
Forum Moderators: phranque


Prevent spam via contact form

     
9:42 am on Apr 26, 2007 (gmt 0)

New User

10+ Year Member

joined:Sept 7, 2006
posts:11
votes: 0


I'm getting spam via my contact form on my website. Do you know how to prevent this?
10:27 am on Apr 26, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 24, 2007
posts:70
votes: 0


Google "captcha". You can add an image-based verification to your form that would stop bots from spamming you.
9:22 am on May 6, 2007 (gmt 0)

New User

10+ Year Member

joined:Sept 7, 2006
posts: 11
votes: 0


I don't want to use that function, it doesn't look good. Do you have another solution?
10:22 am on May 6, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 30, 2000
posts:497
votes: 0


A simple required check box with a "click this box if you are a human" message beside it will work for a while; change the value as soon as you get the first spam message. Captchas are overkill in most situations IMO.
7:58 pm on May 6, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 4, 2004
posts:877
votes: 0


To add to what the poster above suggested: instead, ask a question.

Ex: What's the name of my website?

Nearly impossible for a bot to get by, the reason being that it's unique to your site. Keep the question simple. For example, I have a paragraph with an underlined word, and the question is "what's the underlined word in the paragraph above?" Easy for the user and accessible for the handicapped.

8:04 pm on May 6, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Put hidden field in form, if it's a bot the hidden field will be populated, so server side if anything's in that field dump the process. <x thread X 1000.>
12:56 pm on May 7, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 14, 2003
posts:508
votes: 0


Put hidden field in form, if it's a bot the hidden field will be populated, so server side if anything's in that field dump the process

This really works, I set it up last Friday on a form which was getting hammered by bots.

Two days on I've not had one bot entry!

9:57 pm on May 7, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 9, 2001
posts:1307
votes: 0


This is an ingenious idea, however I'm a little confused -- other than using comment tags, how does a person format a form with a hidden field, so the user will not see it?

......................

2:35 am on May 8, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 21, 2005
posts: 1526
votes: 0


I just implemented it. Let's see. Our form is being hit by a Russian link spammer, so we'll see if this screws them up.

I added a field just after the "send" button like so:

<input name="to_address" type="hidden" value="" />

How do you like that name? Just too sweet to resist, eh?

In the sending PHP code, I test:

if ( !empty($_POST['to_address']) ) { echo 'Tastes Like Spam!'; } else { /* ...send email... */ }

Let's see...

3:47 am on May 8, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


This is an ingenious idea

Indeed it is, but I must be honest, it is not my own. It has been brought up many times on this forum.

My recommendation is to log your data as well, and cleanse your input. Ingenious though it is, a spammer may wonder why his bot is not making hits and investigate, figure out your scheme, skip that field, and you're back to square one. Ensure any email addresses allow only ONE email address, and review these forums for other ideas to stop these guys.

9:32 am on May 8, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 14, 2003
posts:508
votes: 0


how does a person format a form with a hidden field

Add #hide { display: none; } to your CSS file.

And <span id="hide">url<input type="text" name="URL" value=""></span> to your form.

I use old skool asp to process my form, so the first few lines read:

If Request.Form("URL") <> "" Then
Response.Redirect "URL where you want to send 'em"
End If

If the hidden field isn't blank the bot is sent on its merry way!

1:01 pm on May 8, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 9, 2001
posts:1307
votes: 0


Thanks for the tips about this. To date I've been using the approach of a question that must be answered ("how much is 2 + 2?"), but I think I like this even more!

.......................

7:33 pm on May 8, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


Add #hide { display: none; } to your CSS file.

Why?

<input type="hidden" name="to-address" id="to-address" value="">

7:49 pm on May 9, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Mar 14, 2003
posts:508
votes: 0


First method which came to mind :-)

Although, eventually the bots might try to make sense of hidden fields.

I don't think they will start reading CSS files.

8:04 pm on May 9, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 24, 2001
posts:15756
votes: 0


there are some threads in the PHP Library [webmasterworld.com] about it

try this one
Combatting Webform Hijack [webmasterworld.com]

12:20 pm on May 13, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 16, 2003
posts:992
votes: 0


I've found that simply using a text-based captcha is very effective. All you need is one good question that's unique to your website and changed periodically. As long as everyone uses something a little different, it works well.
1:22 pm on May 16, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 20, 2007
posts:160
votes: 0


a plain check box or a panel for a code to be inserted will do the job.
3:09 pm on May 19, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 1, 2002
posts:774
votes: 0


It might be a bit of overkill, but you might also want to change the name of the form script after you make the changes, and make the original script name a honey pot. Any hit on that original name is an instant ban on your site.

I also have a short routine that checks the referrer in the script... if it is not sent from the page it should be on my site referring it gets dropped. Interestingly, since I thought most of these form submissions were baddy scripts connecting direct to my form script... I actually found that there were many giving a correct referrer... maybe just a good baddy script. But I checked my logs, and they were actually hitting my form page for the submission before hitting my script. Interesting!

Also, make SURE you validate ALL input! This is what I use (for Perl):

$id =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;
$url =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;
$email =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;
$descript =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;

NOTE: This forum substitutes a broken vertical bar ("¦") for a solid vertical bar- make sure you make that change if you cut and paste!

I only allow 2 fields to be inputs to be set by the user ($email and $descript)... but I have 2 fields that are set up as hidden fields ($id and $url) for tracking. Since a baddy script COULD inject on those fields, I validate them even if they are hidden. This is an easy code to insert into my scripts.... no sense taking chances.

Good Luck!

Dave
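
Added example, not part of the original thread or any poster's code: one way to combine the server-side checks suggested above (populated hidden field, referrer check, header-injection screening, a single email address) so that each rejection carries a reason that can be logged. The field names follow the posts above; the host, form path and sample values are assumptions, and the code rejects suspicious input rather than stripping it as the Perl substitutions do.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed names for this sketch: the decoy field, the site host, the form path.
HONEYPOT_FIELD = "to_address"
FORM_HOST = "www.example.com"
FORM_PATH = "/contact.html"

# Mail header names that have no business inside a single-line form value.
HEADER_RE = re.compile(r"(?:^|\s)(?:b?cc|to|content-type)\s*:", re.I)
# Exactly one address: one "@", no whitespace, commas, semicolons or brackets.
ADDRESS_RE = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")


def has_header_injection(value):
    """True if value, raw or percent-decoded, has CR/LF or a mail header."""
    for form in (value, unquote(value)):
        if "\r" in form or "\n" in form or HEADER_RE.search(form):
            return True
    return False


def screen_submission(fields, referer):
    """Return (accepted, reason); the caller logs the reason either way."""
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field populated"
    # Referer is client-supplied, so it is a weak signal, not proof.
    ref = urlsplit(referer or "")
    if ref.hostname != FORM_HOST or ref.path != FORM_PATH:
        return False, "referer is not the form page"
    # Hidden tracking fields are screened too. The message body ("descript")
    # is not: it goes in the mail body, never a header, and may be multi-line.
    for name in ("id", "url", "email"):
        if has_header_injection(fields.get(name, "")):
            return False, "header injection in " + name
    if not ADDRESS_RE.fullmatch(fields.get("email", "")):
        return False, "email is not a single address"
    return True, "ok"


# Constructed sample submission, for illustration only.
SAMPLE = {"to_address": "", "id": "42", "url": "/contact.html",
          "email": "visitor@example.org", "descript": "Hello\nthere"}
if __name__ == "__main__":
    print(screen_submission(SAMPLE, "https://www.example.com/contact.html"))
```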

5:55 am on June 1, 2007 (gmt 0)

New User

10+ Year Member

joined:Jan 4, 2007
posts:15
votes: 0


Sorry for the late comment here...

I have developed a custom CMS for a site with hundreds of content pages, each with a very active commenting system. In doing so, I have created about a dozen security checks to combat comment spam. With a few interesting tricks, I've virtually eliminated the once time-consuming hassle of filtering these out.

Nonetheless, I'm always interested in other approaches too. In particular, the following suggestion:


Add #hide { display: none; } to your CSS file.
And <span id="hide">url<input type="text" name="URL" value=""></span> to your form.

It works nicely, but then I wondered how Google would judge the hidden text... there doesn't seem to be an absolute guarantee of its future safety:

[456bereastreet.com]

So, perhaps it might be worth exercising some caution in such an approach.

1:05 am on June 2, 2007 (gmt 0)

Full Member

10+ Year Member

joined:Sept 7, 2005
posts:242
votes: 0


The only reason bots will continually hit an online form is if it's vulnerable. Instead of worrying about captcha and all that, simply use a form script or codebase that correctly filters user input and is not vulnerable to injection attacks.
2:16 pm on June 2, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:May 7, 2003
posts:154
votes: 2


If possible, disallowing search engines to index your contact form page makes it harder to find, and you'll get less spam. That also rules out any chance of trouble with Google because of using CSS to hide things. But anyway, why would Google care that you hide a form field? Hiding links is much more of a problem.

Disallowing URLs in comment or contact forms rules out the entire reason for spamming them, so that might be the most effective approach possible.