Web Forms being Spammed

Forum Moderators: mack

Message Too Old, No Replies

Web Forms being Spammed

How can I stop my form being spammed

Janet_H

9:15 am on Apr 8, 2009 (gmt 0)

Hi,
Bit complicated - I paid someone to build me a website which allows visitors to the site to fill in a form which then comes to me in the form of an email and to an 'admin' area of my site for me to check and upload on to the site if OK. Moved to another company to help me run the site (long story)and he has redesigned the site a bit at my request. Now my forms are being attacked daily by spammers. They somehow manage to bypass the CAPTCHA we've put in place. It's v.v. annoying and so time consuming to just delete each one from the system. My guy is scratching his head - he didn't build the form and thought the CAPTCHA would stop it. If I said MYSQL and PHP I think I'd be right, but should I be looking at investing in some heavy-duty security (if there is such a thing!) or what? Any help much appreciated.
Frustrated non-techie.

anallawalla

9:35 am on Apr 8, 2009 (gmt 0)

There are a couple of problems. Some forms are filled by humans to test your defences, so they will pass through the captcha.

Your developer will find a lot of discussion online about how captchas can be bypassed, then he can write code to prevent some of it. Even Gmail's captcha has been bypassed, so don't expect a foolproof method.

BeeDeeDubbleU

12:05 pm on Apr 8, 2009 (gmt 0)

Sometimes the simpler captchas work well. I just ask a question only answerable by a human such as "is rain wet or dry"? This stops all but the most determined. I still get one or two of these each day submitted by the infamous "Margana" but as Anallawalla says these are submitted by humans (if you could %$^&*^$ call them that!)

Lord Majestic

12:26 pm on Apr 8, 2009 (gmt 0)

Captchas are highly irritating in my view.

Use JavaScript execution to add some unique value to form that your script will check - most of bots can't handle those. If it human with disabled JavaScript then you can show polite message to enable it for the purpose of submitting this form.

rocknbil

3:00 pm on Apr 8, 2009 (gmt 0)

"Front end" approaches are "duct tape" to the core problem, and this post reaffirms the issue with captchas. They can be circumnavigated by anyone truly determined.

It's not just manual entry. I have experienced robots breeze right past them on one VBulletin install.

Some of these "front end" approaches - the hidden blank field, BBW's "trivia question" approach, and anything that affects the front end form - will slow down and sometimes even stop the attacks, giving you the impression that the problem is solved.

I assure you, it's not. If they are determined, they will get around all those, or even resort to manual entry just to annoy you. The fix for this is to attack the root of the problem. Fix the script that is processing your form. Cleanse the data, and apply filtering if required. If you don't know how, contract someone to do it (and make them prove they can do it by supplying data to the revised form from spam you've received.) Don't make it your visitor's problem by asking them to fill out a captcha or other extra step they they may not understand.

In very extreme cases - and almost always this is limited to extreme cases - you can begin banning IP classes via the script or at the server level. The reasoning is if they are attacking your form, you don't want them poking around any of your site, period.

There are a variety of "duct tape" approaches and some of them will work for you, but may come back to haunt you after you think it was fixed. Fix the processor and be done with it.

This is discussed in deep detail in this thread [webmasterworld.com].

If link doesn't work, try this one [webmasterworld.com]

BeeDeeDubbleU

3:38 pm on Apr 8, 2009 (gmt 0)

Rocknbil I agree that captchas are a PITA but so is making the effort (or paying someone) to try to stop this by applying filters, etc. I have someone who spams one of my forms about once or twice a day and each time one arrives it is stamped with a different IP address. Do you know of any way to filter this out?

Personally I can live with it since I have my spam filter (Spambayes) trained to send these submissions straight into my spam folder.

Janet_H

4:33 pm on Apr 8, 2009 (gmt 0)

Thank you ALL of you for taking the time to the reply and being kind enough to share your knowledge. The info you have given me is me really useful and I will run it past my web-guy, who is as determined to get to the bottom of this as I - aren't SPAMMERS just the biggest PITA!
Thanks,
J

rocknbil

9:33 pm on Apr 8, 2009 (gmt 0)

I have someone who spams one of my forms about once or twice a day and each time one arrives it is stamped with a different IP address. Do you know of any way to filter this out?

The trivia question on your site appears to work for you, so if it works, roll with it. My comments are for general usage, and a precursory warning that front-end approaches alone won't solve everything.

To directly answer the question, without seeing what your processor is doing or the nature of what they are spamming you with, NO. Given a review of the actual script processing your form and a log of this spammer's input, I would say, 95% probability, yes.

However, if they are hitting you every day, you should be able to determine one of two things: either it's an automated 'bot, in which case you should be able to determine a pattern and plug it, or it's someone with a grudge and they are manually annoying you, in which case your method is probably the only thing that will thwart them. The latter is really an extreme case, which is why I say, if your processor is "fixed," it will stop most of these guys/gals/subhumans. :-)

BeeDeeDubbleU

6:58 am on Apr 9, 2009 (gmt 0)

It's definitely not someone with a grudge. My type of business does not generate grudges. :)
It just seems to be someone submitting links to pawrn and spam websites.

There are actually some common factors in these submissions and anyone good at scripting could no doubt filter them out but I am afraid that I don't do this type of scripting.

Digmen1

8:19 pm on Jun 5, 2009 (gmt 0)

Why do they bother spamming my web form ?

We are a small manufacturer with an online store.

We have a simple Captcha on our contact us and order forms.

(I hate the Captchas that you have to try about 3 times because they are so hard to read)

Yet about once or twice a week some clown breaks into our form and spams us with a message taking them to a website which tries to sell diet pills.

Do they really believe that I would go to their web site to buy some diet pills when they have spammed me ?

But to me it is a real PITA as we do not get many sales so when we see Form2Mail in our email we get all excited !

Why do they bother ?

They must have to crack thousands of captchas to get one visit or sale !

rocknbil

9:58 pm on Jun 5, 2009 (gmt 0)

Why do they bother spamming my web form ?

Because they can.

Yet about once or twice a week some clown breaks into our form and spams us with a message taking them to a website which tries to sell diet pills.

These are all automated, and most of them have 6 or 8 easily identifiable patterns. Remove the capchka, filter the data on input, and if it's found, immediately exit with a "no email was sent" response. Many say this is unworthy; just proceed as if the email was sent. But the problem with this is they think it worked so they, and more, will keep trying. The above approach has proven (in my experience) that after a time, they give up. Take away the candy and the malcontents will stop trying to steal it. :-)

However, I can offer no help in getting a stock script to do this for you, it will require some custom programming.

Do they really believe that I would go to their web site to buy some diet pills when they have spammed me ?

There's only one reason spam continues: it works. So if not you, someone else.

They must have to crack thousands of captchas to get one visit or sale !

Try millions . . . this is the whole deal, it's a game of numbers. P****ing off 2000 users is worth it if you get one sale, this is their philosophy. Generally they only have to find one "brand" of captcha, crack it, then seek out any sites that use that "brand." It's the same thing with forum or shopping cart vulnerabilities.

piatkow

1:57 pm on Jun 6, 2009 (gmt 0)

I found a discussion with stats (not here) a long time ago about various techniques for keeping spammers out of forms and mailto links. I can't remember much about it except for two things:
1. A combination of techniques is usually better than relying on a single one
2. (at that time) framing the page containing the form was an effective secondary technique.