Welcome to WebmasterWorld, KTFandC!
Have you considered implementing some form of CAPTCHA?
Depending on your situation it could be as simple as having a form field that asks "what is 3 plus 2?" or "what color is the sky?"
The techniques can get increasingly sophisticated from there as required.
However, there are many who hate CAPTCHA, and it can have accessibility issues.
CAPTCHA Rant - New To Web Development forum:
You might also consider alternatives to CAPTCHA.
This might give you some ideas.
Spam filtering: now with 100% less CAPTCHA - Webmaster General forum:
If it's the same IP (but I doubt it), you could also ban their IP.
I use a simple question for a Captcha and it is very effective without creating many accessibility issues.
Thank you for your help guys.
I tried adding another field to the form with the question "What is 5 + 2?" but when I tested it on a single page the form was submitted regardless of the answer filled in.
Is this because I also need to edit the .CSS as well as the individual page HTML?
You need to add validation to the form field.
I think I am having a complete mind-block or am just making a blinding error. I usually work with Joomla or WordPress so I am a bit rusty on the Static HTML site I am tweaking.
Basically the Contact Form is as follows:
<div class="quick-section-head-txt"><img src="images/quick-contact.jpg" alt="Quick Contact" title="Quick Contact" /></div>
<div class="small-error">all fields required</div>
<form action="thankyou.aspx" method="post" name="form1" id="form1">
<div class="contact-form-box"> <span>Name:</span>
<input id="name" class="input" type="text" name="name" />
<div class="contact-form-box"> <span>Email:</span>
<input id="email" class="input" type="text" name="email" />
<div class="contact-form-box"> <span>Phone:</span>
<input id="phone" class="input" type="text" name="phone" />
<textarea id="feedback" class="message" cols="" rows="" name="feedback"></textarea>
I added the following underneath "Phone"
<div class="contact-form-box"> <span>5 + 2 = ?:</span>
<input id="question" class="input" type="text" name="question" />
This shows up correctly on the form, however the box can remain blank and you can still submit. All other boxes require content otherwise a pop-up tells you to fill the form in.
How do I set it so that the form will only submit IF the content in the question box is a specific number?
Thank you for your help, appreciated.
As the bots typically fill all fields I did once consider having a field with the label "do not enter anything in this field" but considering typical user behaviour I thought that wasn't a good idea.
I have two forms on one of my sites. One dates back to my early days with "free" hosting that didn't support PHP and uses a third party service; the other uses a PHP script on my server. The third party service doesn't let through any spam, but my own script gets one or two a week. The spammers' scripts generally drop the same text into multiple fields, so I have filters to catch the most regular combinations. It's not enough to warrant inconveniencing customers with a captcha.
|This shows up correctly on the form, however the box can remain blank and you can still submit. All other boxes require content otherwise a pop-up tells you to fill the form in. |
Static HTML is about as smart as a box of rocks.
Add a hidden input box and automatically ban anyone adding text into it. Humans will never see it but bots will occasionally step into it. Give it a nice juicy name too, such as 'web url', or give it the name of one of your real input boxes and give the real one a false name and adjust the script to only accept the false named box content. That way you get the bots which target specific contact form types too.
With my forms I have two protection methods:
The first is an ".htaccess" file that ensures that nobody can access the form unless they access it directly from a page in the same domain (i.e., the browser has to present a specific referer). Sure it may keep the odd real user out whose browser is set to not send a referer, but I have decided that I can live with that.
The second is a URL trap and a note in large letters to the effect that users should not post any URLs, since messages containing URLs will not be delivered.
Result: No spam coming in. :)
And the log files tell me that no real users are being turned away...
@OP - is the original stuff link spam or is it attempted SQL injection? The poison null looks deceptively innocent..
I've been running one of the firewall extensions for Joomla. That seems to stop a lot of the SQL injection attempts on the forms. They now have a 'basic' setting that reduces false positives but still stops a lot of the garbage.
I use a combination of methods that are doing a great job:
- My form doesn't include email addresses, just the fields; the script sends the data to the corresponding email.
- The script receiving the form data validates a referrer. It won't accept any submissions if the user is not coming from another valid website page.
- The submitted data is checked against a set of hot words like you know what, including url, link, etc.
- Perhaps the most important part of my approach is: the script will always show you the "thank you" page even if you submitted spam. There are no errors reported, it will just let users or bots think the data was sent while it simply was ignored. So, any valid submission will turn into a valid email but that's just between me and the webserver.
I'm also using cookie tracking to find out what pages the user has been visiting before sending the data. Perhaps in the future I will look into more validation using this, but so far what I described keeps my inbox very, very clean.
There is something else: when you run dynamic pages or server side includes, you could get a time stamp directly from your server and verify it against another time stamp when the data is sent. Any normal form data will take about X seconds before being sent; otherwise it's just copy-paste or a bot. But that's going too far, perhaps.
Add a hidden input box and automatically ban anyone adding text into it.
Tried that, the bots were clever enough to see that it was hidden and ignored it.
|Add a hidden input box and automatically ban anyone adding text into it. |
|Tried that, the bots were clever enough to see that it was hidden and ignored it. |
How did you do that? <input type="hidden"> or enclose the box in a <div style="display: none;"> The latter works better.
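An added example (not code from any poster in this thread) of the honeypot as described in the two posts above: the decoys sit in a `display: none` wrapper rather than being `type="hidden"`, one of them carries the "juicy" name `website`, the other steals the real field name `email`, and the real email and message boxes are posted under bland names that only the server knows about. The field names and the `screen` function are assumptions for the example.

```javascript
// Name each box as a bot sees it, with its meaning on the server side.
// Decoys: one juicy name, one that a targeted bot expects to be real.
// Real fields: bland names; their true role is recorded after "real:".
const FIELDS = {
  email:        'decoy',
  website:      'decoy',
  contact_addr: 'real:email',
  msg_body:     'real:feedback',
};

// Markup for the fields. The decoy wrapper is hidden by CSS, not type="hidden".
// aria-hidden, tabindex=-1 and autocomplete=off keep screen readers, keyboard
// users and browser autofill (which likes a box called "email") out of it.
function renderFields() {
  return [
    '<div style="display:none" aria-hidden="true">',
    '  <label>Leave this blank <input type="text" name="email" tabindex="-1" autocomplete="off"></label>',
    '  <label>Leave this blank <input type="text" name="website" tabindex="-1" autocomplete="off"></label>',
    '</div>',
    '<label>Email: <input type="text" name="contact_addr"></label>',
    '<label>Message: <textarea name="msg_body"></textarea></label>',
  ].join('\n');
}

// Screen a POST body. Any text in a decoy rejects the submission; otherwise
// the real fields are returned under their meaningful names. A submission
// that puts the message under "email" (a bot that targets the usual field
// names) has filled a decoy and is rejected too.
function screen(post) {
  const fields = {};
  for (const [name, role] of Object.entries(FIELDS)) {
    const value = post[name] === undefined || post[name] === null ? '' : String(post[name]);
    if (role === 'decoy') {
      if (value.trim() !== '') return { ok: false, reason: `decoy "${name}" filled` };
    } else {
      fields[role.slice('real:'.length)] = value;
    }
  }
  return { ok: true, fields };
}

module.exports = { FIELDS, renderFields, screen };
```

A bot that parses the CSS, as the earlier poster found, will still skip the hidden div; it is the swapped names that catch a bot scripted against the usual `email` and `feedback` fields. Log the rejections for a while before banning on them, so that autofill false positives show up in your logs rather than as lost customers.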
Still receiving high volumes of spam. The thing that is frustrating is that these "entities" are not even entering the site. For instance, a form was submitted on August 26th at 00:17, 03:37 and 07:05. When I checked the website stats/analysis there were 0 visitors to the site between 00:00 and 11:00, so I can't even see where they are coming from.
You can try checking the referrer. If it isn't a page from your site, or it's blank, then block access. That way only visitors to your site will be able to use it; no one will be able to visit the URL directly.
I posted my script for a contact form a few years ago, with a load of spam-stopping things in it, and I'm still using it okay. No spam.
you can check it out on this thread. maybe you can fiddle with it and use it as a basis for your own form -- [webmasterworld.com ]