Protecting your forms against spammers

An easy and simple solution


Lexur

1:01 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If your site is targeted by spammers and you receive a few dozen form submissions full of crappy links every day, you can try the following method (it's working fine for me... until spammers have the next bright idea).

a) You just need to add to your forms a dropdown menu with two or three options and name it, i.e.: AcceptTerms. I've added a question like "Do you accept our Terms of use?" and (here is the trick) the "NO" option selected. Real people will change it to "Yes", but scripts and other spam machines can't detect the sense of the question and won't change the selected option.

b) In your email client, build the following rule:
IF
SUBJECT EQUALTO your-email-form-title
AND
BODY CONTAINS AcceptTerms: NO
THEN
MOVE TO TRASH FOLDER.

I hope I explained it clearly enough for you.

Frank_Rizzo

1:33 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The only true way is to constantly change the signup script.

I've used anti spambot mods for phpbb but all it does is stop the signup from being processed - you still get dozens of attempts each week and this can grow as spambots will assume they are successful.

The answer is to change the name of the signup process. Users clicking the 'register here' link on a page will always be presented with the correct page, but spambots who submit to profile.php?mode=register will get 404s.

Just need to do some kind of cycling of the profile.php name or add an extra key on the url e.g. profile.php?mode=register&key=abc10a1 and change the key every hour.

[edited by: Frank_Rizzo at 1:34 pm (utc) on Aug. 4, 2006]

rocknbil

6:15 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Lexur - that will not really stop the REAL danger.

Suppose I could send a request directly to your script without ever even visiting the form? And suppose I could somehow abuse one of the form fields that is used for a mail header, add a newline character, and add a BCC: with a comma separated list of 1000 email addresses?

You get one email. Unknown to you, I've sent 1000 to AOL because you can't see what's in the BCC.

Figuring out the form fields and entering required values is child's play for a spammer; it's no big deal to send a YES value for that required field.

I strongly suggest that anyone who has a web-based form processor in ANY language - perl, php, asp, you name it - IMMEDIATELY add a function to that script that logs all data sent to it. You will be amazed at what you will find.

Server mail logs are of little use, they are often cryptic and only show what goes through MAIL, not what is sent to the form processor.

A Captcha scheme (enter the numbers in the pic) will help a little, but even these can be circumnavigated once they figure out your captcha algo.

There are automated scripts out there that repeatedly hit a form processor and figure out what form fields are available, which ones are required, and which ones are directly used for the actual mail headers. Then the games begin.

Log your form processor data so you know what's being sent to it, this is step one in putting a stop to webform abuse.
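As an added example (not code from this thread or any poster), a minimal Python form processor that does what rocknbil recommends: it logs every submitted field exactly as received, refuses any header-bound field carrying a CR/LF before it can reach a mail header, and also applies Lexur's default-NO AcceptTerms check. The field names, the log format and the sample submissions are assumptions constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Assumed field names: the inputs this hypothetical processor copies
# straight into mail headers (From: and Subject:).
HEADER_FIELDS = ("name", "email", "subject")

# A CR or LF inside a header-bound value lets an attacker end the header
# and append their own line, e.g. a Bcc: with a long recipient list.
CRLF = re.compile(r"[\r\n]")


def log_submission(fields, remote_addr, sink):
    """Record every field as received, so abuse is visible in the log (step one)."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "ip": remote_addr,
        "fields": fields,
    }
    sink.append(json.dumps(record, sort_keys=True))


def injected_header_fields(fields):
    """Names of header-bound fields that contain a CR/LF (injection attempt)."""
    return [f for f in HEADER_FIELDS if CRLF.search(fields.get(f, ""))]


def process_form(fields, remote_addr, sink):
    """Return ('accept', headers) or ('reject', reason) for one submission."""
    log_submission(fields, remote_addr, sink)  # log before any filtering
    bad = injected_header_fields(fields)
    if bad:
        return ("reject", "header injection in: " + ", ".join(bad))
    # Lexur's dropdown: the form ships with NO selected; a visitor picks YES.
    if fields.get("AcceptTerms", "NO").strip().upper() != "YES":
        return ("reject", "AcceptTerms left at default")
    # Only these headers are ever built from user input; no other field can
    # reach the envelope, so a hidden Bcc cannot be smuggled in.
    headers = {
        "From": f'"{fields.get("name", "")}" <{fields.get("email", "")}>',
        "Subject": fields.get("subject", ""),
    }
    return ("accept", headers)


# Constructed sample submissions (not real traffic).
GOOD = {"name": "Ann", "email": "ann@example.com", "subject": "Question",
        "AcceptTerms": "YES", "message": "hi"}
INJECTED = dict(GOOD, email="ann@example.com\nBcc: v1@example.net, v2@example.net")
UNTOUCHED = dict(GOOD, AcceptTerms="NO")
```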

Frank_Rizzo

7:20 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Ahh, I got confused - thread starter was on about FORM spam. I assumed forum spam.

Lexur

10:05 am on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Figuring out the form fields and entering required values is child's play for a spammer; it's no big deal to send a YES value for that required field.

Spammers are too lazy to check out every site. They have a very low email response rate and they must send billions of emails from hundreds of thousands of websites, probably a big list they bought from another spammer; they never visited your site.

rocknbil

3:57 pm on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The problem is not that simple. An automated program hits your form processor again and again, and figures out what fields are required, what values allow those fields to process, and what fields go directly into the mail headers. I have seen this process in logs. If you use expected variable names, like $email for the to- or from-email header, they can even attack your variable names directly. The only way to know is to log all data coming to your form processor. More info here [webmasterworld.com].

LifeinAsia

4:03 pm on Aug 7, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Not 100% SPAMMER-proof either, but your processing page can check the HTTP_REFERRER to see if it's actually the correct referring page. If not, abort. True, it will kick out those people who have a blank HTTP_REFERRER, but you could add some more logic to handle those cases as well.

Quadrille

7:19 pm on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Few spammers will bother to set up a system specifically for your form, so the method suggested is a good one.

Plus as above, change your variable names (name=aardvark, email=poncho etc.)

Plus use those number image things (read and type in the number).

Using ALL those three measures will stop all automated spam, except for that used by stalkers, and most individual spam.

But premoderation is the answer to serious human spam.

And active moderation (and total deletion of spam plus spammer) is the vital, indispensable final defense.

[edited by: Quadrille at 7:34 pm (utc) on Aug. 7, 2006]