Internet Security Discussion Forum. This forum is for the discussion of security related issues. If you find a new phishing scheme, spyware, virus or malicious site, let us know about it. If any of the above found you... here's where you ask for help.
I have a hotel site which uses an online booking form. It's written in Expression Web.
There is an area for special requests, i.e. disabled facilities, extra beds, cot etc. I constantly get spam mail on it. Trying to make up a form which covers all the eventualities with buttons or lists doesn't seem to cover all the questions people ask, so I'd rather keep the text area if I can. Does anyone know a way to prevent the spammers using it? Ree
__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO
CAPTCHAs aren't really a good idea. They work for the problem of spammers, but cause new problems with customer usability.
You could always follow the K.I.S.S. process. Create a text field and name it, then wrap that field in a div with display:none. Then in the server-side form processing code, look to see if the form field myemail is empty; if it's not empty, then don't allow the form to be submitted.
Code:
<div style="display:none;">
<input type="text" name="myemail" value="">
</div>
I have run this on many sites and it stopped all spam forms from being sent. Also, if your code looks for a specific field to start processing, I would change the name of that field, since the spammers already have that field name stored in their system.
Most of my forms are coded within the CMS I use and fairly spamproof, but friends of mine have a unique way of handling this with their static html site. They've done a sort of backward captcha. It's a text field that is hidden offscreen by using the css. If it's filled in, then the email is simply discarded since it will only be filled out by 'bots. Humans will never see it so they never fill in that field.
I agree with imvain2 -> the invisible field is a really simple and great way to check if it's a SPAMBOT or human without impacting on your customer.
All you need to do is write code which says:
Code:
<?php
// the hidden field is only ever filled in by bots, so anything in it marks the submission as spam
if (!empty($_POST["myemail"])) {
    $spam = true;
} else {
    $spam = false;
}
?>
Code:
if (!$spam) {
    // send your email
}
__________________
------------------------------------------------- World Music World - bringing the World's Folk Music Cultures Together http://www.worldmusicworld.com/ -------------------------------------------------
I have a couple of older sites that would benefit from this...
__________________
Ron Boyd website consulting (design, optimization, marketing) :: Follow Me: @orionsweb
I like the invisible field suggestion and I'll have to try it. But I have also used a CAPTCHA solution that is very easy to work with. Even though all CAPTCHAs present usability issues, this one, at least, has an audio version that reads the image for the visually impaired and also has a reload button to generate another CAPTCHA image if the first was too hard to read. Check it out at ProtectWebForm.com. I wouldn't use it for secure information because it seems to run the captured inputs through their server and then route them back to your server, but for your run-of-the-mill inquiry form, it's okay. Another interesting version of CAPTCHA is found at ReCaptcha.net.
You need to lock down your forms. You can use a CAPTCHA system, or you can have a photo displayed and ask the user what is in the photo, like a cat or a dog. The scripts at green-beast.com might be good, but they have problems I see right away. Never send or allow the script to send a copy to the user's e-mail, because spammers will use it to send spam to other users using your form. Hard-code all headers (To:, From:, Subject:). Do not enter any data into these fields from your contact form, because spammers can inject code into the headers, take control of your mailer and send spam to others. You can try to trap the injected code, but you may miss something; better safe than sorry. Put the sender's From address and subject line inside the body of the message, and hard-code your e-mail address into the To and From lines. What the others said about having dummy fields is also a great idea.
__________________
--- * SLMR v2.0 * Have many Nice days
Last edited by tmaster; 04-30-2008 at 11:51 PM.
Here's the full PHP script of my anti-spam check, which also checks for "bad" characters, checks if the extra e-mail field was filled in, and writes a timestamp to see if the form was submitted too quickly or too long after being generated, i.e. it was saved offline and submitted by bots.
And as tmaster says, always hard-code the To: From: Subject: fields. In the PHP header code:
Code:
// start with both flags cleared
$spam = false;
$error = false;
// all submitted values joined into one string for the pattern checks
$allFields = implode(' ', $_POST);
// check if any of the SPAMBOT criteria are true
if (preg_match("/bcc:|cc:|multipart|url|Content-Type:/i", $allFields)) {
    $spam = true;
}
// more than three links in a submission is a strong spam signal
if (preg_match_all("/<a|http:/i", $allFields, $out) > 3) {
    $spam = true;
}
// the hidden field is only ever filled in by bots
if (!empty($_POST['emailagain'])) {
    $spam = true;
}
// if e-mail is not formatted correctly, show error message
// (eregi() was removed in PHP 7; this is the same pattern with preg_match() and the /i flag, dots escaped)
if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $_POST['email'] ?? '')) {
    $error = true;
}
// hidden timestamp missing or more than an hour old: the form was saved and replayed later
if (!isset($_POST['formtime']) || $_POST['formtime'] < time() - 3600) {
    $spam = true;
}
In the form, I add these fields:
Code:
<span style="display:none;visibility:hidden;">
<label for="emailagain">Do not enter anything in this field as it's designed to stop SPAMBOTS!</label>
<input type="text" name="emailagain" id="emailagain" value="" />
<input type="text" name="formtime" value="<?php echo time(); ?>" />
</span>
Niggles
__________________
------------------------------------------------- World Music World - bringing the World's Folk Music Cultures Together http://www.worldmusicworld.com/ -------------------------------------------------
Very clever solution imvain2. I like it. It is a good added layer to go along with a CAPTCHA, server-side validation, and a mod_rewrite solution that I use, shown below.
Code:
<div style="display:none;">
<input type="text" name="myemail" value="">
</div>
One should never be too arrogant to think that a spammer or hacker can't get through one layer of defense. While they do depend on automated bots to do most of the heavy lifting, there are real humans behind these bots who can very easily look at the source code of a webpage and make code modifications to their bots faster than we can say boo. This mod_rewrite solution that you can add to your server's .htaccess file can be very useful if implemented correctly, and along with the other suggestions on this thread can create a very good multi-pronged approach.
Code:
RewriteEngine On
# Code needed in case server config hasn't completely enabled Mod Rewrite
RewriteBase /
# only act on POST requests to the form-processing page
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .*your_posting_page\.php
# ... that arrive without a Referer from this site, or with no User-Agent at all
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://www.yourdomain.com/errorpage.htm [R,L]
__________________
Eric Nelson, Ph.D. <<SlickRockWeb>> Affordable SEO, Plan your Belize vacation early.
It looks as if most of the spam is generated by software that detects forms and fills in a few random fields.
When we started getting a lot of spam, we simply added a check to ensure that the contents of one field were numeric. If the field didn't contain numeric data, we returned a polite request for this field to be completed. An email would only be generated if this field contained numeric data. Also, the email address was only contained within the PHP code. Since we implemented this change, we haven't had any spam getting through from the form. Hope this helps, Tim
WebSphere MQ
If you are going to go down the CAPTCHA route, then make sure you check out various solutions before settling on one. Some of the third-party CAPTCHA packages can be very difficult for even the most able-eyed of people to understand. Personally I feel that a bad example would be Google's keyword suggestion tool site, while an example going to the opposite extreme would be my own CD duplication site. The latter is too easy for programs to read, while at times the former can be way too skewed to read properly. The hidden field idea is also new to me, and I'll be looking at trying this out!
------------------------------
Last edited by jawn_tech; 05-02-2008 at 03:07 PM. Reason: Sig links are for profile edits only, not to spam in body of message.
Even if you follow the advice from the other members, it will be hard if not impossible to get your e-mail address removed from the spammers lists.
What I would do is setup another e-mail address and have Gmail fetch the e-mail from the old address, filter out the spam and forward the e-mail to your new address.
__________________
You'll love this free traffic site...now it's getting me 2,000 targeted hits every day. http://www.traffficswarm.com/wpw.html
Thanks everyone for all the suggestions.
I'm not worried about them collecting my e-mail address as I always code them. It's just the nuisance value. I've taken it all on board and I'll try one or two and see what happens. Thanks again, Ree
Taking all your good advice into consideration, we've put together this form:
Contacte a GRUATEC en San José, Costa Rica. We don't know PHP so well. We copy code from here and there and then test it. How do I know for sure that spammers aren't going to use this form to send spam to other people? What is it exactly that I have to enter in the fields to check it? I know it has to be something that uses slashes and other symbols, but I don't know exactly what. Thank you for your help.
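Pulling together the hidden honeypot field (imvain2, Niggles), the timestamp check (Niggles) and the hard-coded mail headers (tmaster) from the posts above, and giving a way to answer the "what do I enter to check it" question, here is an added example that is not code from any post in this thread. It assumes the field names emailagain and formtime, example addresses, and a server-side secret; signing the timestamp with an HMAC goes beyond the thread's plain time() field so that a bot cannot simply post a fresh timestamp of its own.

```php
<?php
// Added example (not code from this thread): honeypot field, signed timestamp and
// hard-coded mail headers in one handler. Field names, addresses and the secret are assumptions.
const HONEYPOT = 'emailagain';  // hidden field that must stay empty
const MIN_SECS = 5;             // faster than a human fills the form
const MAX_SECS = 3600;          // stale form, e.g. saved offline and replayed later
const FORM_KEY = 'change-me';   // assumed server-side secret for signing formtime

// Emit this as the hidden formtime value; the HMAC stops a bot posting a fresh time() of its own.
function formtimeToken(int $ts): string {
    return $ts . '.' . hash_hmac('sha256', (string)$ts, FORM_KEY);
}

// Returns the reasons a submission looks automated; an empty array means it passed.
function spamReasons(array $post, int $now): array {
    $reasons = [];
    if (!empty($post[HONEYPOT])) { $reasons[] = 'honeypot filled'; }
    [$ts, $mac] = array_pad(explode('.', (string)($post['formtime'] ?? ''), 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_KEY), $mac)) {
        $reasons[] = 'formtime missing or tampered';
    } elseif ($now - (int)$ts < MIN_SECS || $now - (int)$ts > MAX_SECS) {
        $reasons[] = 'submitted too quickly or too late';
    }
    // A CR or LF in a value that reaches mail() would let the sender append header
    // lines of its own, so any line break in a single-line field is rejected outright.
    foreach (['name', 'email', 'subject'] as $f) {
        if (preg_match('/[\r\n]/', (string)($post[$f] ?? ''))) { $reasons[] = "line break in $f"; }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) { $reasons[] = 'malformed e-mail address'; }
    return $reasons;
}

// Every header is hard-coded; the visitor's name, address and subject only ever go in the body.
function buildMail(array $post): array {
    return ['to'      => 'bookings@example.com',
            'subject' => 'Web form booking request',
            'headers' => "From: webform@example.com\r\nReply-To: webform@example.com",
            'body'    => "Name: {$post['name']}\nE-mail: {$post['email']}\n"
                       . "Subject: {$post['subject']}\n\n{$post['request']}"];
}

// Constructed submissions for a quick self-check: one genuine, one bot-like.
function selfCheck(): array {
    $now  = time();
    $good = ['name' => 'Ree', 'email' => 'ree@example.com', 'subject' => 'Extra cot',
             'request' => 'One cot please.', 'formtime' => formtimeToken($now - 30)];
    $bot  = [HONEYPOT => 'x', 'subject' => "Extra cot\r\nextra line"] + $good;
    return ['good' => spamReasons($good, $now), 'bot' => spamReasons($bot, $now)];
}
```

In the real handler call spamReasons($_POST, time()) and only pass buildMail($_POST) to mail() when it returns an empty array; selfCheck() should give an empty list for the genuine submission and two reasons (honeypot filled, line break in subject) for the bot-like one.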
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved. Privacy Policy and Legal. iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509