Form help to avoid spam

         

meeko

12:41 pm on Feb 23, 2007 (gmt 0)

10+ Year Member



My website has a simple application form on it with javascript validation to ensure that users enter the main fields. The problem is that I am now getting quite a few emails per day with each of the 'required fields' containing the correct format such as email@domain.com and the non-validated fields containing links to spam sites.

Is there any easy way of adding something to stop these people sending bots to fill out my forms with nonsense? It's driving me up the wall.

s_mk

2:17 pm on Feb 23, 2007 (gmt 0)

10+ Year Member



I'm not sure how you are submitting the form and what you are submitting it to (straight to email, or to another page), but I can bet that you don't have any validation on whatever is receiving the form. So the black hats are just skipping over your HTML page, and sending messages straight to the receiver.

If you are submitting a form straight to your email via a POST, then I'm sorry, but there are a lot of programmers snickering at your expense right now because they don't remember that they did the same thing when they started out, and a lot of spammers are drooling over such an easy target.

Either way it's best to submit a form to another page that will perform an additional validation before sending it off to where it is needed. JavaScript validation is only to aid your user by preventing them from making an honest mistake. You need something a little better like Perl, PHP, ASP, Coldfusion, or some other server side language to enforce your rules.

If you are doing this already, post your validation code, and I could probably help you a little further.

-Greg

meeko

10:13 am on Feb 28, 2007 (gmt 0)

10+ Year Member



Greg - The form goes to an asp page for processing (please see below) - would verification be placed in this code or would it be in the javascript of the html of the page on the site:

<%@ LANGUAGE="VBSCRIPT" %>
<%
Dim strTo, strFromName, strFromAddress, strSubject, strRedirect, strFormResults
Dim key, strname, strvalue
Dim bEmail

' Recipient, subject, redirect target and sender are all read from the posted form
strTo = Request.Form("recipientemail")
strSubject = Request.Form("subject")
strRedirect = Request.Form("Redirect")
strFromName = Request.Form("yourname")
strFromAddress = Request.Form("youremail")

' Copy every posted field except the submit button into the message body
For Each key in Request.Form
    If Not (Lcase(key) = "submit") Then
        strname = key
        strvalue = Request.Form(key)
        strFormResults = strFormResults & strname & addspaces(Len(strname),15) & " : " & strvalue & vbCRLF & vbCRLF
    End If
Next

strFormResults = "Date Submitted : " & Now() & vBCRLF & _
    "-------------------------------------------------" & vBCRLF & _
    strFormResults

' send email
sendmail strTo, strFromAddress, strSubject, strFormResults

' Redirect to thankyou page
Response.Redirect (strRedirect)
Response.End

' Pad a field name with spaces up to the tab stop
Function addSpaces(intLen, intTabStop)
    Dim i

    For i=1 to (intTabStop - intLen)
        addSpaces = addSpaces & " "
    Next
End Function

Sub sendmail (strToAddress, strFromAddress, strSubject, strBody)

    'Response.Write "<BR>" & strToAddress
    'Response.Write "<BR>" & strFromAddress
    'Response.Write "<BR>" & strSubject
    'Response.Write "<BR>" & strBody

    Dim objCDO
    Set objCDO = Server.CreateObject("CDONTS.NewMail")

    objCDO.To = strToAddress
    ' strCC is never assigned anywhere in this page, so Cc is empty
    objCDO.Cc = strCC
    objCDO.From = strFromAddress
    objCDO.Subject = strSubject
    objCDO.Body = strBody
    objCDO.Send
    'Cleanup
    Set objCDO = Nothing

End Sub
%>

vincevincevince

10:16 am on Feb 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Use javascript to add a hidden field, and then check for the presence of that hidden field. Or alternatively, add javascript as an onSubmit handler which sends off the form to another URL than that in the action="" part of the form.

phranque

12:38 pm on Feb 28, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



meeko:
use the javascript validation as a helpful convenience for your visitors.
use the vbscript validation as protection for your server, database, etc...

consider adding captcha to the form.

s_mk

2:14 pm on Feb 28, 2007 (gmt 0)

10+ Year Member



You should do both javascript AND vbscript validation. If you forgo the server side validation, anyone can just write their own form that submits to your asp page, and bypass the javascript validation altogether.

FIRST GOLDEN RULE OF PROGRAMMING: Assume all input is tainted as badly as it could be.

Test each input variable for:
1. data type
2. length or range
3. illegal characters

I usually test in that order as it moves quickest to slowest.

Looking over your code I can see that you forgot this step. Ask yourself:

1. How can I be sure that the data in the Request.Form collection is in the right format?

2. What would happen if I entered the wrong kind of data?

Unfortunately, I know only a little vbscript, but not enough to give you a good validation routine. If no one helps you here, maybe try the Microsoft-oriented forum here [webmasterworld.com]

(Just a heads up, if you know JavaScript already, why not write the asp side in JScript? From what I know, it's essentially the same as JavaScript.)
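
The three checks s_mk lists (data type, length or range, illegal characters), applied in that order to the fields of the form above, as an added example that is not from any poster in this thread. It is a plain JavaScript function; the `comments` field, the limits, the patterns and the fixed recipient and thank-you URL are assumptions, and the recipient and redirect are set on the server instead of being read from the request.

```javascript
// Per-field rules. Field names are from the posted ASP page, except "comments",
// a hypothetical free-text field. Limits and patterns are assumptions.
const RULES = {
  yourname:  { max: 80,   pattern: /^[^\r\n<>]+$/ },   // single line, no markup
  youremail: { max: 254,  pattern: /^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/ },
  subject:   { max: 120,  pattern: /^[^\r\n]+$/ },     // single line
  comments:  { max: 2000, pattern: /^[^\u0000-\u0008\u000b\u000c\u000e-\u001f]+$/ }
};
// Posted by the form but not used: recipient and redirect are fixed on the server.
const IGNORED = ['recipientemail', 'redirect', 'submit'];
const MAIL_TO = 'applications@example.invalid';  // placeholder address
const THANK_YOU_URL = '/thankyou.html';          // placeholder path

function validateSubmission(form) {
  const errors = [];
  const clean = {};
  const seen = {};
  for (const key of Object.keys(form)) {
    const name = key.toLowerCase();
    if (IGNORED.includes(name)) continue;            // never trusted from the client
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      errors.push(name + ': unexpected field');      // the form has no such input
      continue;
    }
    seen[name] = form[key];
  }
  for (const name of Object.keys(RULES)) {
    const rule = RULES[name];
    const value = seen[name];
    if (typeof value !== 'string') {                               // 1. data type
      errors.push(name + ': missing or not text');
    } else if (value.length === 0 || value.length > rule.max) {    // 2. length
      errors.push(name + ': bad length');
    } else if (!rule.pattern.test(value)) {                        // 3. characters
      errors.push(name + ': illegal characters');
    } else {
      clean[name] = value;
    }
  }
  return { ok: errors.length === 0, errors: errors, clean: clean,
           to: MAIL_TO, redirect: THANK_YOU_URL };
}

// Constructed sample submissions (not taken from the thread).
const GOOD = { yourname: 'Jane Doe', youremail: 'jane@example.com', subject: 'Application',
               comments: 'Please find my details below.', Redirect: 'thanks.htm', Submit: 'Send' };
const BAD = { yourname: 'x'.repeat(200), youremail: 'not-an-email',
              subject: 'Line one\r\nline two', comments: 42, website: 'filled-by-bot' };
console.log(validateSubmission(GOOD).ok, validateSubmission(BAD).errors);
```

Only the `clean` values, `to` and `redirect` from the result should reach the mail and redirect calls, and only when `ok` is true.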