Stopping form spam without using backend stuff

i.e. without using PHP scripting etc

Mr Bo Jangles

9:15 pm on May 10, 2007 (gmt 0)

10+ Year Member



Hi all,
like everyone, we're now copping heaps of form spam.
I don't want to take on any backend php or the like methods to stop this - we'll just take the forms off and replace it with a graphical representation of our e-mail address, BUT, I was wondering if there was any clever in-page code, maybe with javascript or the like whereby we could implement some anti-spam method for this trouble with form spam.

MatthewHSE

9:46 pm on May 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Nothing client-side will stop this - probably your form page is never even being requested by the spambots. They just send POST data right to the processing script, which means the script itself needs to be modified to stop this.

Mr Bo Jangles

10:04 pm on May 10, 2007 (gmt 0)

10+ Year Member



Not good news, but thanks Matt.

(what we really need are the governments of the world to spend more time and money hunting down these people - then without anesthetic, removing their 'privates')

Cheers

rocknbil

11:01 pm on May 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



... we'll just take the forms off and replace it with a graphical representation of our e-mail address....

This will only bring about a *different* form of spam, one in which someone manually farms the email address and puts it on a list. But it will stop the bot-spamming.

I don't want to take on any backend php or the like methods to stop this .... I was wondering if there was any clever in-page code, maybe with javascript or the like whereby we could implement some anti-spam method for this trouble with form spam.

As said, the problem is in the back end and your pages are only visited to get the name of the processor and form fields. After that the web page is no longer needed. But there ARE ways to slow it down or stop it.

The simplest method was brought up a few months ago by a member here and is deceptively simple.

Put a hidden field with a blank value in your form.
<input type="hidden" name="real-address" id="real-address" value="">

In your server side processor, if this key has a value, stop the script. Only a bot will populate this field.

This is very easy to program in any language and will put a big dent in spam-bots. It is not foolproof, if the spammer figures you out they will skip this field. But it will give you time to apply other fixes.

The other kind of abuse is injection for sloppy scripts that do not appropriately cleanse data. When I was first hit with this years ago, I realized I should be thankful because it showed vulnerabilities in my programming - and I learned to stop them. Any field that goes directly from input to a mail header can be violated. For example, if I have an email address field, if someone sends

spam1@example.com,spam3@example.com,spam3@example.com.....

as their email address, they've just used my form to spam thousands of users. This is the simplest form of abuse, but there are other more devious methods people use that can actually create their own BCC field so they can do this undetected, or even create an entire second message.

To stop this, unfortunately you have to become really familiar with what your form processor is doing and what people are entering into it. To do that, you start by logging all input from any forms on your site. Before it gets processed or cleansed, open a file, append form input to it. Examine this log often. This will reveal details that don't show up in your access logs. Logging form input is vital IMO, it will provide insight on how to stop form abuse.
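The three server-side checks described in the post above (log raw input first, stop on a filled hidden field, keep multi-address or multi-line values out of mail headers), as an added example that is not part of the original thread. The `real-address` field name comes from the post; the `email` and `subject` field names, the log file name and the function names are assumptions.

```python
import json
import re
import time

HONEYPOT = "real-address"            # hidden field name taken from the post
HEADER_FIELDS = ("email", "subject")  # assumed: fields copied into mail headers
# Exactly one address: no whitespace, commas, semicolons or a second "@".
SINGLE_ADDR = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")


def log_raw(form, log_path):
    """Append the untouched submission to a log before any processing.

    json.dumps escapes CR/LF, so a submitted value cannot forge log lines.
    """
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps({"ts": time.time(), "form": form}) + "\n")


def check_submission(form, log_path="form_input.log"):
    """Return (accepted, reason) for one submitted form (dict of str -> str)."""
    log_raw(form, log_path)
    # A human never sees the hidden field, so any value means a bot filled it.
    if form.get(HONEYPOT, "") != "":
        return False, "honeypot filled"
    # A line break in a header-bound value would start a new header (e.g. Bcc).
    for name in HEADER_FIELDS:
        value = form.get(name, "")
        if "\r" in value or "\n" in value:
            return False, "line break in " + name
    # A comma-separated list in the address field turns the form into a relay.
    if not SINGLE_ADDR.fullmatch(form.get("email", "")):
        return False, "email is not a single address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    samples = [
        {"email": "alice@example.com", "subject": "Quote", HONEYPOT: ""},
        {"email": "bot@example.com", "subject": "x", HONEYPOT: "filled"},
        {"email": "spam1@example.com,spam3@example.com", "subject": "x"},
        {"email": "a@example.com", "subject": "Hi\r\nBcc: b@example.com"},
    ]
    for sample in samples:
        print(check_submission(sample), sample)
```
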

BeeDeeDubbleU

6:25 am on May 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A few months ago I started placing a validation question on each form like, "What is 3 plus 9". Or, "What colour is the sky?" In other words a question only a human can answer. It stopped overnight.

They probably will catch up with this too but it works at the moment. I have not had a single spam submission from a bot since I did this.