Text.submit()

slef




msg:3734282
 12:55 pm on Aug 29, 2008 (gmt 0)

People use things like NoScript.net for security, speed or energy efficiency. Making your whole form require Javascript is stupid and should not be done. However, if you do do it, at least display some "this form doesn't work without javascript" message so all users know you're only open to slow, insecure, energy-wasting browsers ;-)

hermosa




msg:3744904
 8:51 am on Sep 15, 2008 (gmt 0)

A technician at my web hosting service spent a lot of time with me and helped me set this up. It seems to be working. By posting the following code to your .htaccess file you can ban certain domains and IP addresses from going anywhere near your site and sending you spam through your forms.

Here is the code:

# Denies the following IP Address(es)
deny from ###.###.###.#
deny from specificdomain.com

I just used the # sign in place of actual numbers.

I identified a whole bunch of IP addresses from my Log Manager. It was easy to do as I had left my original page with the form on my site and had it only link to itself. No other page on the site linked to it. Anything that shows up posting to that page is spam. To double check though, I matched the time the spam e-mail was sent with the log entry and got the IP address. I got the rest of the IP addresses from:

[stopforumspam.com...]

All the usual offenders are listed there. Let's keep our fingers crossed and hope that this works. Anyone else have success with this? Do you think it will work long term? I am finally getting my designer to re-design my site templates and one of the things he will be doing is implementing some of the other suggestions here since I know nothing about .php.

slef




msg:3744925
 10:24 am on Sep 15, 2008 (gmt 0)

No, banning domains and IPs isn't a long-term solution: spammers move and use botnets and things like that. That said, banning some of the worst offenders is a good idea. Warning then temporarily banning anyone who actually tries to spam your site is a good move, but trickier. Both reduce the amount of anti-spam work you do.

penders




msg:3744927
 10:32 am on Sep 15, 2008 (gmt 0)

By using a massive list of known bad IPs / domains you might be reasonably successful, although this may depend on how much traffic you get through your site.

However, I would have thought that blocking certain IPs was just the first step, because of the sheer number of IPs spammers use. To manually block IPs when they are found to be spamming could be a very time consuming and possibly fruitless exercise.

You could automate the blocking of IPs... When your robot checks fail on your form (maybe twice to be safe?) then automatically add the IP to your .htaccess?

(EDIT: I didn't see slef's reply)
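
One way to automate the ban after repeated failed robot checks, with the bans expiring as slef suggests (an added example, not code posted by anyone in this thread). The class name `BanList`, the one-hour counting window and the one-day ban length are assumptions; the address is validated before it is written so that a client-supplied string can never add its own directives to .htaccess.

```python
import ipaddress
import time

FAIL_LIMIT = 2        # "maybe twice to be safe"
FAIL_WINDOW = 3600    # assumed: failures are counted within one hour
BAN_SECONDS = 86400   # assumed: a ban expires after one day


class BanList:
    """Tracks failed robot checks per IP and renders temporary deny lines."""

    def __init__(self):
        self.failures = {}  # ip -> timestamps of recent failed checks
        self.banned = {}    # ip -> time at which the ban expires

    def record_failure(self, ip, now=None):
        """Count one failed check; return True if the IP is now banned."""
        now = time.time() if now is None else now
        # Raises ValueError for anything that is not a plain IP literal.
        ip = str(ipaddress.ip_address(ip))
        recent = [t for t in self.failures.get(ip, []) if now - t < FAIL_WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= FAIL_LIMIT:
            self.banned[ip] = now + BAN_SECONDS
            return True
        return False

    def active(self, now=None):
        """Drop expired bans and return the addresses still banned."""
        now = time.time() if now is None else now
        self.banned = {ip: exp for ip, exp in self.banned.items() if exp > now}
        return sorted(self.banned)

    def htaccess_block(self, now=None):
        """Text for a marked section of .htaccess, regenerated on each change."""
        lines = ["# BEGIN auto-ban (generated)"]
        lines += [f"deny from {ip}" for ip in self.active(now)]
        lines.append("# END auto-ban")
        return "\n".join(lines) + "\n"
```

Regenerating only the marked section keeps hand-written rules intact, and expired entries disappear the next time the section is written.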

penders




msg:3745051
 3:09 pm on Sep 15, 2008 (gmt 0)

"I got the rest of the IP addresses from: ....."

Just as a for instance... I've just had an example of form spam come through one of my sites. It got through my robot checks (CSS hidden field check and check to make sure the form was completed in more than a few secs). It got stopped by my offensive language filter. But the IP address was a new one - and it did not appear on the list posted above.

Solution1




msg:3745101
 4:14 pm on Sep 15, 2008 (gmt 0)

If you're using Javascript to out-smart the spambots, this is a way to prevent human visitors who have Javascript disabled from posting:

<body onload="document.frm.go.disabled=false;">

<form name="frm" action="" method="POST">
<input type="submit" name="go" value="Enter" disabled>
</form>

</body>

hermosa




msg:3745315
 10:17 pm on Sep 15, 2008 (gmt 0)

I like penders' suggestion about automating the addition of a file to .htaccess. I will have my designer look into it. I work with templates he designs and I maintain and update the whole site.

kiwibrit




msg:3747039
 12:54 pm on Sep 18, 2008 (gmt 0)

"Another similar approach uses external css to HIDE an unneeded form input. Anytime that box is filled in, it's a spambot so you just throw the submission out"

Not so hot for someone using JAWS (or similar) I would imagine. Presumably they would see their form unceremoniously rejected, too.

penders




msg:3747080
 1:42 pm on Sep 18, 2008 (gmt 0)

"Not so hot for someone using JAWS (or similar) I would imagine. Presumably they would see their form unceremoniously rejected, too."

I have heard that JAWS understands CSS these days - is that true? But even so, the 'hidden' field should have an appropriate label, "(Do not complete this field)" for the benefit of any real user that should happen to see the field (if CSS is disabled or whatever).

Trav




msg:3747171
 3:08 pm on Sep 18, 2008 (gmt 0)

@penders: absolutely right... use css to hide the field (and label), but make the label something obvious like "If you're a human being, do not enter anything in this field."

the bots still haven't caught on to this one...

penders




msg:3747829
 12:25 pm on Sep 19, 2008 (gmt 0)

"tedster: Another similar approach uses external css to HIDE an unneeded form input. Anytime that box is filled in, it's a spambot so you just throw the submission out."

penders: Yes, I have used this approach too - very effective. However, I have recently encountered a problem which meant that a legitimate message got flagged as spam! ... I think some kind of auto-complete feature of the user's browser (Google Toolbar or other plugin perhaps?) was auto filling the field and it was being sent with everything else - without the user knowing!?

I don't normally quote myself, but this has happened to me again! The hidden (by CSS) form field has been submitted with the user's email address this time! The email address has also been entered correctly in the appropriate email address field - so this is duplicate info! I very much doubt that even if the user was able to 'see' the field, they would enter their email address twice, particularly when one of them states, "Do not enter anything here!"?!

This is a relatively low traffic site, so the percentage of legitimate form submissions that are failing because of this hidden CSS field is surprisingly high! A tad worrying.

The user's UA includes "FunWebProducts". Ring any bells?

Does anyone know of any browser plugins / extensions / toolbars which could auto-complete form fields in this way? Normal auto-complete only offers suggestions when you start typing in that field.
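
The two robot checks penders describes (CSS-hidden field, minimum completion time) as server-side logic, arranged so that the autofill case reported above is held for a human to look at rather than thrown out. This is an added example, not code from the thread. The field name `website`, the thresholds and the secret are assumptions; the render time is signed so a bot cannot simply submit an older timestamp of its own.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-key"  # constructed placeholder
MIN_SECONDS = 5       # assumed threshold for "more than a few secs"
MAX_SECONDS = 3600    # assumed: a rendered form goes stale after an hour
HONEYPOT = "website"  # hypothetical name of the CSS-hidden input


def issue_token(now=None):
    """Value for a hidden input, generated when the form page is rendered."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def classify(form, now=None):
    """Return 'accept', 'review' or 'reject' for a dict of submitted fields."""
    now = time.time() if now is None else now
    ts, _, sig = form.get("token", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), expected.encode()):
        return "reject"  # token missing, or timestamp altered by the client
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS or elapsed > MAX_SECONDS:
        return "reject"  # completed too quickly, or an old form replayed
    if form.get(HONEYPOT, "").strip():
        # Hidden field has content: usually a bot, but a toolbar autofill
        # can do the same, so queue the message instead of deleting it.
        return "review"
    return "accept"
```

Messages classified as `review` can go to a separate mailbox or folder, which keeps the inbox clean without silently losing a real enquiry.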

cazgh




msg:3747880
 1:49 pm on Sep 19, 2008 (gmt 0)

With regard to the Jaws queries - why not download the free trial version and have a listen to what your website sounds like - it's good practice anyway to improve usability of any website.

drkrueger




msg:3747976
 3:38 pm on Sep 19, 2008 (gmt 0)

Penders, could the hidden field be prepopulated with a value that, if changed, indicates a bot?

penders




msg:3748022
 4:28 pm on Sep 19, 2008 (gmt 0)

"Penders, could the hidden field be prepopulated with a value that, if changed, indicates a bot?"

Yeah, I was wondering that... but do robots change values in already populated fields (or only when the field is empty)? If I was a robot I don't think I would bother... I would assume the value already there was valid. (?)


All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved