Prevent spam via contact form

Forum Moderators: phranque

Message Too Old, No Replies

Prevent spam via contact form

John_Melin

9:42 am on Apr 26, 2007 (gmt 0)

I´m getting spam via my contact form on my website. Do you know how to prevent this?

Shimrit

10:27 am on Apr 26, 2007 (gmt 0)

Google "captcha". You can add an image-based verification to your form that would stop bots from spamming you.

John_Melin

9:22 am on May 6, 2007 (gmt 0)

I don´t want to use that function, it doesn´t look good. Do you have another solution?

maccas

10:22 am on May 6, 2007 (gmt 0)

A simple required check box with a "click this box if you are a human" message beside it will work for a while, change the value as soon as you get the first spam message. Captcha's are over kill in most situations IMO.

thecoalman

7:58 pm on May 6, 2007 (gmt 0)

To add to what the poster above suggested instead ask a question.

Ex: What's the name of my website?

Nearly impossible for a bot to get by, the reason being is it's unique to your site. Keep the question simple, for example I have paragraph with underlined word, the question is what's the uderlined word in the paragraph above? Easy for the user and accessible for the handicapped.

rocknbil

8:04 pm on May 6, 2007 (gmt 0)

Put hidden field in form, if it's a bot the hidden field will be populated, so server side if anything's in that field dump the process. <x thread X 1000.>

steve

12:56 pm on May 7, 2007 (gmt 0)

Put hidden field in form, if it's a bot the hidden field will be populated, so server side if anything's in that field dump the process

This really works, I set it up last Friday on a form which was getting hammered by bots.

Two days on I've not had one bot entry!

Reno

9:57 pm on May 7, 2007 (gmt 0)

This is an ingenious idea, however I'm a little confused -- other than using comment tags, how does a person format a form with a hidden field, so the user will not see it?

......................

cmarshall

2:35 am on May 8, 2007 (gmt 0)

I just implemented it. Let's see. Our form is being hit by a Russian link spammer, so we'll see if this screws them up.

I added a field just after the "send" button like so:

<input name="to_address" type="hidden" value="" />

How do you like that name? Just too sweet to resist, eh?

In the sending PHP code, I test:

if ( $_POST['to_address'] ) { echo 'Tastes Like Spam!'; } else {...send email...}

Let's see...

rocknbil

3:47 am on May 8, 2007 (gmt 0)

This is an ingenious idea

Indeed it is, but I must be honest, it is not my own. It has been brought up many times on this forum.

My recommendation is to log your data as well, and cleanse your input. Ingenious though it is, a spammer may wonder why his bot is not making hits and investigate, figure out your scheme, skp that field, and you're back to square one. Insure any email addresses allow only ONE email address, and review these forums for other ideas to stop these guys.

steve

9:32 am on May 8, 2007 (gmt 0)

how does a person format a form with a hidden field

Add #hide { display: none; } to your CSS file.

And <span id="hide">url<input type="text" name="URL" value=""></span> to your form.

I use old skool asp to process my form, so the first few lines read:

If Request.Form("URL") <> "" Then
Response.Redirect "URL where you want to send 'em"
End If

If the hidden field isn't blank the bot is sent on its merry way!

Reno

1:01 pm on May 8, 2007 (gmt 0)

Thanks for the tips about this. To date I've been using the approach of a question that must be answered ("how much is 2 + 2?"), but I think I like this even more!

.......................

rocknbil

7:33 pm on May 8, 2007 (gmt 0)

Add #hide { display: none; } to your CSS file.

Why?

steve

7:49 pm on May 9, 2007 (gmt 0)

First method which came to mind :-)

Although, eventually the bots might try to make sense of hidden fields.

I don't think they will start reading CSS files.

jatar_k

8:04 pm on May 9, 2007 (gmt 0)

there are some threads in the PHP Library [webmasterworld.com] about it

try this one
Combatting Webform Hijack [webmasterworld.com]

Rosalind

12:20 pm on May 13, 2007 (gmt 0)

I've found that simply using a text-based captcha is very effective. All you need is one good question that's unique to your website and changed periodically. As long as everyone uses something a little different, it works well.

dragsterboy

1:22 pm on May 16, 2007 (gmt 0)

a plain check box or a panel for a code to be inserted will do the job.

carfac

3:09 pm on May 19, 2007 (gmt 0)

It might be a bit of overkill, but you might also want to change the name of the form script after you make the changes, and make the original script name a honey pot. Any hits on that original name is an instant ban on your site.

I also have a short routine that checks the referrer in the script... if it is not sent from the page it should be on my site referring it gets dropped. Interestingly, since I thought most of these form submissions were baddy scripts connecting direct to my form script... I actually found that there were many giving a correct referrer... maybe just a good baddy script. But I checked my logs, and they were actually hitting my form page for the submission before hitting my script. Interesting!

Also, make SURE you validate ALL input! This is what I use (for Perl):

$id =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;
$url =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;
$email =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;
$descript =~ s/(b*cc\s*:.*¦to\s*:.*¦content\-type.*¦boundary.*¦\r.*¦\n.*¦\%0a¦\%0d)//g;

NOTE: This forum substitutes a broken vertical bar ("¦") for a solid vertical bar- make sure you make that change if you cut and paste!

I only allow 2 fields to be inputs to be set by the user ($email and $descript)... but I have 2 fields that are set up as hidden fields ($id and $url) for tracking. Since a baddy script COULD inject on those fields, I validate them even if they are hidden. This is an easy code to insert into my scripts.... no sense taking chances.

Good Luck!

Dave

micron

5:55 am on Jun 1, 2007 (gmt 0)

Sorry for the late comment here...

I have developed a custom CMS for a site with hundreds of content pages, each with a very active commenting system. In doing so, I have created about a dozen security checks to combat comment spam. With a few interesting tricks, I've virtually eliminated the once time-consuming hassle of filtering these out.

Nonetheless, I'm always interested in other approaches too. In particular, the following suggestion:

Add #hide { display: none; } to your CSS file.
And <span id="hide">url<input type="text" name="URL" value=""></span> to your form.

It works nicely, but I then I wondered how Google would judge the hidden text... there doesn't seem to be an absolute guarantee of its future safety:

[456bereastreet.com ]

So, perhaps it might be worth exercising some caution in such an approach.

BananaFish

1:05 am on Jun 2, 2007 (gmt 0)

The only reason bots will continually hit an online form is if it's vulnerable. Instead of worrying about captcha and all that, simply use a form script or codebase that correctly filters user input and is not vulnerable to injection attacks.

Solution1

2:16 pm on Jun 2, 2007 (gmt 0)

If possible, disallowing search engines to index your contact form page makes it harder to find, and you'll get less spam. That also rules out any chance of trouble with Google because of using CSS to hide things. But anyway, why would Google care that you hide a form field? Hiding links is much more of a problem.

Disallowing URL's in comment or contact forms rules out the entire reason for spamming them, so that might be the most effective approach possible.