Spammers Targeting Forms

How to stop them

         

Fortune Hunter

5:57 pm on Dec 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have several mail forms on my web site. For the first year or two spammers were too stupid to figure out how to use the forms to spam me. However, they have improved their scum-sucking ways and managed to dump their trash into my mail forms on my site and trigger the form to email it to me. The spamming has become quite bad over the last few weeks.

The form is just a simple PHP script that takes the content of the form and emails an HTML message to whoever is supposed to get it. I know I could create one of those image maps where you have to type the letters in before it will allow you to send the form, but that is a pretty complex task from what I have seen. I was hoping for a more simple solution. Does anyone have any ideas of how I can stop or at least slow this spamming down?

eelixduppy

5:59 pm on Dec 28, 2007 (gmt 0)



There's a nice thread in the PHP library on this that you might want to take a peek at: Combatting Webform Hijack [webmasterworld.com].

justgowithit

6:14 pm on Dec 28, 2007 (gmt 0)

10+ Year Member



I too noticed an increase in form spam these past two weeks. The problem forms for me had pretty weak validation. Once I stepped up the validation to where it should be, the spam stopped completely.

With proper validation you shouldn't need a captcha.

rocknbil

6:21 pm on Dec 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"I know I could create one of those image maps where you have to type the letters in before it will allow you to send the form . . ."

This is called a captcha, and the real problem is it complicates it for legitimate requests.

I've done a lot of spam-stopping, mostly by cleaning input, allowing only what's expected, etc. - this is a good approach.

But the simplest thing I found? Don't use a static form as the initial page. Dynamically generate the form from your script and set a cookie. On submit, read the cookie value and if it doesn't exist, exit.

Only a browser can read and send a cookie (that I know of.) I had some particularly persistent buggers a few weeks ago, their input never got put in an email but it was annoying nonetheless (kept filling up my log.) Once I set a cookie they stopped even trying.
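
The cookie check and "allow only what's expected" validation described in the post above, as an added example that is not part of the original thread or any poster's code. It goes one step beyond testing that a cookie exists: the script signs the cookie value, so a request carrying an arbitrary cookie is still rejected. The secret, the cookie name and the field names are assumptions.

```php
<?php
// Added example. FORM_SECRET, the cookie name and the field names are assumptions.
const FORM_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder
const TOKEN_TTL = 3600; // seconds a rendered form stays valid

// Cookie value is "timestamp.hmac", so the server can tell it issued it.
function issue_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Reject a missing, malformed, forged, future-dated or expired token.
function token_is_valid($token, int $now): bool {
    if (!is_string($token) || !preg_match('/\A(\d{1,12})\.([0-9a-f]{64})\z/', $token, $m)) {
        return false;
    }
    $age = $now - (int) $m[1];
    return hash_equals(hash_hmac('sha256', $m[1], FORM_SECRET), $m[2])
        && $age >= 0 && $age <= TOKEN_TTL;
}

// Allow only what is expected: three string fields, bounded lengths,
// no CR/LF in the one-line name field, a syntactically valid address.
function validate_fields(array $post): ?array {
    $f = [];
    foreach (['name', 'email', 'message'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) return null;
        $f[$key] = trim($post[$key]);
    }
    if ($f['name'] === '' || strlen($f['name']) > 100 || preg_match('/[\r\n]/', $f['name'])) return null;
    if (strlen($f['email']) > 254 || filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) return null;
    if ($f['message'] === '' || strlen($f['message']) > 5000) return null;
    return $f;
}

if (PHP_SAPI !== 'cli') {
    $now = time();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $ok = token_is_valid($_COOKIE['form_token'] ?? null, $now);
        $fields = $ok ? validate_fields($_POST) : null;
        if ($fields === null) { http_response_code(400); exit; }
        // Pass $fields to the existing mail code; escape with htmlspecialchars() for the HTML body.
        echo 'Thanks, your message was sent.';
    } else {
        // The script generates the form page itself and sets the cookie first.
        setcookie('form_token', issue_token($now), ['httponly' => true, 'samesite' => 'Lax']);
        echo '<form method="post"><input name="name"><input name="email">'
           . '<textarea name="message"></textarea><button>Send</button></form>';
    }
}
```

A client that requests the form page first receives a valid cookie, so the token filters only submissions posted straight to the script. The field validation applies to every submission either way.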

Fortune Hunter

1:15 am on Dec 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks all, I have found some good leads in the thread link posted above. I read through that thread and found a few really good suggestions I am going to try and implement.