How are people getting past this?

use of javascript to stop spammers

         

AKat

3:28 pm on Sep 14, 2007 (gmt 0)

10+ Year Member



I have a bulletin board that is constantly attacked by spammers. I do my best to stop them before they actually get their messages posted. The modifications I made to my board's Perl script stop most of it, but I've been trying to prevent it from even getting that far by using a javascript function to check for certain words and show an alert if any of the words occur in their post.

The code seems to work fine and it stops me from getting in when I try, but somehow or other the spammers are getting past the javascript. Analysis of the failed posts I have my Perl script log for me shows that very few (less than 1%) are accessing the Perl directly. Most are going in through the main page form and the javascript should stop them, but it isn't.

How are they getting past this and is there anything I could change to make sure it stops them?

Here are the javascript functions:

<SCRIPT type="text/javascript">
// Called from the form's onSubmit; returning false cancels the submit.
function stopspam(thisform)
{
  var body = thisform.body;
  if (tcheck(body,/cialis/gi,"Spam is not permitted here!")==false) {body.focus(); return false;}
  if (tcheck(body,/viagra/gi,"Spam is not permitted here!")==false) {body.focus(); return false;}
  // (several other similar checks)
  return true;
}

// Returns false (after an optional alert) if the field's value matches theword.
function tcheck(entered, theword, alertbox)
{
  var inThere = entered.value.match(theword);
  if (inThere)
  {
    if (alertbox!="") {alert(alertbox);}
    return false;
  }
  return true;
}
</SCRIPT>

And here is the form declaration and the call to the javascript function and the board's Perl script:

<form method="post" onSubmit ="return stopspam(this)" action="http://www.example.com/cgi-bin/myboardscript.pl">

Thanks for any help you can give me.....

Gibble

3:34 pm on Sep 14, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The bots don't run javascript.

Turn javascript off in your browser and try it. :)

What you can do though, add a hidden field, name it what your current textbox element is named, create a new textbox element with a new name.

Then in your Perl script, if ANYTHING is posted in that hidden field, it's a bot. As a human wouldn't see it, nor be able to populate it, but a bot can and likely will.

HTH,
-C

[edited by: Gibble at 3:34 pm (utc) on Sep. 14, 2007]
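The hidden-field check described in the post above, together with the word filter moved to the server, as an added example that is not part of the original thread and not the board's own code. It is written in JavaScript (runnable under Node.js) to match the thread's code; the same logic belongs in the board's server-side script. The field name `msg_text` and the sample submissions are assumptions constructed for illustration.

```javascript
// Server-side screening of one submitted post (added example, not the board's code).
// "body" is the honeypot: it keeps the old textarea name but is hidden from people.
// "msg_text" is a hypothetical new name for the real, visible textarea.
const HONEYPOT_FIELD = "body";
const REAL_FIELD = "msg_text";
// The two words shown in the thread's script. No /g flag: a global regex keeps
// lastIndex between .test() calls and would skip matches on reuse.
const BANNED = [/cialis/i, /viagra/i];

// Decide what to do with a raw application/x-www-form-urlencoded POST body.
function screenPost(rawBody) {
  const form = new URLSearchParams(rawBody);

  // A person never sees the hidden field, so any content in it means
  // the form was filled in by a script.
  const trap = form.get(HONEYPOT_FIELD) || "";
  if (trap.trim() !== "") {
    return { accept: false, reason: "honeypot-filled" };
  }

  const text = form.get(REAL_FIELD) || "";
  if (text.trim() === "") {
    return { accept: false, reason: "empty-post" };
  }

  // Same word check as the onSubmit handler, but enforced where the
  // client cannot skip it by not running JavaScript.
  const hit = BANNED.find((re) => re.test(text));
  if (hit) {
    return { accept: false, reason: "banned-word:" + hit.source };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample submissions (not real traffic).
const samples = [
  "msg_text=Hello+everyone&body=",     // person using the visible field
  "msg_text=&body=Buy+ViAgRa+now",     // script that filled the old field name
  "msg_text=cheap+CIALIS+here&body=",  // client-side check never ran
];
for (const s of samples) {
  console.log(JSON.stringify(screenPost(s)), "<-", s);
}
```

Logging the returned reason alongside rejected posts shows how many submissions hit the honeypot versus the word filter.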

AKat

3:36 pm on Sep 14, 2007 (gmt 0)

10+ Year Member



Ah...thank you, Gibble. That sounds reasonable. I'm a fairly experienced coder, but I don't know that much about bots and their behavior. I learn something new every day! Thanks, again.

Gibble

3:37 pm on Sep 14, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No problem, let me know how it works out for you :)

Fotiman

12:22 pm on Sep 17, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think the method Gibble is describing is the "Honeypot" method. Try searching for that to get more info as well.

Dabrowski

12:35 pm on Sep 18, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also, you could try using the hidden input box, but use the javascript on your page to fill it in. That way you could ensure they are using the JavaScript validation you have.

AKat

10:58 am on Sep 19, 2007 (gmt 0)

10+ Year Member



Dabrowski, I think I will probably not use the javascript at all since it is so easy to bypass. Instead of changing the names of the textboxes though, I am going to try to comment some out, so regular users won't see them, but the spammers should. I'll see how that works for a while.

Also, since my board seems to be on a list of boards that the spammers pick up somehow, I might rename it, rename all the form elements and move it to another page with just a small notice telling people where to go. That won't hide it forever, but may buy me some time from them anyway.

topr8

11:15 am on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



you could write one of the form fields to the page using a js function,

that way if you can't read js (you're a bot) then you don't see the form field

Fotiman

1:59 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




> that way if you can't read js (you're a bot) then you don't see the form field

That is a very foolish idea. Not all browsers with JavaScript disabled are bots. Some people simply don't want to enable JavaScript (to each their own).

The general rule with JavaScript should be to treat it as an "enhancement", not a "requirement". The form should work whether the user has JavaScript enabled or not.

topr8

11:40 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> That is a very foolish idea. Not all browsers with JavaScript disabled are bots.

well i beg to differ, while many people do surf with js disabled they tend to be savvy users, you can also give a warning that js is required to post in the forum, if they know how to turn it off, they know how to turn it on too.

in my experience, outside of any techie niche, js use (eg enabled in the browser) is virtually 100%

Gibble

2:20 pm on Sep 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hassle to the user though, they may know how to turn it on. But unless you have something they can't get elsewhere, they likely won't bother. At least not for repeat visits.

Anything that uses js, css, flash etc and isn't plain html should degrade gracefully...nine times out of ten. There's an exception to every rule :p

Fotiman

2:51 pm on Sep 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Well put Gibble.