
Forum Moderators: incrediBILL


Frustrated with Spambots Coming In through Webmail Forms

     
4:00 pm on Aug 11, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 27, 2004
posts:157
votes: 0


The problem seems to be getting worse. I have set up at least 20 filters, changed the e-mail address and still they come day after day. It seems that they are getting more aggressive the more I filter them out. Am I imagining it?

I have read about options to Matt's Script Archive nms or something like that but it's WAY too complicated. Perhaps something simpler could be suggested. I just don't understand it. It says something about .php. I haven't got a clue how to do that. Do I have to create a file ending in .php? How do I set that up?

10:18 pm on Aug 19, 2008 (gmt 0)

Full Member

10+ Year Member

joined:Mar 13, 2003
posts:335
votes: 0


Wow, so many brilliant ideas here. Luckily, I don't get much spam for some reason.
11:38 pm on Aug 19, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 17, 2004
posts:1354
votes: 0


Check if the referrer is your domain. If not, then it's a bot randomly filling out your form from a database. Also, captcha still seems to work for me. Another option would be a basic image recognition ("is this a cat or a dog?") or solving a simple mathematics equation ("3 plus four =...?"). It's not user-friendly heaven, but I guess we are more and more being forced into this corner.
8:57 am on Aug 20, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 16, 2003
posts:992
votes: 0


I'm one of those humans who sends a blank referrer, so this isn't the most ideal solution. But it's also one I notice implemented more and more frequently. Not everyone will know how to deal with this, if it's their security package altering the referrer.
3:10 pm on Aug 20, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 14, 2008
posts:85
votes: 0


this is a fine point, but the referrer is relatively easy to spoof anyway. I do have a referrer validation in my forms, but mostly as a vestige of olden days.
7:45 am on Aug 21, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 8, 2001
posts:665
votes: 0


Sorry to be so 'green', but why do spam bots fill in forms and email junk to everyone?

Is it just malicious or are there other reasons?

8:07 am on Aug 21, 2008 (gmt 0)

New User

5+ Year Member

joined:Oct 10, 2007
posts: 39
votes: 0


Spam bots email junk to everyone because it's cheaper to email everyone than to try to select people who would be interested in their product. Filling out web forms is often so cheap that a tiny response rate (yes, there are idiots who respond to web form spam) makes it profitable for the spammer. Also, sometimes web form submissions get posted on a website (ye olde guestbookes) giving the spammer search engine benefits as well as possible later responses.

So, make your web forms a little more expensive (multi-step forms, time delays and so on) but not so expensive that they annoy legitimate users (CAPTCHAs, JavaScripts).

8:21 am on Aug 21, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


Is it just malicious or are there other reasons?

As slef states above. But I also get quite a bit of pure 'junk'. No attempt to advertise or even attract web traffic - so I can only conclude from that that they also do it just because they can?!

10:26 am on Aug 29, 2008 (gmt 0)

Preferred Member

5+ Year Member

joined:Nov 20, 2007
posts:585
votes: 0


hermosa, looking at your code, most bots won't be running your Javascript thus completely bypassing it.

If you are having lots of spam trouble I personally would remove most of the form from the HTML and create and process your form using only Javascript like Lord Majestic suggests.

You can submit the form using things like Text.submit()

12:55 pm on Aug 29, 2008 (gmt 0)

New User

5+ Year Member

joined:Oct 10, 2007
posts: 39
votes: 0


People use things like NoScript.net for security, speed or energy efficiency. Making your whole form require Javascript is stupid and should not be done. However, if you do do it, at least display some "this form doesn't work without javascript" message so all users know you're only open to slow, insecure, energy-wasting browsers ;-)
8:51 am on Sept 15, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 27, 2004
posts:157
votes: 0


A technician at my web hosting service spent a lot of time with me and helped me set this up. It seems to be working. By posting the following code to your .htaccess file you can ban certain domains and IP addresses from going anywhere near your site and sending you spam through your forms.

Here is the code:

# Denies the following IP Address(es)
deny from ###.###.###.#
deny from specificdomain.com

I just used the # sign in place of actual numbers.

I identified a whole bunch of IP addresses from my Log Manager. It was easy to do as I had left my original page with the form on my site and had it only link to itself. No other page on the site linked to it. Anything that shows up posting to that page is spam. To double check though, I matched the time the spam e-mail was sent with the log entry and got the IP address. I got the rest of the IP addresses from:

[stopforumspam.com...]

All the usual offenders are listed there. Let's keep our fingers crossed and hope that this works. Anyone else have success with this? Do you think it will work long term? I am finally getting my designer to re-design my site templates and one of the things he will be doing is implementing some of the other suggestions here since I know nothing about .php.

10:24 am on Sept 15, 2008 (gmt 0)

New User

5+ Year Member

joined:Oct 10, 2007
posts: 39
votes: 0


No, banning domains and IPs isn't a long-term solution: spammers move and use botnets and things like that. That said, banning some of the worst offenders is a good idea. Warning then temporarily banning anyone who actually tries to spam your site is a good move, but trickier. Both reduce the amount of anti-spam work you do.
10:32 am on Sept 15, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


By using a massive list of known bad IPs / domains you might be reasonably successful, although this may depend on how much traffic you get through your site.

However, I would have thought that blocking certain IPs was just the first step, because of the sheer number of IPs spammers use. To manually block IPs when they are found to be spamming could be a very time consuming and possibly fruitless exercise.

You could automate the blocking of IPs... When your robot checks fail on your form (maybe twice to be safe?) then automatically add the IP to your .htaccess?

(EDIT: I didn't see slef's reply)
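The trap-page approach hermosa describes and the "maybe twice" automation penders suggests can be combined in one log pass. This is an added example, not code from any poster; the trap path, the threshold and the log lines are constructed assumptions:

```python
import ipaddress
import re
from collections import Counter

TRAP_PATH = "/old-contact.html"  # hypothetical: the orphaned form page
THRESHOLD = 2                    # assumed: act on the second hit, not the first

# Constructed sample in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2008:08:51:02 +0000] "POST /old-contact.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Sep/2008:08:51:09 +0000] "POST /old-contact.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Sep/2008:09:02:40 +0000] "POST /old-contact.html HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [15/Sep/2008:09:11:30 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.99 - - [15/Sep/2008:09:12:00 +0000] "GET /old-contact.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
host.example.net - - [15/Sep/2008:09:13:00 +0000] "POST /old-contact.html HTTP/1.1" 200 512 "-" "-"
host.example.net - - [15/Sep/2008:09:13:05 +0000] "POST /old-contact.html HTTP/1.1" 200 512 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')


def trap_hits(log_text, trap_path=TRAP_PATH):
    """Count POST requests to the trap page per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, url = m.groups()
        # Only POSTs count: a GET may be a crawler that found the page.
        if method == "POST" and url.split("?", 1)[0] == trap_path:
            hits[client] += 1
    return hits


def deny_lines(hits, threshold=THRESHOLD):
    """Build 'deny from' lines for clients at or over the threshold."""
    lines = []
    for client, count in sorted(hits.items()):
        try:
            ipaddress.ip_address(client)  # never write unvalidated log text
        except ValueError:
            continue
        if count >= threshold:
            lines.append(f"deny from {client}")
    return lines
```

The `deny from` syntax matches the .htaccess snippet posted above; Apache 2.4 replaces it with `Require` directives.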

3:09 pm on Sept 15, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


I got the rest of the IP addresses from: .....

Just as a for instance... I've just had an example of form spam come through one of my sites. It got through my robot checks (CSS hidden field check and check to make sure the form was completed in more than a few secs). It got stopped by my offensive language filter. But the IP address was a new one - and it did not appear on the list posted above.
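The two robot checks mentioned above (CSS-hidden field, minimum completion time) as a server-side sketch. This is an added example, not penders' code; the field name, thresholds and key are assumptions, and the timestamp is HMAC-signed so a client cannot simply backdate it:

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-key"  # placeholder key
MIN_FILL_SECONDS = 5        # assumed value for "more than a few secs"
MAX_TOKEN_AGE = 3600        # assumed: tokens older than an hour are stale
HONEYPOT_FIELD = "website"  # hypothetical name of the CSS-hidden input


def issue_token(now=None):
    """Return 'timestamp:signature' to embed in the form as a hidden input."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{sig}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = now if now is not None else time.time()
    # 1. CSS-hidden field: humans leave it empty, naive bots fill everything.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    # 2. The token must verify, otherwise the timestamp cannot be trusted.
    ts, _, sig = form.get("token", "").partition(":")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    valid_ts = ts.isascii() and ts.isdigit()
    if not valid_ts or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "missing or forged token"
    # 3. The form must have been open for a plausible amount of time.
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_TOKEN_AGE:
        return False, "token expired"
    return True, "ok"
```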

4:14 pm on Sept 15, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:May 7, 2003
posts:153
votes: 1


If you're using Javascript to out-smart the spambots, this is a way to prevent human visitors who have Javascript disabled from posting:

<body onload="document.frm.go.disabled=false;">

<form name="frm" action="" method="POST">
<input type="submit" name="go" value="Enter" disabled>
</form>

</body>

10:17 pm on Sept 15, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 27, 2004
posts:157
votes: 0


I like penders' suggestion about automating the addition of a file to .htaccess. I will have my designer look into it. I work with templates he designs and I maintain and update the whole site.
12:54 pm on Sept 18, 2008 (gmt 0)

Full Member

10+ Year Member

joined:Oct 14, 2004
posts:316
votes: 0


Another similar approach uses external css to HIDE an unneeded form input. Anytime that box is filled in, it's a spambot so you just throw the submission out

Not so hot for someone using JAWS (or similar) I would imagine. Presumably they would see their form unceremoniously rejected, too.

1:42 pm on Sept 18, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


Not so hot for someone using JAWS (or similar) I would imagine. Presumably they would see their form unceremoniously rejected, too.

I have heard that JAWS understands CSS these days - is that true? But even so, the 'hidden' field should have an appropriate label, "(Do not complete this field)" for the benefit of any real user that should happen to see the field (if CSS is disabled or whatever).

3:08 pm on Sept 18, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Feb 14, 2008
posts:85
votes: 0


@penders: absolutely right... use css to hide the field (and label), but make the label something obvious like "If you're a human being, do not enter anything in this field."

the bots still haven't caught on to this one...

12:25 pm on Sept 19, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


"tedster: Another similar approach uses external css to HIDE an unneeded form input. Anytime that box is filled in, it's a spambot so you just throw the submission out."

penders: Yes, I have used this approach too - very effective. However, I have recently encountered a problem which meant that a legitimate message got flagged as spam! ... I think some kind of auto-complete feature of the user's browser (Google Toolbar or other plugin perhaps?) was auto filling the field and it was being sent with everything else - without the user knowing!?

I don't normally quote myself, but this has happened to me again! The hidden (by CSS) form field has been submitted with the user's email address this time! The email address has also been entered correctly in the appropriate email address field - so this is duplicate info! I very much doubt that even if the user was able to 'see' the field, they would enter their email address twice, particularly when one of them states, "Do not enter anything here!"?!

This is a relatively low traffic site, so the percentage of legitimate form submissions that are failing because of this hidden CSS field is surprisingly high! A tad worrying.

The user's UA includes "FunWebProducts". Ring any bells?

Does anyone know of any browser plugins / extensions / toolbars which could auto-complete form fields in this way? Normal auto-complete only offers suggestions when you start typing in that field.

1:49 pm on Sept 19, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 17, 2003
posts:76
votes: 0


With regard to the Jaws queries - why not download the free trial version and have a listen to what your website sounds like - it's good practice anyway to improve usability of any website.
3:38 pm on Sept 19, 2008 (gmt 0)

New User

5+ Year Member

joined:Aug 19, 2008
posts: 3
votes: 0


Penders, could the hidden field be prepopulated with a value that if changed indicates a bot?
4:28 pm on Sept 19, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


Penders, could the hidden field be prepopulated with a value that if changed indicates a bot?

Yeah, I was wondering that... but do robots change values in already populated fields (or only when the field is empty)? If I was a robot I don't think I would bother... I would assume the value already there was valid. (?)

This 52 message thread spans 2 pages.
 
