 |

10-04-2007, 03:31 PM
|
 |
WebProWorld New Member
|
|
Join Date: Sep 2007
Posts: 10
|
|
Contact Us Forms being used for Spams
Hi All
We have been getting spammed with numerous emails via our online forms. Is there a way to avoid these spammers using our forms?
Audrey Paulus
|

10-04-2007, 03:45 PM
|
 |
Moderator
|
|
Join Date: Jun 2006
Location: United States
Posts: 1,648
|
|
Re: Contact Us Forms being used for Spams
Input validation, and using a captcha are probably the best ways to prevent bots from successfully sending these forms.
|

10-07-2007, 10:43 AM
|
|
WebProWorld Veteran
|
|
Join Date: Jul 2003
Location: Spain
Posts: 327
|
|
Re: Contact Us Forms being used for Spams
I have a PHP system which uses 2 pages: the form, and the page2 page, which actually sends the data.
I use a timecheck - the time between entering the form, and posting, must be reasonable.
Also, I create a random value, which is passed via session AND post, and if the two don't match, then the email gets sent to a different address, for checking when I can be bothered. It has only dropped one email into the trash in error, and that is because I had a form on the site that I had forgotten about.
Personally, I find captcha annoying to use, so I don't want to inflict it on my visitors.
|

01-23-2008, 02:39 PM
|
 |
WebProWorld New Member
|
|
Join Date: Sep 2007
Posts: 10
|
|
Re: Contact Us Forms being used for Spams
If I use the captcha, do I need a php or asp system?
|

01-24-2008, 01:15 PM
|
|
WebProWorld Pro
|
|
Join Date: Jan 2008
Posts: 254
|
|
Re: Contact Us Forms being used for Spams
Quote:
Originally Posted by ajpaulus65
If I use the captcha, do I need a php or asp system?
|
If you use captcha you could rely on a javascript solution, instead of using a Server Side language. But, relying on client-side solutions to filter data and prevent spam is never a good idea.
If you are using mail forms on your website the chances are high that you are already using a Server Side language like PHP, ASP, etc.
The key to good form processing is to never, ever, ever, under any circumstances, trust user data input. Filter the data for acceptable content and to prevent the form from being hijacked to send spam to other people. If you follow some sound security principles the odds are you will likely be ok. CAPTCHA is only one tool and it can be circumvented using a variety of methods.
__________________
I use Country IP Blocks as added security for my networks and servers.
Last edited by Tech Manager : 01-24-2008 at 01:16 PM.
Reason: typo and clarification
|

02-02-2008, 12:37 PM
|
|
WebProWorld Veteran
|
|
Join Date: Jul 2003
Location: Bristol, UK
Posts: 965
|
|
Re: Contact Us Forms being used for Spams
A client of mine was getting spammed via the online contact us form but simply adding captcha stopped it. Quite a lot of spam is just spider like programs crawling the net and posting their rubbish in any input or textarea they find and submitting it. I have seen cases in my forum logs where they have posted spam in the search box :-/
The contact form I wrote for them is a single PHP file with javascript and serverside input validation and uses captcha along with sessions.
|

02-02-2008, 05:22 PM
|
|
WebProWorld Pro
|
|
Join Date: Jan 2008
Posts: 254
|
|
Re: Contact Us Forms being used for Spams
Captcha helps but it is not perfect. It really should be used in combination with some additional server side strategies.
__________________
I use Country IP Blocks as added security for my networks and servers.
|

02-03-2008, 02:22 AM
|
|
WebProWorld Veteran
|
|
Join Date: Jul 2003
Location: Bristol, UK
Posts: 965
|
|
Re: Contact Us Forms being used for Spams
I should have also added that they have to wait 10 seconds before the form is accepted and the form has a limited lifespan of seven minutes in which it must be submitted or a new form requested. Most of which I just lifted from Lazarus Guestbook except it doesn't use sessions.
|
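The session token and timing checks described in the posts above, combined in one place. This is an added example, not code from Lazarus Guestbook or from any poster; the function names, the `form_token` field name and the choice to reject (rather than quarantine) on timing are assumptions.

```php
<?php
// Added example. Helper names are hypothetical; a plain array stands in for $_SESSION.
const MIN_FILL_SECONDS = 10;       // wait before a form is accepted (from the post above)
const MAX_FORM_AGE_SECONDS = 420;  // seven-minute form lifespan (from the post above)

// Form page: store a random token and issue time, return the hidden-field value.
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_token'] = $token;
    $session['form_issued'] = $now;
    return $token;
}

// Sending page: returns 'send', 'quarantine' or 'reject'.
function check_submission(array &$session, array $post, int $now): string
{
    $expected = $session['form_token'] ?? null;
    $issued = $session['form_issued'] ?? 0;
    // Single use: clear the stored token so a replayed POST cannot match again.
    unset($session['form_token'], $session['form_issued']);

    $supplied = $post['form_token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'quarantine'; // session and POST values differ: deliver to a review address
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS || $age > MAX_FORM_AGE_SECONDS) {
        return 'reject'; // faster than a person types, or the form has expired
    }
    return 'send';
}

// Constructed walk-through: four submissions at different delays.
$cases = [
    'bot posts after 2 s'      => [2, true],
    'person posts after 45 s'  => [45, true],
    'stale form after 10 min'  => [600, true],
    'POST without the token'   => [45, false],
];
foreach ($cases as $label => [$delay, $sendToken]) {
    $session = [];
    $start = 1200000000; // constructed timestamp
    $token = issue_form_token($session, $start);
    $post = $sendToken ? ['form_token' => $token] : [];
    echo $label, ': ', check_submission($session, $post, $start + $delay), PHP_EOL;
}
```

In a live form the array would be `$_SESSION` after `session_start()`, and `$now` would come from `time()`.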

02-03-2008, 07:47 AM
|
|
WebProWorld Pro
|
|
Join Date: Jan 2008
Posts: 254
|
|
Re: Contact Us Forms being used for Spams
Sounds like you are on the right track.
__________________
I use Country IP Blocks as added security for my networks and servers.
|

02-03-2008, 07:52 AM
|
|
WebProWorld Veteran
|
|
Join Date: Jul 2003
Location: Bristol, UK
Posts: 965
|
|
Re: Contact Us Forms being used for Spams
I should hope so as I've been working on Lazarus for three years now and anti spam is one of the main objectives. To my knowledge Lazarus users receive 0 spam except that which is manually posted and there's little you can do about idiots like that.
Off topic I know but just giving some background information about me.
|

02-03-2008, 08:10 AM
|
|
WebProWorld Pro
|
|
Join Date: Jan 2008
Posts: 254
|
|
Re: Contact Us Forms being used for Spams
I've been working on improved anti-spam methods for years (a never ending battle). My web forms get zero automated spam...Manually added spam is difficult to control, but, all in all, not a big problem.
Now what I would like to see is the ISPs getting more proactive in dealing with spammers on their networks.
__________________
I use Country IP Blocks as added security for my networks and servers.
|

02-03-2008, 10:53 AM
|
|
WebProWorld Veteran
|
|
Join Date: Jul 2003
Location: Bristol, UK
Posts: 965
|
|
Re: Contact Us Forms being used for Spams
Tell me about it. Occasionally I go through my logs and report attempted spamming to either the ISP or the host since a lot of automated spam comes from abused servers and not home PCs. Same thing applies to a sudden non-stop attempt at running exploits against my site. The main problem comes from companies like Layeredtech which own a huge range of IP addresses and don't care what their customers do with their servers. I have blocked all Layeredtech IP addresses and about 50-70% of my error log is the server denying them access.
And what's with WPW not sending me notification emails x-(
|

02-10-2008, 03:12 PM
|
|
WebProWorld New Member
|
|
Join Date: Dec 2007
Posts: 14
|
|
Re: Contact Us Forms being used for Spams
The majority of your spam posts will be an attempt to post urls on your pages... preg_match or strpos the incoming information...
look for phpBB code and html anchor tags...
That will drop your spam posts significantly without having to resort to captcha... if you go with captcha... be aware that you should design your own or at the very least go with a good one... people are determined to break the captcha mechanism... look at how much harder Google captchas have recently become...
be aware that blocking IPs and proxies will essentially at one point or another block access to legitimate users...
Breaking a Visual CAPTCHA
|
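A server-side content screen along the lines of the post above (URLs, phpBB-style link tags, HTML anchors), plus a single-line check on fields that end up in mail headers, which is one way to address the earlier remark about forms being hijacked to mail other people. This is an added example, not code from any poster; the function names, reason labels and the one-URL limit are assumptions.

```php
<?php
// Added example. Function names and the URL limit are hypothetical choices.

// Reasons the message body looks like link spam; an empty array means it passed.
function link_spam_reasons(string $body, int $maxUrls = 1): array
{
    $reasons = [];
    if (preg_match('/<a\b[^>]*\bhref\s*=/i', $body)) {
        $reasons[] = 'html-anchor';
    }
    if (preg_match('/\[(url|link)\b[^\]]*\]/i', $body)) {
        $reasons[] = 'bbcode-link';
    }
    if (preg_match_all('~\bhttps?://~i', $body) > $maxUrls) {
        $reasons[] = 'too-many-urls';
    }
    return $reasons;
}

// Values copied into mail headers must be single-line; the sender must be a valid address.
function header_field_reasons(string $name, string $email): array
{
    $reasons = [];
    if (preg_match('/[\r\n]/', $name . $email)) {
        $reasons[] = 'newline-in-header-field';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'invalid-email';
    }
    return $reasons;
}

// Constructed sample submissions: name, email, message body.
$samples = [
    ['Ann', 'ann@example.com', 'Please send a quote for 200 units.'],
    ['Bot', 'bot@example.com', 'Cheap pills [url=http://spam.example]here[/url]'],
    ['Bot', 'bot@example.com', '<a href="http://spam.example">click</a> http://a.example'],
    ["Bot\r\nsecond line", 'bot@example.com', 'hello'],
];
foreach ($samples as [$name, $email, $body]) {
    $why = array_merge(header_field_reasons($name, $email), link_spam_reasons($body));
    echo $why ? 'flag: ' . implode(', ', $why) : 'accept', PHP_EOL;
}
```

Flagged messages can be routed to a review address instead of being dropped, so a legitimate message that happens to contain a link is not lost.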