I assume that these automated submissions work by filling in the fields "email", "name", "message" automatically by a software in certain intervals. So I thought I could perhaps randomize the field names so that the software does not know how to fill in the fields correctly any more.
I thought about something like this:
1. Create a random field name for each field when the contact form is loaded, for example: $random_number_email = rand()
2. Store it in a session variable: $_SESSION['email'] = $random_number_email
3. Alter the input fields: <input type="text" name="<? echo $random_number_email?>" (...)
4. After form submission retrieve the variable in this way: $email = $_POST[$_SESSION['email']]
Of course this only works when the bots or software those spammers use really identify the fields by their names and not for example by order of appearance. Is my assumption correct that these programs work that way?
Of course I could also randomize the order of the form fields if this is the case or add some hidden bogus fields in addition.
Has anybody tried this approach before on his contact form or forum software and does it work? Are there any disadvantages I am not aware of?
If you get any submissions with that field included, you just throw them out.
The random field idea seems like a lot of hassle for you, and anti-spam techniques should be as easy for us as possible.
If this is the case, randomizing fields or using unique numbers or IDs will not help.
It would need to be combined with a hit on a database that stores the unique value; if the value is already there, don't send the email.
Remember, always let the spammers think that they have successfully sent their spam. If you give an error to them, they will try and find a method around it.
Also, after you have changed your script, change the name of the page the form is on. That way the spam bots will not quickly re-hit it.
It was easier to do than I had thought:
$_SESSION['email'] = sha1(uniqid (rand()));
$_SESSION['name'] = sha1(uniqid (rand()));
<input type="text" name="<?php echo $_SESSION['email']; ?>">
<input type="text" name="<?php echo $_SESSION['name']; ?>">
And when receiving the contact form only a few changes were necessary, too:
$email = $_POST[$_SESSION['email']];
$name = $_POST[$_SESSION['name']];
The rest could stay the same.
Only drawback is that when an error occurs (for example invalid email address) the fields are not prefilled anymore. That's why I only randomized the name and email field names, so at least the message stays.
I think I'll wait another week and see how it turns out. If it works I'll randomize my phpBB forum since the captchas don't seem to work anymore.
I have virtually eliminated feedback form spam by scanning the input for certain phrases and blocking the message if one is found. I look for the following:
'MIME-Version:'
'@example.co.uk' <- my domain
'<a href='
'[url='
Now I can't remember the last time I got any spam. But I do get a few emails with the subject line of "thanks" and a message about how great my site is, all supposedly originating from generic AOL email addresses. No links, just a few complimentary sentences. What's that all about?
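The techniques discussed in this thread (per-form random field names, a hidden bogus field, phrase scanning, and discarding silently instead of showing an error), combined as an added example that is not code from any poster. The function names, the `website` honeypot field and the sample submissions are assumptions made for illustration; the session is passed in as an array so the script also runs from the command line.

```php
<?php
// Added example: helper names, the 'website' honeypot and all sample data are constructed.
// Phrases from the last post; '@example.co.uk' stands for your own domain.
const BLOCKED = ['MIME-Version:', '@example.co.uk', '<a href=', '[url='];

// Issue fresh random names for the real fields and remember the mapping in the session.
function issue_field_names(array &$session): array {
    $session['fields'] = [
        'email' => 'f' . bin2hex(random_bytes(8)),
        'name'  => 'f' . bin2hex(random_bytes(8)),
    ];
    return $session['fields'];
}

// Returns the submitted fields, or null when the submission should be dropped silently.
function accept_submission(array &$session, array $post): ?array {
    $fields = $session['fields'] ?? null;
    unset($session['fields']);                          // one-time use: a replayed POST finds no mapping
    if ($fields === null) return null;
    if (($post['website'] ?? '') !== '') return null;   // hidden bogus field was filled in
    $out = ['message' => $post['message'] ?? ''];
    foreach ($fields as $logical => $random) {
        $out[$logical] = $post[$random] ?? null;        // bots posting "email"/"name" miss these
    }
    foreach ($out as $value) {
        if (!is_string($value)) return null;            // missing field or array payload
    }
    if (preg_match('/[\r\n]/', $out['email'] . $out['name'])) return null; // mail header injection
    foreach (BLOCKED as $phrase) {
        if (stripos(implode("\n", $out), $phrase) !== false) return null;
    }
    return $out;
}

// Constructed demo: a normal submission, a replay of it, and a bot using the fixed names.
$session = [];
$f = issue_field_names($session);
$human = [$f['email'] => 'ann@example.org', $f['name'] => 'Ann', 'message' => 'Hello', 'website' => ''];
$cases = ['human' => $human, 'replay' => $human];
foreach ($cases as $label => $post) {
    echo $label, ': ', accept_submission($session, $post) ? 'send' : 'drop', "\n";
}
issue_field_names($session);
$bot = ['email' => 'x@example.net', 'name' => 'x', 'message' => '[url=http://spam.example]', 'website' => 'x'];
echo 'bot: ', accept_submission($session, $bot) ? 'send' : 'drop', "\n";
// In a real handler, render the same "thank you" page whether the result was send or drop.
```

In the form itself, the `website` input would be hidden with CSS so that people leave it empty, and the mapping would live in `$_SESSION` after `session_start()`.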