
Webmaster General Forum

    
Bogus web form postings?!
Annoying posts require constant cleaning
deanjg
msg:3717974 - 9:12 pm on Aug 7, 2008 (gmt 0)

We have a typical "Contact Us" web form on our site that has several fields for customers to fill in when they want to contact us. We have been bombarded for months now with bogus postings in this form, sometimes 10-15 per day.

Is there a robot somewhere that posts these? Has anyone else had this trouble? What possible benefit does the poster hope for by doing this? How can we stop it?

We have to continually remove the bogus records from our database and that take time each day. What a waste. Any comments?

Thanks.

[edited by: phranque at 10:58 pm (utc) on Aug. 7, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]

 

Lord Majestic
msg:3717987 - 9:19 pm on Aug 7, 2008 (gmt 0)

Most certainly bots do it. An easy way to beat them is to use JavaScript that would have to execute to create some extra part of the HTML form that you check for in your scripts - if it's not set then you reject the posting (perhaps mail the customer back with an explanation). Just make sure you don't make that HTML in JavaScript obvious - split it into a few strings so that the bots' parser won't find it easily.

I had the same situation with our forum until I added this JS protection - cut down spam to 0%.

pinterface
msg:3718067 - 10:57 pm on Aug 7, 2008 (gmt 0)

Never, ever, under any circumstances should submitting a form require JavaScript (or cookies). Blocking humans is very frustrating for the human (especially if you don't mention the cookie/scripting requirement).

Rather than repeat things which have already been said, I'll just point you to this recent thread [webmasterworld.com] which discusses the same problem.

Okay, I will repeat, because the first half of rocknbil's advice is pretty good:

  1. Log -- Log every single submit to a form. You'll start to notice patterns in how spammers send data.
  2. Clean -- You know your data better than the average spambot. Pick what you're willing to accept, and reject everything else. (Not many humans are going to put multiple lines into a single-line text field, for instance.)

I've found merely changing field names to be highly effective, but there are plenty of other options available.
<form-post remote-addr='...' junk='yes' date='2008.08.07 ...'>
<name><![CDATA[FOKsLtyPvGIb]]></name>
<email><![CDATA[SMMYZypqeRNGUl]]></email>
...
</form-post>
<form-post remote-addr='...' junk='yes' date='2008.08.07...'>
<name><![CDATA[RVCZsGDp]]></name>
<email><![CDATA[okYFFFJqh]]></email>
...
</form-post>
<form-post remote-addr='...' junk='yes' date='2008.08.07...'>
<name><![CDATA[ZwaODioA]]></name>
<email><![CDATA[bVrZbnls]]></email>
</form-post>
Confused bots ahoy!
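Added example, not pinterface's code: a small parser for the form-post log format above, run over a constructed log (addresses and values are made up, and the records are wrapped in an assumed `<log>` root so they parse as one document), plus a crude "random-looking name" heuristic of the kind that surfaces once every submit is logged as item 1 suggests.

```python
import xml.etree.ElementTree as ET

# Constructed log in the shape of the excerpt above (addresses and values
# are made up). The 'junk' attribute is whatever the form processor already
# decided; the heuristic below is an independent second opinion on the name.
LOG = """<log>
<form-post remote-addr='203.0.113.5' junk='yes' date='2008.08.07 21:01'>
<name><![CDATA[FOKsLtyPvGIb]]></name>
<email><![CDATA[SMMYZypqeRNGUl]]></email>
</form-post>
<form-post remote-addr='198.51.100.9' junk='no' date='2008.08.07 21:15'>
<name><![CDATA[Jane Smith]]></name>
<email><![CDATA[jane@example.com]]></email>
</form-post>
<form-post remote-addr='203.0.113.5' junk='yes' date='2008.08.07 21:20'>
<name><![CDATA[RVCZsGDp]]></name>
<email><![CDATA[okYFFFJqh]]></email>
</form-post>
</log>"""

def parse_posts(xml_text):
    """Return one dict per <form-post> record (CDATA is unwrapped by the parser)."""
    root = ET.fromstring(xml_text)
    return [{"addr": p.get("remote-addr"), "date": p.get("date"),
             "name": p.findtext("name", ""), "email": p.findtext("email", "")}
            for p in root.iter("form-post")]

def looks_random(s):
    """Crude 'keyboard mash' test: frequent upper/lower flips between adjacent
    letters, or almost no vowels. Good enough to surface a pattern, not a verdict."""
    pairs = [(a, b) for a, b in zip(s, s[1:]) if a.isalpha() and b.isalpha()]
    flips = sum(1 for a, b in pairs if a.isupper() != b.isupper())
    vowels = sum(c in "aeiouAEIOU" for c in s)
    return flips >= 3 or (len(s) >= 6 and vowels / len(s) < 0.2)

def classify(posts):
    """Label each record 'junk' or 'ok' from its name and email fields."""
    out = []
    for p in posts:
        junk = looks_random(p["name"]) or "@" not in p["email"]
        out.append((p["addr"], p["name"], "junk" if junk else "ok"))
    return out

def repeat_offenders(posts):
    """Addresses with more than one junk-classified post: the sort of pattern
    you only notice once everything is logged."""
    counts = {}
    for addr, _name, verdict in classify(posts):
        if verdict == "junk":
            counts[addr] = counts.get(addr, 0) + 1
    return {a: n for a, n in counts.items() if n > 1}
```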

Lord Majestic
msg:3718734 - 6:16 pm on Aug 8, 2008 (gmt 0)

Never, ever, under any circumstances should submitting a form require JavaScript (or cookies).

You can always mention in some plain text that JavaScript should be enabled to submit this form - I use it on our forum and it works fine in 99% of cases; very rarely someone without JavaScript enabled will be blocked (they get a message to contact us). 100% of spammer bots were blocked, it's well worth it in my view.

The Contractor
msg:3718767 - 6:53 pm on Aug 8, 2008 (gmt 0)

You can always mention in some plain text that JavaScript should be enabled to submit this form - I use it on our forum and it works fine in 99% of cases; very rarely someone without JavaScript enabled will be blocked (they get a message to contact us). 100% of spammer bots were blocked, it's well worth it in my view.

Completely agree. If the user doesn't have JavaScript enabled...they already know their limits on the web and will not be surprised at all about finding "You must enable JavaScript to use this form". JavaScript encoding works very well at blocking bots.

Lord Majestic
msg:3718780 - 7:09 pm on Aug 8, 2008 (gmt 0)

they already know their limits on the web

I use the NoScript plug-in for my Firefox - by default it disables JavaScript and other things for all sites unless I enable it explicitly - I know that it brings limits in some cases and if the site is worth it I will enable it; it seems like reasonable behavior.

rocknbil
msg:3718803 - 7:42 pm on Aug 8, 2008 (gmt 0)

Is there a robot somewhere that posts these?

Thousands. Millions. Billions? And every one of them will be a ghost to chase by IP, they are most likely all working from compromised computers/servers.

Has anyone else had this trouble? ... How can we stop it?

Since forms started accepting input. :-)

Recent discussion [webmasterworld.com]
Older, with more discussion/solutions [webmasterworld.com]

What possible benefit does the poster hope for by doing this?

The spam philosophy relies on two things: 1. It costs nothing, so we'll never stop. 2. If we get 1 sale/lead and p*** off a million others, we don't care about the million - only the one. I always visualize spammers as #*$!ly faced teens brimming with angst, to which p***ing people off is a bonus . . . . but that's just me. :-)

From what I can see, the most common goal of these spammers is LINKS. They get paid on delivery. It starts like this:

From: dsfsfsdf@fdgsadfsa.ru
To: your_email@yourdomain.com
Subject: sdafsdfs
Message: ssdf sdfsdf

They're just feeling you up, figuring out required fields, etc. When it really gets going, these messages will (almost) always contain links. There should be no valid reason for users to enter a link into a form (and if this is your case, you have to take another approach.) So filter the links, you will filter a good portion of the spam.

There is another attack that doesn't involve links at all, but is catered to a really sloppy form processor that doesn't adequately filter data. A normal mail header does something like you see above. But what if I could do this?

$from = "dsfsfsdf@fdgsadfsa.ru\nBCC:once@aol.com,two@aol.com,three@aol.com . . . "

Note the newline. Also instead of three emails to AOL, imagine 1000.

"But wait. My form doesn't have a BCC field." Well, they just created one. Using the example above, you get this:

From: dsfsfsdf@fdgsadfsa.ru
BCC:once@aol.com,two@aol.com,three@aol.com . . .
To: your_email@yourdomain.com
Subject: sdafsdfs
Message: ssdf sdfsdf

So you get one email. AOL gets 1000, and they keep using you until you get blacklisted. The same approach applies to sending a multipart message in the input, and many other hacks. A BIG one to watch out for, since you mentioned database: if your email form enters data into a database and they discover that it does, they can submit data that abuses your database fields:

SQL injection discussion [webmasterworld.com]

I know you're probably looking for a one-off easy solution. That solution is only this: remove the form and form processor. Otherwise you have to learn a little bit about what they are doing and how they are doing it. The two links above present many approaches by many members here; consider and implement as many as you can without presenting additional challenges to legitimate users.

I've found merely changing field names to be highly effective

Every time I've tried this, they get back up to speed within a few days. :-( Never worked for me.

[edited by: phranque at 11:02 pm (utc) on Aug. 8, 2008]
[edit reason] disabled smileys ;) [/edit]
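Added example, not rocknbil's code: the header injection he describes, shown as a naive Python mail builder next to a hardened validate() that rejects line breaks in single-line fields (pinterface's "multiple lines into a single-line text field" rule), malformed addresses and links in the message. The submissions are constructed, and `your_email@yourdomain.com` is the placeholder from the post.

```python
import re

# Constructed submissions (made up, not from the thread). The second reuses
# the newline trick described above; the third carries a link in the body.
SUBMISSIONS = [
    {"from": "alice@example.com", "subject": "Quote request",
     "message": "Please call me about pricing."},
    {"from": "dsfsfsdf@fdgsadfsa.ru\nBCC:once@aol.com,two@aol.com",
     "subject": "sdafsdfs", "message": "ssdf sdfsdf"},
    {"from": "bob@example.com", "subject": "hi",
     "message": "see www.example.net for details"},
]

LINE_BREAK = re.compile(r"[\r\n]")
ADDRESS = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")
LINK = re.compile(r"https?://|www\.", re.IGNORECASE)
TO_ADDR = "your_email@yourdomain.com"   # placeholder from the post above

def build_mail_naive(sub):
    """The sloppy processor: field values are pasted straight into the header
    block, so a newline inside 'from' starts a new header line (BCC:, here)."""
    return "From: %s\nTo: %s\nSubject: %s\n\n%s" % (
        sub["from"], TO_ADDR, sub["subject"], sub["message"])

def validate(sub):
    """Return the reasons a submission is rejected (empty list = accept)."""
    reasons = []
    for field in ("from", "subject"):           # single-line fields
        if LINE_BREAK.search(sub.get(field, "")):
            reasons.append("line break in single-line field " + field)
    if not ADDRESS.fullmatch(sub.get("from", "")):
        reasons.append("malformed from address")
    if LINK.search(sub.get("message", "")):
        reasons.append("link in message")
    return reasons

def build_mail_safe(sub):
    """Hardened processor: same output, but only for submissions that pass."""
    reasons = validate(sub)
    if reasons:
        raise ValueError("; ".join(reasons))
    return build_mail_naive(sub)

def header_block(mail):
    """Header lines of a built message, to show what the naive version emits."""
    return mail.split("\n\n", 1)[0].split("\n")
```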

pinterface
msg:3718840 - 8:24 pm on Aug 8, 2008 (gmt 0)

You can always mention in some plain text that JavaScript should be enabled to submit this form

While I'm sure everyone here would include such a note, it's amazing how many websites do not. But yes, if you're going to require JavaScript, mentioning as such is very much appreciated.


I've found merely changing field names to be highly effective

Every time I've tried this, they get back up to speed within a few days. :-( Never worked for me.

I have the good fortune of having smaller sites which don't get bots written specifically for them, so simple techniques work wonders. The technique wouldn't work well for a bigger site like YouTube.

(In my case, the field name change isn't a one-time thing: the field names get randomly chosen on page generation (plus a hidden field which provides a cryptographically-signed mapping from junk name to real name). I can think of several ways to defeat it--one of which doesn't require knowing the field names at all--but you'd have to target my sites specifically, which thankfully nobody has bothered to do.)

deanjg, listen to rocknbil. He's providing you with a wealth of very useful information. :)
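Added example of the per-render scheme pinterface describes in the paragraph above, written here in Python and not his code: junk field names are chosen at random on each page render, the junk-to-real mapping is HMAC-signed into a hidden field (assumed to be called `_map`), and on submit the token is verified before the names are translated back. The server secret is a constructed placeholder.

```python
import base64, hashlib, hmac, json, secrets

# Constructed secret for the example; a real deployment loads it from config.
SECRET = b"constructed-example-secret"
REAL_FIELDS = ("name", "email", "message")
TOKEN_FIELD = "_map"   # assumed name of the hidden field carrying the mapping

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def render_mapping():
    """Per page render: pick random junk names for the inputs and return the
    junk->real mapping plus the signed token to embed in the hidden field."""
    mapping = {secrets.token_hex(6): real for real in REAL_FIELDS}
    payload = json.dumps(mapping, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return mapping, token

def decode_submission(form):
    """Verify the token and translate junk names back to real names.
    Returns None for a missing or tampered token, or when the submitted field
    set does not match the mapping (e.g. a post that uses the real names)."""
    token = form.get(TOKEN_FIELD, "")
    if "." not in token:
        return None
    b64, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:          # binascii.Error is a ValueError
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    mapping = json.loads(payload)   # only parsed after the signature checks out
    submitted = {k for k in form if k != TOKEN_FIELD}
    if submitted != set(mapping):
        return None
    return {mapping[k]: form[k] for k in submitted}
```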

rogoff
msg:3722793 - 8:59 am on Aug 14, 2008 (gmt 0)

If you're using PHP, there is a very effective method of stopping form spam that I posted here:
[webmasterworld.com...]
