11-16-2007, 04:03 AM
WebProWorld Veteran
Join Date: Nov 2004
Location: UK
Posts: 504
Form Spamming
Hi I hope this is the right place for this:
We have one form on our website that keeps getting filled out with links to pron, viagra and cheap CDs. It's no other forms, just one specific one - which is made in exactly the same way using asp as the others.
What is the purpose of spamming these forms with all this rubbish, and is it any threat to us other than being a bit of a pain? Or is it something we need to stop, and if so, how? We get about 3-4 spam submissions a day.

11-16-2007, 09:25 AM
WebProWorld 1,000+ Club
Join Date: Nov 2006
Location: Steinbach, Manitoba, Canada
Posts: 1,194
Re: Form Spamming
3-4 a day isn't a big deal. It's a PITA to be sure, but doesn't really pose a monstrous security risk, that is to say, as long as the form and associated scripts can only be used to send email to your inboxes.
If the script that sends email from the form can be hacked to send email to anyone, you've got problems. Check with your Server Administrator to ensure that your email script is secure and that email relays have been disabled on that email account.
If the sp@m is becoming a problem, institute a captcha image script to prevent bots from submitting the form. There are tons of free captcha scripts out there.
Here's a link to more info:
The Official CAPTCHA Site

11-16-2007, 09:28 AM
WebProWorld Veteran
Join Date: Dec 2006
Location: Calgary, Alberta, Canada
Posts: 354
Re: Form Spamming
Quote:
Originally Posted by pagetta
... we get about 3-4 spam submissions a day
|
I get 200-300 a day from the form on my blog site! The number of posts you get will increase. One simple way of preventing automatic submissions is to use a captcha on the form. I don't do that because I find them really annoying when I come across them.
Occasionally some of these submissions try and hack into the MySQL database that supports the blog but as long as you take basic precautions to prevent attempts to download code it's not really a problem. There was some discussion on this forum recently about how to prevent the more obvious attacks which is well worth a read.
As to why they do it, I really couldn't say. Nobody ever sees the junk they send out, except the receiver of the form information who is just going to delete them en masse. Presumably there is some benefit to the perps, as there must be to e-mail spammers, but neither have ever persuaded me to click on any of their links.

11-16-2007, 09:32 AM
Moderator
Join Date: Dec 2003
Location: Florida Keys/Western NC
Posts: 1,789
Re: Form Spamming
I get tons from a couple of my forms ... others get none ... I just delete them. Not because I don't like captchas but because I am too lazy to install them and from other webmasters I know they can get around them as the spammers bypass the actual form and go straight to the server ... or so I understand ... the delete key works well for me.

11-16-2007, 10:35 AM
WebProWorld Veteran
Join Date: Nov 2004
Location: UK
Posts: 504
Re: Form Spamming
Cool, OK, thanks for your help everyone! They're not too much of a pain at the minute; I just wanted to check that it is not implying a major security risk. Thank you!

11-16-2007, 02:25 PM
WebProWorld 1,000+ Club
Join Date: Nov 2006
Location: Steinbach, Manitoba, Canada
Posts: 1,194
Re: Form Spamming
Yeah, as I said, just make sure that your email scripts can't be posted to from outside your domain and that your email server has message relay disabled. That alone will foil most attempts to hack your forms.
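
The concern raised in the two posts above, a form-to-mail script that can be made to send email to anyone, usually comes down to submitted values reaching the recipient or header lines of the message. The following is an added example, not code from this thread: a handler that fixes the recipient on the server and refuses line breaks in header values. The addresses, field names and length limits are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values for illustration; the recipient is fixed on the server
# and is never read from the submitted form.
RECIPIENT = "webmaster@example.com"
SENDER = "webform@example.com"
MAX_BODY = 5000


class RejectedSubmission(ValueError):
    pass


def header_safe(value, field):
    """Refuse CR/LF and other control characters in values bound for headers."""
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
        raise RejectedSubmission(f"control character in {field}")
    return value.strip()


def build_message(form):
    """Turn a submitted form (dict of strings) into a mail to the fixed inbox."""
    name = header_safe(form.get("name", ""), "name")[:80]
    subject = header_safe(form.get("subject", ""), "subject")[:120]
    reply_to = header_safe(form.get("email", ""), "email")
    # Accept only one bare address: no display name, no list of addresses.
    _, addr = parseaddr(reply_to)
    if addr != reply_to or "@" not in addr or "," in addr or " " in addr:
        raise RejectedSubmission("email is not a single plain address")

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT          # any to/cc/bcc field in the form is ignored
    msg["Reply-To"] = addr
    msg["Subject"] = f"[contact form] {subject}"
    body = form.get("message", "")[:MAX_BODY]
    msg.set_content(f"From: {name} <{addr}>\n\n{body}")
    return msg
```

The returned message can be handed to smtplib; relaying is a separate setting on the mail server itself, as the post says.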

11-16-2007, 09:45 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
Re: Form Spamming
What kind of forms? Email, comment, contact. There is some good stuff to block any of these, and I get comment spam and it is the most popular.
Captcha is a great suggestion, here are more from Wikipedia
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel
Last edited by mikmik : 11-16-2007 at 09:49 PM.

11-17-2007, 08:24 AM
WebProWorld Pro
Join Date: Sep 2004
Location: Tennessee
Posts: 119
Re: Form Spamming
One simple solution I have found is to periodically change the name of the file or the page.
For example, the form I am using requires the following file to POST the form.
my-site.com.cgi-bin/contact.pl
Simply change the file name to, and the corresponding value on the form itself
my-site.com.cgi-bin/contact2.pl
This takes literally less than 2 minutes and will eliminate those spam postings, usually for a month or two. When you start to get them again, change the file name again.
__________________
Outdoors-411 - Outdoor Recreation Directory.

11-17-2007, 11:39 AM
WebProWorld 1,000+ Club
Join Date: May 2005
Location: Norway
Posts: 4,948
Re: Form Spamming
Related WPW post:
Getting rid of a spammer
<digression>
Quote:
Originally Posted by DaveSawers
As to why they do it, I really couldn't say. Nobody ever sees the junk they send out, except the receiver of the form information who is just going to delete them en masse. Presumably there is some benefit to the perps, as there must be to e-mail spammers, but neither have ever persuaded me to click on any of their links.
|
So that was the reason you
Activeminds Blog - A New Search Engine Approach - February 18th 2007
did accept my last post?
Aside from my subconsciousness liking ad, I consciously not post unrelated links.
I think many from the Simula milieu (I am in the periphery) would even take W3 Schools (that you and I often recommend) as an unserious site on some topics, not knowing enough about programming. I can show you a post there that indicates it too. A Norwegian moderator there from my own home time said something to me about coming from university. I have identified none of the posters there coming from university (having a degree above elementary in programming languages. I may of course be wrong). That does not imply that the site and their forum is not one of the better on the internet.
Links in your and mine signature is of course ad.
You decide on your blog, and I on mine. Of course, I respect your decision not to post my post containing some links to my own pages.
P.S: I was fired from the high school in his home time by the argument that I was too, theoretic. The aim of the School was being in the lead in Europe. I suspect they are. I knew I would be fired.
</digression>
Last edited by kgun : 11-17-2007 at 11:47 AM.

11-18-2007, 09:53 AM
WebProWorld Veteran
Join Date: Dec 2006
Location: Calgary, Alberta, Canada
Posts: 354
Re: Form Spamming
Quote:
Originally Posted by kgun
You decide on your blog, and I on mine. Of course, I respect your decision not to post my post containing some links to my own pages.
|
I didn't intentionally reject one of your comments. They are always relevant and I have no problem keeping your links in because they are relevant too. If one did slip through and get deleted in the midst of loads of spam, I'm sorry. Perhaps you could repost it and I'll give it my urgent attention.
I guess that's the main problem I have with this kind of spam. Important stuff can get missed and that's annoying.
Quote:
Originally Posted by kgun
Links in your and mine signature is of course ad.
|
Yes, I guess that is an ad and could be considered spam. However, I would prefer to see those particular links as a way for anyone who might be interested to find out more about the poster. As for advertizing, I haven't done that for several years. I get more than enough work from my regular clients and occasional personal references. The rest I turn away or refer them to someone else.
Last edited by DaveSawers : 11-18-2007 at 09:57 AM.

11-18-2007, 10:18 AM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
Re: Form Spamming
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel

11-18-2007, 10:33 AM
WebProWorld 1,000+ Club
Join Date: May 2005
Location: Norway
Posts: 4,948
Re: Form Spamming
PEAR :: Package :: HTML_QuickForm2 May be that takes care of it.
Quote:
Originally Posted by DaveSawers
I didn't intentionally reject one of your comments. They are always relevant and I have no problem keeping your links in because they are relevant too. If one did slip through and get deleted in the midst of loads of spam, I'm sorry. Perhaps you could repost it and I'll give it my urgent attention.
|
I can not remember what I wrote.
<digression>
I think there is a fairly large Simula milieu in Canada. Have you heard of that?
</digression>
Last edited by kgun : 11-18-2007 at 10:38 AM.

11-19-2007, 09:34 AM
WebProWorld 1,000+ Club
Join Date: Jul 2003
Location: United Kingdom
Posts: 1,711
Re: Form Spamming
What may help is: As stated is
Quote:
|
use a captcha on the form
|
.
Or and sense IP and block it code.
Captchas
Captchas are used to prevent automated spamming of website submission, posting of blogs and in the use of other online forms. A Captchas Example. May look sometime like this click for audio version and ask the user to enter the characters in to the on-line form as a check that it is a real person using that form.
Free CAPTCHA-Service
CAPTCHA: Telling Humans and Computers Apart Automatically.
Examples of Captchas Craziest Captchas on the Web.
Last edited by TrafficProducer : 11-19-2007 at 09:37 AM.

11-19-2007, 12:56 PM
WebProWorld Veteran
Join Date: Dec 2006
Location: Calgary, Alberta, Canada
Posts: 354
Re: Form Spamming
And that's a perfect example of why users hate captchas!
Is the second character supposed to be a Z or a 2 or just an R or possibly an L in a strange font? As for the fifth character??? Possibly a G or a 9 or maybe a Q? And is the sixth an O or a 0?
I haven't spent any time thinking about this problem, but I am certain there must be a better answer than a captcha.
Last edited by DaveSawers : 11-19-2007 at 01:00 PM.

11-19-2007, 01:25 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
Re: Form Spamming
There are. Some captchas make better graphics than that, but I usually just put comments to be moderated first, and set notification 'notify by email' to review them first.
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel

11-19-2007, 01:53 PM
Moderator
Join Date: Jun 2006
Location: United States
Posts: 1,722
Re: Form Spamming
Microsoft and an animal adoption agency have been experimenting with an alternative form of captcha that uses a massive database of photos of dogs and cats, and the user has to check which images are one or the other.
MSR Asirra: A Human Interactive Proof

11-19-2007, 03:50 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Edmonton, AB, Canada
Posts: 3,406
Re: Form Spamming
wige, can't connect to your blog comments!
DaveSawers
Quote:
|
As for advertizing, I haven't done that for several years. I get more than enough work from my regular clients and occasional personal references. The rest I turn away or refer them to someone else.
|
Integrity! I like sites with no ads. If you are good, word of mouth and references is more than enough to handle.
__________________
What I am is what I am, are you what you are, or what.
Eddie Brickel

01-03-2008, 12:08 PM
WebProWorld Pro
Join Date: Jan 2008
Posts: 267
Re: Form Spamming
Quote:
Originally Posted by pagetta
Hi I hope this is the right place for this:
We have one form on our website that keeps getting filled out with links to pron, viagra and cheap CDs. It's no other forms, just one specific one - which is made in exactly the same way using asp as the others.
What is the purpose of spamming these forms with all this rubbish, and is it any threat to us other than being a bit of a pain? Or is it something we need to stop, and if so, how? We get about 3-4 spam submissions a day.
|
There are several ways to limit or eliminate webform spam. Lots of people rely on CAPTCHA, but personally I don't think it is as effective as it could be.
My suggestion is to use CAPTCHA and process your forms with an SSI language such as PHP.
I create highly secure webforms for several of my clients and I do so by using session variables that eliminate automated scripts from using the forms, then I make sure I do security processing on all the variables inputted into the form and potential variables that may be inserted from an outside script. I make sure to filter out any malicious scripts and especially those that would attempt to turn a webform into a spam-sender's paradise. Generally speaking, if my form is 20-50 lines of code my security scripts will be 250-2500 lines of code.
Another good rule of thumb is to write scripts that will capture and log all the data inserted into your webform. This is especially important for forms using the POST method as this data will not normally be easily visible within your server logs. These security scripts will capture and clean the data and then write the variable data to a separate text file where I can view it later. You'd be surprised how much you can learn about the various techniques being used. You also want to make sure you capture the IP address of anyone using your webforms.
You can also create scripts that will check for open-proxies on the incoming connection and immediately block or disconnect.
If you are experiencing problems with webform spammers in specific countries you can also use Country IP Blocks aka Country IP Blocks dot Net, to get accurate IP Allocations for 239 countries. Country IP Blocks can also create instant .htaccess deny lists. I use them to create Cisco ACL Lists, .htaccess files, and various other Access Control lists. I also wrote the scripts so the database is updated with all the latest IP information at least once a day.
If you need further assistance please let me know.
Last edited by Tech Manager : 01-03-2008 at 12:21 PM.
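
The post above describes two server-side measures: session variables that keep automated scripts from using the form, and logging every submission with its IP address. The following is an added example of one way to do both, not the poster's code: the HMAC token layout, the time thresholds and all names are assumptions, and `session` stands for whatever per-visitor session store the site uses.

```python
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-deployment key (assumption for the example)
MIN_FILL_SECONDS = 3               # assumed: quicker than a person fills in a form
MAX_AGE_SECONDS = 3600


def issue_token(session, now=None):
    """Called when the form page is rendered; ties a nonce to the session."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    session["form_nonce"] = nonce
    mac = hmac.new(SECRET, f"{nonce}:{now}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{now}:{mac}"      # goes into a hidden form field


def check_token(session, token, now=None):
    """Return 'ok' or the reason the POST is refused. The nonce is single use."""
    now = int(time.time() if now is None else now)
    expected = session.pop("form_nonce", None)
    parts = (token or "").split(":")
    if expected is None or len(parts) != 3:
        return "no-session-or-token"   # POST arrived without the form being loaded
    nonce, issued, mac = parts
    good = hmac.new(SECRET, f"{nonce}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not (hmac.compare_digest(mac.encode(), good.encode())
            and hmac.compare_digest(nonce.encode(), expected.encode())):
        return "bad-token"
    age = now - int(issued)
    if age < MIN_FILL_SECONDS:
        return "too-fast"
    if age > MAX_AGE_SECONDS:
        return "expired"
    return "ok"


def log_record(ip, verdict, form, now=None):
    """One JSON line per submission; json.dumps escapes CR/LF inside values."""
    rec = {"ts": int(time.time() if now is None else now), "ip": ip,
           "verdict": verdict, "fields": {k: v[:500] for k, v in form.items()}}
    return json.dumps(rec, sort_keys=True)
```

Append each `log_record` line to a file outside the web root so the POST bodies can be reviewed later.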

01-03-2008, 04:30 PM
WebProWorld New Member
Join Date: Jun 2004
Location: Weston, FL
Posts: 16
Re: Form Spamming
Hi beautiful...
I implemented the most simplistic... yet amazingly effective... mechanism which has obliterated 99.9% of these spam form submissions. No CAPTCHA or fancy footwork required.
Simply:
1. Add an extra Field to your form.
2. Give it a dummy default value (like "STOPSPAM")
3. Flag the field as "Required"
4. Add a requirement for the field "value" to be "Equal to" the dummy default value assigned in #2 above.
That's it.
The theory behind the effectiveness of this method is that most of the Form Spammers tend to add Spam data into every field to attempt to bypass the "Required" fields. By setting up a specific required (dummy) value, their method backfires.
Hope this helps. Oh... and HAPPY NEW YEAR to everyone!!!
Last edited by JacobRusso : 01-03-2008 at 04:34 PM.
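
The four steps in the post above, as an added example that is not the poster's code. It does the "Equal to" comparison on the server, so it also covers requests sent straight to the script without loading the form, which an earlier post mentions. The field name `verify` and the sample submissions are constructed for illustration.

```python
from collections import Counter

SENTINEL_FIELD = "verify"      # hypothetical field name (step 1)
SENTINEL_VALUE = "STOPSPAM"    # dummy default value (step 2)


def screen_submission(form):
    """Apply steps 3 and 4 on the server to one submitted form (a dict).

    A "Required" rule checked only in the browser never sees a POST that is
    sent straight to the script, so the comparison has to happen here.
    """
    if SENTINEL_FIELD not in form:
        return "reject-missing"    # request did not come from the rendered form
    if form[SENTINEL_FIELD] != SENTINEL_VALUE:
        return "reject-altered"    # field was overwritten along with the others
    return "accept"


def tally(submissions):
    """Count verdicts so the site owner can see which behaviour dominates."""
    return Counter(screen_submission(s) for s in submissions)


# Constructed sample submissions, not real traffic.
SAMPLES = [
    {"name": "Ann", "comments": "Please call me back.", "verify": "STOPSPAM"},
    {"name": "cheap cds", "comments": "cheap cds", "verify": "cheap cds"},
    {"name": "cheap cds", "comments": "cheap cds"},
    # A visitor who retypes the visible field is rejected too, so the form
    # should tell people to leave it alone (or keep it out of view).
    {"name": "Bob", "comments": "Opening hours?", "verify": "stopspam"},
]

if __name__ == "__main__":
    for verdict, count in sorted(tally(SAMPLES).items()):
        print(verdict, count)
```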

01-04-2008, 02:43 PM
WebProWorld Member
Join Date: Jan 2005
Posts: 37