Msg#: 3715752 posted 3:18 pm on Aug 5, 2008 (gmt 0)
I'm looking for a solution, hopefully fairly simple, to preventing contact form spam attacks. Contact forms are processed by PHP handler page. They don't get the email address, but they can still attack/submit the form.
I'll have to apply the solution to many sites, which is why I'm hoping to find something simple.
Msg#: 3715752 posted 9:21 pm on Aug 5, 2008 (gmt 0)
The easiest thing to do is change the names of the form variables. Spambots know what to do with the input fields 'email' or 'message', but they become disoriented and confused for the field 'ska54rjha89fja43'.
The second easiest thing to do is check for URLs. Normal people don't put dozens of web addresses into a form, spambots generally do.
Msg#: 3715752 posted 2:27 pm on Aug 6, 2008 (gmt 0)
I've started creating an extra field on my form, and then hiding it from human view with CSS. The confirm page has a little PHP code at the top such that it exits if there's anything in that hidden field.
That's been surprisingly effective. I'm sure that someone will come up with a way around it eventually, but it's working now.
Msg#: 3715752 posted 5:58 pm on Aug 6, 2008 (gmt 0)
1. Log your data directly from the script. This is the most useful tool in determining exactly what they are trying to do, and stopping it. Server logs don't tell the whole story.
2. Cleanse your data. Accept only character sets [A-Z0-9(and punctuation)]. From there, once you figure out what spammers are trying to do, it's pretty easy to stop them by filtering out their input.
3. Netmeg's hidden field is one approach. Use it. Also set a cookie, on form load, and read the cookie for a matching value on submit.
4. If the above doesn't slow them down or lead you to a way to close the door, some form of challenge/response field will help. You can use a CAPTCHA, but not only are these as hated as pop ups, they are hackable. Some members here use a simple question and answer response: "What is 4 + 7?" "What is the color of blood?"