Fighting SPAM from online form

spam prevention

AlphaDog

6:53 pm on Sep 25, 2008 (gmt 0)

10+ Year Member



We have an online contact us form built with an older .asp system. We keep getting a lot of SPAM and we need to fight this somehow.

My question is: what options are there?

I've read around webmasterworld's forum a bit (I am new here) and found some interesting solutions with hidden fields and Captchas. But what recommendations do you guys have in general? If you have links to any cool discussions about fighting SPAM from Online forms please feel free to enlighten me.
Always grateful for any help from my peers.

rocknbil

9:40 pm on Sep 25, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome aboard AlphaDog! Have you seen this thread [webmasterworld.com]?

It seems everyone's got their idea of what works for them. A few highlights:

1. Log form input. Server logs don't tell the whole story. The only way to gain insight on who's doing what with your forms is treat it like the poison it is. The first thing your programs should do when receiving input is open a file in a private location, print the IP address and timestamp to it, and print all form input to the file. Examine it often.

2. The simple "hidden field" works for many (at least for now.) You have a hidden field that has a blank value. If it gets populated (by a robot) poof, it's outta there. They can get wise to this though, and modify their 'bots to ignore that field.

3. Changing form field names, script names, even dynamically outputting them has (surprisingly) worked for some. I've seen them wise up in a matter of days, so it's unreliable and probably not going to help a lot.

4. A method that trims off about 70% of the spammers for me is to generate the form itself dynamically, and at that time set a session cookie. When submitted, if the session cookie doesn't match some value server-side, poof. This generally requires a browser but can be spoofed and circumnavigated. But if there's one thing I know about spammers, they don't like to work that hard at it. :-)

5. An additional 20% or so that might get through are motivated only by links. Links in the form of a regular href or the BB-style code [ (no space) url=]. Although it's a bad idea to filter "bad" data (because you never know what that will be,) you can knock off a bunch more by filtering links in your input. Even in a link exchange request form, there's no real reason for anyone to submit a full url with html or BB code tags. In fact, you can filter /http\:\/\/i for anything that does NOT expect a full URL.

5a. You can filter certain words. Not a great approach, but will contribute.

6. Desperate measure #1: filter IP addresses using .htaccess. If you don't care that countries other than your own are denied, you can filter a lot of them out at the server level. This is recommended if most of your spam comes from other countries, but again is only a partial defense.

7. Desperate measure #2: The captcha, or a variation of it. These are generally effective most of the time but can be circumnavigated. The reason I try to avoid these is simple, people hate them and the last thing you want to do is avoid annoying your visitors, even in their best interest. One favorite mentioned often here is a more simple approach to challenge and response, a dynamically generated question and answer: "what is 3 + 7?" or "What color is the sky?"

I personally consider #1 mandatory. All user input is a potential hack, so it should be logged in a format you can understand (which server logs often are not.) Other than that, see the closing statement in #4 - you will probably want to use some of these in combination, as any one of them is not perfect. But if you can implement some of them, or all of them, it's going to get you to 98%, fast.

And the log in #1 will show you what's working and what's not. :-)

[edited by: rocknbil at 9:47 pm (utc) on Sep. 25, 2008]

[edited by: jatar_k at 4:47 pm (utc) on Sep. 26, 2008]
[edit reason] fixed link [/edit]

AlphaDog

9:47 pm on Sep 25, 2008 (gmt 0)

10+ Year Member



Fantastic advice Rocknbil. I'll look closer at each and every suggestion. Joining here seems to be worth it. I'll most likely be participating actively in the forums. Any hints on cool threads to check out? I am an IT Manager at the company I work for and any security related discussions are always of interest.

phranque

6:10 am on Sep 26, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



welcome to WebmasterWorld [webmasterworld.com], AlphaDog!

Marshall

11:05 am on Sep 26, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A few options to consider.

Have two hidden fields each being the http referrer then in the script, tell it the fields must match.

Another option is getting the host domain in a hidden field and that it must match the form.

A third idea is to have the submitter enter their email address twice and tell the form the two fields must match. But don't name the second field email_2 or something like that.

Set the form handler script to only accept submissions from a specific referrer, specifically the page the contact form is on.

These are just a few simple options that I have found work well as long as you can modify the form handler script.

Marshall

AlphaDog

4:41 pm on Sep 26, 2008 (gmt 0)

10+ Year Member



Thank you Marshall and phranque.

I am curious about the hidden field option. I found a couple of threads here about it but I am wondering if there are any code examples for the server side.
I get the setup with the hidden part but I still need to figure out what code to put on the asp code.
In relation to this: one of the threads shows a redirect to whereeveriwant. Well, I could redirect to nothing but it would be more fun to have some clever place to send the spam. Unfortunately I don't know of any clever places to redirect to... Any suggestions?

rocknbil

8:16 pm on Sep 26, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No you don't want to get clever with spammers. They are vicious if taunted. :-)

My ASP is too rusty for example code, but the PHP/perl-y way to do it is a simple if. If the "if" doesn't return true, the program continues on as normal.

<input type="hidden" name="here-phishy-phishy" value="">

&dont_forget_to_log_input;

# Perl compares strings with 'ne', not '!=' (which would compare them as numbers)
if ($input_data{'here-phishy-phishy'} ne '') { &go_to_exit; }

Where the function or subroutine "go_to_exit" can either be a simple denied message or make it "look" like it was successfully sent.

The problem I have with making it look like it successfully sent is that they will keep their bots pointed at you because they think it's working. I just output a simple obscure message:

"Malicious input detected. No email was sent."

I do this without a page template or even a valid HTML document. Just the one line of text, if their bot responds to them in some way, this is all it gets. You don't even need to redirect them anywhere. Just output the message and exit the program. A legitimate visitor or search engine will never see this.