captcha image code and i just want to make the code more effective. as i get more than 100 spam entries a day
Then your CAPTCHA proves something I've always believed, they are little more than a patch for an underlying problem. Fear not, the big dogs suffer as well, I've **seen** the vBulletin CAPTCHA's beaten by bots. All a CAPTCHA does, really, is present one more barrier to your users.
Another thing to keep in mind is that spammers visit your form once.
after that the processor is accessed via direct input from a command line using their robots. Anything you do in the form itself is likely to get circumnavigated. The problem is in the input.
The hidden field trick is a good one, but even that is temporary, spammers can figure out that the hidden field is the one they need to ignore. Another approach is setting session variables for field names and making them unique every time the page loads.
These may give you relief, it may stop completely, or it may stop only temporarily. One of the tactics is to hammer a site only once or twice a month then go away for two months, making you think whatever you did worked.
Here is the fix, and it's a relatively permanent one: what is their motivation?
Understand this, and your site will become too much trouble and they will move on to greener pastures, which is the best we can hope for.
You didn't say whether your script is a blog, message board, or contact form, so I'll use contact forms as an example. There are several motivations:
1. Inject data in such a way as to use YOUR server to send spam. Two common examples are a comma separated list in the email input field, or input data in such a way as to create their own BCC header
, or inject a multipart content so that there is a "second email" attached to the input. In these two cases, you'll get one email, AOL or whatever gets 1000. You get blacklisted when they're done with you.
2. Submit the form only for the purpose of getting at your "real address" to add you to a spam list.
3. Spam links.
There are more, but simple solutions to these:
1. Filter your input. Accept what you want, throw everything else away. This will effectively break injection attempts. Pay special attention to any data going into the mail headers: to, subject.
2. Make all your responses come FROM a no-reply address. Make everything sent to this no reply address REJECT emails sent to it, do not set it up with an auto responder or that will get abused too.
3. Before doing regular filtering of input, check all input data for particular patterns that reveal their motivation. Spam links from bots come in very predictable patterns: [a href . . . . [url=.... . . .<a href . . . . etc. You can even filter for http, unless it's a link contact form, there's no real reason for a link to be dropped in a contact form. When the patterns are found, exit the program with a curt message: "no email was sent." Don't get snarky, you do NOT want to p*** off spammers. :-)
And the #1 thing you need to do, above and beyond all else, log all data input from your forms.
In a private location, open a file, append to it, when it gets to a certain size, have your script overwrite it. I can't express how valuable this is, access logs don't cut it when it comes to spam input. Log input data, review it regularly, see what they are up to. This will reveal their motivation, and that's the key. More ideas here [webmasterworld.com],
and many more threads on this board, it is well discussed. Try some of them, try all of them, but never assume there is any single no-spam solution, there isn't. It's usually a combination of three or four things that will make you too much trouble to spam.