Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

Pondering feasibility of form mail security idea

form mail security idea

3:32 pm on Nov 30, 2013 (gmt 0)

New User

joined:Nov 17, 2013
votes: 0

I'm about 1/2 a step above knowing nothing.
So this idea may be totally stupid, I apologize if so.

I am interested in implimenting a PHP based for mail.
Thus, I've been reading various post on here.
Most are well dated but seem to have MOSTLY good advice and examples.

In reading them, they gave me a idea. One that I haven't seen mentioned.
That in turn made me wonder if it's even feasible.

So I decided to ask, and maybe even spark interest that leads to increased spam/exploits security...

How about implimenting a dual/tri purpose timer?
set it with a minimum time, crashes if bots submit it to early
maximum time, does a preliminary time out if
TAKING (not taken) to long, so perhaps does a contact form refresh, or throws a security question, MUST BE ANSWERED, NOT CLOSED, then if answered correctly, restarts a additional time alottment to finish the msg.
IF ANSWERED WRONG, commits a die command to the mail script

PERHAPS EVEN, pull redirect to badbot trap

I imagine it is all possible.
BUT, feasible?

6:37 pm on Nov 30, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Dec 13, 2009
votes: 0

Very feasible if you use sessions to keep track of page request times.

I would suggest that a bot would typically take significantly less time than a human to use a mail form.


Bots these days are getting so sophisticated that it would not surprise me if delaying as long as a human would can and has been coded into some of them. I mean, people have got them rendering javascript and reading the post execution rendering, so a little sleep command seems well within reasonable bounds.
11:38 pm on Dec 2, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0

Very feasible if you use sessions to keep track of page request times.

A bot might not even set a session (cookie, etc.) - so there you have another trap.

I would be wary about trapping "too long" requests, as you might annoy a slow user!

I have implemented a similar technique on several forms before... if the form is submitted too quickly (ie. within a few seconds). However, it has never caught anything! Maybe I got the timing wrong?! Or, more probable I suspect, my other spam traps have caught it first.
10:20 am on Dec 3, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
votes: 0

It's an arms race with the spammers, they'll figure it out soon enough. You're not going to (help to) exhaust their resources so while it might put you a bit in front it's for sure nothing they cannot beat if they care to.

Moreover not all spammers are automated, quite a few run on sweatshops in 3rd world countries - most likely exploiting kids used as slaves.

It's better to make your script smarter and silent about it's refusal: don't give feedback on success/failure to the spammer. That way they'll never know they were too fast for you and you just discarded their message completely. Either based on content, keywords you don;t want to see, excessive amounts of URLs, email address they gave you, fields that are hidden with CSS that they did fill in anyway, browser strings that are off, source IP address of a (cheap) hosting provider, ... But if you give hem feedback that it was refused, they'll figure out why and figure out a way around your defences.

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members