  #1 (permalink)  
Old 05-14-2008, 03:15 AM
WebProWorld New Member
 

Join Date: Nov 2003
Location: Hamilton
Posts: 17
fpeter RepRank 0
Default Form spam help needed

Hi Guys and Girls

I need some help and have a few questions most of you will know the answers to but as I am not code minded I need the simplified versions please so nothing too technical.

I am receiving some spam emails through some of my contact forms, I don't have a blog or comments page where you can add to, just contact forms for visitors to submit information for a quote and a form to submit to my directory.

I suspect this is not being done manually but by a spambot as the information will not be added until I check it.
My forms are all on html pages using cgi and formmail.

Now for the questions, how to make them more secure?

1. Is there any way to stop http:// or www being entered into any of the fields, I don't really need this part as I can add it myself when adding the said website to my directory.

2. I want to add a field that will be hidden from visitors, so not filled in, but will presumably be filled in by the spambots and the form information not sent.
I can add a field to my forms but can anyone tell me how to hide it and how to have it rejected?

3. I suspect that some bots don't even go near my forms but send straight to the server, changing the script name on the server used to keep them at bay for a few months but there is one which seems to get through right away.
When you hover over the submit button you can see exactly what action my form is using and the name of the .pl script, can this be encoded or hidden?

I have been everywhere on the internet to find solutions to all of these over the past two months to no avail.
Any help appreciated

Last edited by fpeter : 05-14-2008 at 03:17 AM. Reason: Parts looked confusing
Reply With Quote
  #2 (permalink)  
Old 05-14-2008, 05:09 PM
WebProWorld New Member
 

Join Date: Apr 2006
Location: Gilbert, AZ
Posts: 9
flyclothing RepRank 0
Default Re: Form spam help needed

Create an image verification so the form can't be submitted automatically.
__________________
Jonathan Hedden
Flyclothing, LLC
PO BOX 1571
Gilbert, AZ 85299
www.flyclothing.com
P: 480.422.7350
F: 480.422.7350
TF: 888-FLYCLOTHING
Reply With Quote
  #3 (permalink)  
Old 05-14-2008, 05:30 PM
Dubbya's Avatar
WebProWorld 1,000+ Club
 

Join Date: Nov 2006
Location: Steinbach, Manitoba, Canada
Posts: 1,260
Dubbya RepRank 3
Default Re: Form spam help needed

Because bots tend to enter data in any text field possible, one thing that works fairly well are invisible empty form fields.

HTML Code:
<input type="text" style="display: none;" name="botCheck" value=""/>
After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captchas are nice too but they pose their own problems as users tend to get frustrated with them.

.02
__________________
Printer ink, inkjet & toner cartridges in Canada
"Price-wise printing supplies"
inkjetOasis.ca
Reply With Quote
  #4 (permalink)  
Old 05-14-2008, 05:40 PM
WebProWorld Pro
 

Join Date: Jan 2008
Posts: 290
Tech Manager RepRank 1
Lightbulb Re: Form spam help needed

Quote:
Originally Posted by flyclothing View Post
Create an image verification so the form can't be submitted automatically.

Forget about image verification. It might slow down some form spammers but it is inefficient at best.


Quote:
1. Is there any way to stop http:// or www being entered into any of the fields, I don't really need this part as I can add it myself when adding the said website to my directory.
You should use a script to validate all your variables. Use regular expressions to limit input to what you will allow. You can also test the variables for specific content or terms. For example: If you wanted to test for the existence of http:// you could probably settle on http: as in the following example (assuming your variable name is $comment):

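<?php
// Read only the field we expect, and only if it is plain text
$comment = (isset($_POST['comment']) && is_string($_POST['comment'])) ? $_POST['comment'] : "";

$string1 = strip_tags($comment);

// stripos() finds "http:" anywhere in the text, in any letter case
if (stripos($string1, "http:") !== false) {

// take evasive action

}

?>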

Keep in mind this is just one of many techniques you could or would use.


Quote:
2. I want to add a field that will be hidden from visitors, so not filled in, but will presumably be filled in by the spambots and the form information not sent.
I can add a field to my forms but can anyone tell me how to hide it and how to have it rejected?
Your question is a bit vague. Hidden form fields are not a good solution as they are not truly hidden. You would be better off populating a session variable using a SSI.

If you want to block spambots you are better off skipping captcha and relying on a human inference script. For example:

<?php
session_start();
?>

Somewhere within your script you could populate a random question. Perhaps a random number between 1 - 1000. Then you could dynamically generate a question within your form asking for the number that immediately follows 763 (or whatever number was dynamically generated). You can do this with numbers, colors, sports questions or even ask for the thirteenth word in a specific paragraph.

When the form is submitted you would test for the existence of this data and validate the answer.


Quote:
3. I suspect that some bots don't even go near my forms but send straight to the server, changing the script name on the server used to keep them at bay for a few months but there is one which seems to get through right away.
When you hover over the submit button you can see exactly what action my form is using and the name of the .pl script, can this be encoded or hidden?
Most of the bots use a script to submit content directly into your form. This can be done dynamically by using other scripts to get the layout of your form and then simply use $_GET or $_POST variables to bypass your form completely. This is why you need to use dynamic variables to help eliminate remote scripting.

There really is no need to hide the action="" within the script. Most (not all) of the secure forms I create use the same page to validate and process the form. If you are using PHP or .ASP or some other SSI you can hide all the validation and processing scripts within the same or another page. The process will remain invisible.

Quote:
I have been everywhere on the internet to find solutions to all of these over the past two months to no avail.
Any help appreciated
I hope my brief answers give you some ideas.
__________________
I use Country IP Blocks as added security for my networks and servers.

Last edited by Tech Manager : 05-14-2008 at 06:54 PM.
Reply With Quote
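The session-backed question described in post #4, written out as an added example (not code from any poster in this thread). It assumes PHP 7 or later, a same-page form as that post suggests, and hypothetical names: the `answer` field and the `challenge` session key.

```php
<?php
// Added example: session-bound "human inference" question.
// Field name 'answer' and session key 'challenge' are assumptions.
session_start();

/** Create a fresh question and keep the expected answer on the server. */
function issue_challenge(): string
{
    $n = random_int(1, 1000);
    $_SESSION['challenge'] = [
        'expected' => (string) ($n + 1),
        'issued'   => time(),
    ];
    return "What number comes immediately after $n?";
}

/** Check a submitted answer; each challenge is single-use and expires. */
function check_challenge(array $post, int $maxAge = 1800): bool
{
    $c = $_SESSION['challenge'] ?? null;
    unset($_SESSION['challenge']);      // used up whether it passes or fails
    if (!is_array($c) || !isset($post['answer']) || !is_string($post['answer'])) {
        return false;                   // no stored question: the form page was never loaded
    }
    if (time() - $c['issued'] > $maxAge) {
        return false;                   // question is too old
    }
    return hash_equals($c['expected'], trim($post['answer']));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_challenge($_POST)) {
        http_response_code(400);
        exit('Sorry, that answer was not right. Please go back and try again.');
    }
    // ... continue to validate and process the data ...
    exit('Thank you, your message was sent.');
}

$question = issue_challenge();
?>
<form method="post" action="">
  <label>Your message <textarea name="comment"></textarea></label>
  <label><?= htmlspecialchars($question, ENT_QUOTES, 'UTF-8') ?>
    <input type="text" name="answer" autocomplete="off"></label>
  <input type="submit" value="Send">
</form>
```

Because the expected answer lives only in the session, a script that posts straight to the handler without first loading the form has no stored question and is rejected.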
  #5 (permalink)  
Old 05-14-2008, 06:49 PM
WebProWorld Pro
 

Join Date: Apr 2004
Posts: 288
imvain2 RepRank 0
Default Re: Form spam help needed

Quote:
Originally Posted by Dubbya View Post
Because bots tend to enter data in any text field possible, one thing that works fairly well are invisible empty form fields.

HTML Code:
<input type="text" style="display: none;" name="botCheck" value=""/>
After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captchas are nice too but they pose their own problems as users tend to get frustrated with them.

.02

I completely agree, seems like I posted this same thing before. LOL, which I actually stole the idea from someone else....

I'm not sure if it matters, but I would maybe change the name of the field to something more common that way it increases the chances of the bot filling in the field. Something like myemail or myphone would work, but isn't required.
Reply With Quote
  #6 (permalink)  
Old 05-14-2008, 06:59 PM
WebProWorld Member
 

Join Date: Aug 2003
Location: Oklahoma
Posts: 25
netroact RepRank 0
Default Re: Form spam help needed

Quote:
Originally Posted by Dubbya View Post
Because bots tend to enter data in any text field possible, one thing that works fairly well are invisible empty form fields.

HTML Code:
<input type="text" style="display: none;" name="botCheck" value=""/>
After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captchas are nice too but they pose their own problems as users tend to get frustrated with them.

.02
Excellent idea. Sure beats adding all those captchas to my contact forms.
Reply With Quote
  #7 (permalink)  
Old 05-15-2008, 05:36 AM
WebProWorld New Member
 

Join Date: Oct 2005
Posts: 11
gavinscott RepRank 0
Default Re: Form spam help needed

Quote:
Originally Posted by imvain2 View Post
I'm not sure if it matters, but I would maybe change the name of the field to something more common that way it increases the chances of the bot filling in the field.
Wouldn't adding a name to the field cause a problem for anyone using autofill? The browser would automatically fill the field, and the user wouldn't even realise as it is hidden. You would then be losing valid enquiries; far worse than being spammed.
Reply With Quote
  #8 (permalink)  
Old 05-15-2008, 05:53 AM
WebProWorld New Member
 

Join Date: Nov 2003
Location: Hamilton
Posts: 17
fpeter RepRank 0
Default Re: Form spam help needed

Thank you everyone for your ideas and replying to my questions, most helpful.

I prefer not to go for a captcha or the sum due to the accessibility issues and the fact that it adds something extra to the form to be filled in.

Since posting I have managed to figure out how to add a hidden field to my form using a div:

<div style="display: none;">
<input type="text" name="url1" id="url1">
</div>

I have called it URL1 as I think the bots would like this and fill it in.

I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.

If anyone knows what and where to add it would be very much appreciated?
Reply With Quote
  #9 (permalink)  
Old 05-15-2008, 07:15 AM
WebProWorld Pro
 

Join Date: Apr 2008
Location: Toronto On., Ca.
Posts: 235
Terry Van Horne RepRank 1
Default Re: Form spam help needed

If you are referring to formmail by Matt Wright please consider removing the forms. These programs have been around for over 10 years! They've been hacked more than IIS 3 server. The hacks are documented and often used because many older ISPs and hosts support these scripts as free cgi programming. The spambots should be easily thwarted because as I recall there is a function that checks the domain the form was sent from and if it isn't in the list you give it the program will not submit the form and give a "Denied" message. There is a group of programmers who have written replacements for Matt's programs. These require the same skills and are better maintained and have improved security. Do a search on formmail hacks; it should be rather enlightening!
Reply With Quote
  #10 (permalink)  
Old 05-15-2008, 11:12 AM
WebProWorld Pro
 

Join Date: Jan 2008
Posts: 290
Tech Manager RepRank 1
Default Re: Form spam help needed

Quote:
Originally Posted by fpeter View Post
Thank you everyone for your ideas and replying to my questions, most helpful.

I prefer not to go for a captcha or the sum due to the accessibility issues and the fact that it adds something extra to the form to be filled in.

Since posting I have managed to figure out how to add a hidden field to my form using a div:

<div style="display: none;">
<input type="text" name="url1" id="url1">
</div>

I have called it URL1 as I think the bots would like this and fill it in.

I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.

If anyone knows what and where to add it would be very much appreciated?
Contrary to the views of others you are not going to accomplish what you want using the display: none characteristic. You might catch a few spambots but not the sophisticated ones.

In response to:

Quote:
I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.
It is quite simple to construct a filter. You can wrap your processing script with something like this:

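// A browser always sends the hidden field, as an empty string, so test its value and not just isset()
if (isset($_POST['url1']) && (!is_string($_POST['url1']) || trim($_POST['url1']) !== '')) {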

// Tell the script what to do if the variable has been filled in. You can exit, break, redirect, etc.

} else {

// Continue to validate and process the data

}

Last edited by Tech Manager : 05-15-2008 at 11:14 AM. Reason: to improve readability
Reply With Quote
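An added example, not code from any poster in this thread: one screening function that combines the hidden `url1` field from post #8 with the "no http:// or www" rule from question 1, run over constructed submissions. It assumes PHP 7 or later; the field names `name` and `comment` and the function name are hypothetical.

```php
<?php
// Added example; 'url1' comes from the thread, other names are assumed.

/**
 * Return the reasons a submission looks automated (empty array = accept).
 * $honeypot is the hidden field; $noLinkFields are fields where a link
 * is never expected.
 */
function screen_submission(array $post, string $honeypot = 'url1',
                           array $noLinkFields = ['name', 'comment']): array
{
    $reasons = [];

    // A browser sends the hidden input as an empty string, so test the
    // value, not mere presence. Whitespace-only counts as empty.
    $trap = $post[$honeypot] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        $reasons[] = 'hidden field filled in';
    }

    // Refuse http:, https: or www. in fields that should never hold a link.
    foreach ($noLinkFields as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $reasons[] = "$field is not text";
            continue;
        }
        if (preg_match('~https?:|\bwww\.~i', strip_tags($value))) {
            $reasons[] = "link in $field";
        }
    }
    return $reasons;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'visitor'                 => ['name' => 'Ann', 'comment' => 'Please quote for 200 flyers', 'url1' => ''],
    'bot filling every field' => ['name' => 'x', 'comment' => 'hello', 'url1' => 'http://spam.example'],
    'direct POST with link'   => ['name' => 'x', 'comment' => 'Visit WWW.spam.example now'],
    'direct POST, plain text' => ['name' => 'x', 'comment' => 'cheap pills'],
];

foreach ($samples as $label => $post) {
    $r = screen_submission($post);
    echo str_pad($label, 26), $r ? 'REJECT: ' . implode('; ', $r) : 'accept', "\n";
}
```

The last sample is accepted: a request that omits the hidden field and carries no link passes both checks, which is the limit of this technique that posts #10 and #17 point at.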
  #11 (permalink)  
Old 05-15-2008, 03:56 PM
WebProWorld New Member
 

Join Date: Nov 2003
Location: Hamilton
Posts: 17
fpeter RepRank 0
Default Re: Form spam help needed

Is Matt's script less secure than NMS Formmail and is there a more secure method to send form data that I could be using?

As for some of the suggestions above, most are beyond my capabilities at the moment as I'm pretty new at this but I don't want to have to learn how to code just to have a contact form, just want a simple solution if one exists.

If I have a problem this is where I come for the answer, All your help is very much appreciated.
Reply With Quote
  #12 (permalink)  
Old 05-16-2008, 08:04 AM
WebProWorld Pro
 

Join Date: Apr 2008
Location: Toronto On., Ca.
Posts: 235
Terry Van Horne RepRank 1
Default Re: Form spam help needed

Quote:
Originally Posted by fpeter View Post
Is Matt's script less secure than NMS Formmail and is there a more secure method to send form data that I could be using?
Yes, in fact that is the project I mentioned above. I replaced Matt's scripts with theirs. Some of the people working on that were gurus back in the days when Perl/cgi ruled and PHP was a gleam in some programmer's eye.
Reply With Quote
  #13 (permalink)  
Old 05-17-2008, 06:28 AM
WebProWorld New Member
 

Join Date: Nov 2003
Location: Hamilton
Posts: 17
fpeter RepRank 0
Default Re: Form spam help needed

Hi Terry Van Horne

I also replaced Matt's script with NMS Formmail a few years ago and everything was fine, I only receive about twenty spam emails per day, so not a lot, they seem to come from the same source as they all contain the same info.

Should I continue to try and make my forms more secure or should I try creating a form using some other method?

What would you recommend?

Thanks in advance
Reply With Quote
  #14 (permalink)  
Old 05-18-2008, 05:24 PM
WebProWorld Pro
 

Join Date: Nov 2006
Posts: 100
qh4dotcom RepRank 0
Default Re: Form spam help needed

My website uses MyContactStation which asks humans to answer a simple math question that spambots can't answer

You can see how it works here...the contact link is at the bottom

QH4.com
__________________
You'll love this free traffic site...now it's getting me 4,000 targeted hits every day.
http://www.traffficswarm.com/wpw.html
Reply With Quote
  #15 (permalink)  
Old 05-29-2008, 01:19 PM
WebProWorld New Member
 

Join Date: May 2008
Posts: 1
skyetech RepRank 0
Default Re: Form spam help needed

How about adding a hidden field that autofills with the browser's session id? Then you don't process the form if the value doesn't match the actual session id. Of course this would only work for spammers that don't visit with a browser.
Reply With Quote
  #16 (permalink)  
Old 05-29-2008, 02:10 PM
Dubbya's Avatar
WebProWorld 1,000+ Club
 

Join Date: Nov 2006
Location: Steinbach, Manitoba, Canada
Posts: 1,260
Dubbya RepRank 3
Default Re: Form spam help needed

Why bother checking the session id? Seems like more work than is necessary.

An empty hidden form field doesn't care what method the bot simulates, if there's data entered in the field, it's invalid. Simple and easy to implement.
Reply With Quote
  #17 (permalink)  
Old 05-30-2008, 01:36 AM
WebProWorld Member
 

Join Date: Mar 2007
Posts: 94
perry321 RepRank 0
Default Re: Form spam help needed

Thanks everyone for some good ideas, especially to you, Dubbya.

Maybe someone can help me and my programmer with my particular situation.

Spam bots are using my ordering form, contact us form, and "send to a friend" form to send me their mail. But here's the thing...if a human is filling out, say, the ordering form, they have to fill out all the boxes, or it can't be sent. But, the bots can do this. My programmer explained how they can do this, but I'm too dumb in this area to understand. heh. But at this point in time, he is still trying to figure out how to stop them.

He's not ready to wave the white flag yet, and neither am I.

Your idea sounds like a good one, but if the bots can send e-mail without having to fill out the forms, period, how can we stop the bastards???

Anyone?

Thanks!


Perry

Last edited by perry321 : 05-30-2008 at 01:42 AM.
Reply With Quote
  #18 (permalink)  
Old 06-05-2008, 07:21 PM
WebProWorld Member
 

Join Date: Mar 2007
Posts: 94
perry321 RepRank 0
Default Re:

Uh, well ok, then. ... Thanks.
Reply With Quote
  #19 (permalink)  
Old 07-01-2008, 05:34 AM
WebProWorld New Member
 

Join Date: Mar 2007
Posts: 3
VOVAN RepRank 0
Default Re: Form spam help needed

Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:

Please don't ask me why these addresses are "spam-like"... I have a specific job
Reply With Quote
  #20 (permalink)  
Old 07-01-2008, 11:08 AM
WebProWorld Pro
 

Join Date: Jan 2008
Posts: 290
Tech Manager RepRank 1
Default Re: Form spam help needed

Quote:
Originally Posted by VOVAN View Post
Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:

Please don't ask me why these addresses are "spam-like"... I have a specific job
I've added them to my spam list. Thanks for the warning.

But, as an aside, if you want to keep them out of people's spam folders/blacklists you start by not using them to send spam.
Reply With Quote
  #21 (permalink)  
Old 07-01-2008, 01:27 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,720
deepsand RepRank 2
Default Re: Form spam help needed

Quote:
Originally Posted by VOVAN View Post
Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:

Please don't ask me why