WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

  #1 (permalink)  
Old 05-14-2008, 04:15 AM
WebProWorld New Member
 
Join Date: Nov 2003
Location: Hamilton
Posts: 21
fpeter RepRank 0
Default Form spam help needed

Hi Guys and Girls

I need some help and have a few questions most of you will know the answers to but as I am not code minded I need the simplified versions please so nothing too technical.

I am receiving some spam emails through some of my contact forms, I don't have a blog or comments page where you can add to, just contact forms for visitors to submit information for a quote and a form to submit to my directory.

I suspect this is not being done manually but by a spambot as the information will not be added until I check it.
My forms are all on html pages using cgi and formmail.

Now for the questions, how to make them more secure?

1. Is there any way to stop http:// or www being entered into any of the fields, I don't really need this part as I can add it myself when adding the said website to my directory.

2. I want to add a field that will be hidden from visitors, so not filled in, but will presumably be filled in by the spambots and the form information not sent.
I can add a field to my forms but can anyone tell me how to hide it and how to have it rejected?

3. I suspect that some bots don't even go near my forms but send straight to the server, changing the script name on the server used to keep them at bay for a few months but there is one which seems to get through right away.
When you hover over the submit button you can see exactly what action my form is using and the name of the .pl script, can this be encoded or hidden?

I have been everywhere on the internet to find solutions to all of these over the past two months to no avail.
Any help appreciated

Last edited by fpeter; 05-14-2008 at 04:17 AM. Reason: Parts looked confusing
Reply With Quote
  #2 (permalink)  
Old 05-14-2008, 06:09 PM
WebProWorld New Member
 
Join Date: Apr 2006
Location: Gilbert, AZ
Posts: 9
flyclothing RepRank 0
Default Re: Form spam help needed

Create an image verification so the form can't be submitted automatically.
Reply With Quote
  #3 (permalink)  
Old 05-14-2008, 06:30 PM
WebProWorld 1,000+ Club
WebProWorld MVP

Join Date: Nov 2006
Location: Steinbach, Manitoba, Canada
Posts: 1,300
Dubbya RepRank 4
Default Re: Form spam help needed

Because bots tend to enter data in any text field possible, one thing that works fairly well is invisible empty form fields.

HTML Code:
<input type="text" style="display: none;" name="botCheck" value=""/>
After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captchas are nice too but they pose their own problems as users tend to get frustrated with them.

.02
Reply With Quote
  #4 (permalink)  
Old 05-14-2008, 06:40 PM
WebProWorld Pro
 
Join Date: Jan 2008
Posts: 294
Tech Manager RepRank 1
Lightbulb Re: Form spam help needed

Quote:
Originally Posted by flyclothing View Post
Create an image verification so the form can't be submitted automatically.

Forget about image verification. It might slow down some form spammers but it is inefficient at best.


Quote:
1. Is there any way to stop http:// or www being entered into any of the fields, I don't really need this part as I can add it myself when adding the said website to my directory.
You should use a script to validate all your variables. Use regular expressions to limit input to what you will allow. You can also test the variables for specific content or terms. For example: If you wanted to test for the existence of http:// you could probably settle on http: as in the following example (assuming your variable name is $comment):

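<?php
// Default value. extract() with EXTR_IF_EXISTS only overwrites variables
// that already exist, so $_POST cannot create new ones.
$comment = "";
extract($_POST, EXTR_IF_EXISTS);

// Remove any HTML tags before testing the text.
$string1 = strip_tags($comment);

// Case-insensitive test for "http:" anywhere in the field
// (strtok() only looked at the text before the first "/").
if (stripos($string1, "http:") !== false) {

// take evasive action

}

?>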

Keep in mind this is just one of many techniques you could or would use.


Quote:
2. I want to add a field that will be hidden from visitors, so not filled in, but will presumably be filled in by the spambots and the form information not sent.
I can add a field to my forms but can anyone tell me how to hide it and how to have it rejected?
Your question is a bit vague. Hidden form fields are not a good solution as they are not truly hidden. You would be better off populating a session variable using a SSI.

If you want to block spambots you are better off skipping captcha and relying on a human inference script. For example:

<?php
session_start();
?>

Somewhere within your script you could populate a random question. Perhaps a random number between 1 - 1000. Then you could dynamically generate a question within your form asking for the number that immediately follows 763 (or whatever number was dynamically generated). You can do this with numbers, colors, sports questions or even ask for the thirteenth word in a specific paragraph.

When the form is submitted you would test for the existence of this data and validate the answer.


Quote:
3. I suspect that some bots don't even go near my forms but send straight to the server, changing the script name on the server used to keep them at bay for a few months but there is one which seems to get through right away.
When you hover over the submit button you can see exactly what action my form is using and the name of the .pl script, can this be encoded or hidden?
Most of the bots use a script to submit content directly into your form. This can be done dynamically by using other scripts to get the layout of your form and then simply use $_GET or $_POST variables to bypass your form completely. This is why you need to use dynamic variables to help eliminate remote scripting.

There really is no need to hide the action="" within the script. Most (not all) of the secure forms I create use the same page to validate and process the form. If you are using PHP or .ASP or some other SSI you can hide all the validation and processing scripts within the same or another page. The process will remain invisible.

Quote:
I have been everywhere on the internet to find solutions to all of these over the past two months to no avail.
Any help appreciated
I hope my brief answers give you some ideas.
__________________
I use Country IP Blocks as added security for my networks and servers.

Last edited by Tech Manager; 05-14-2008 at 07:54 PM.
Reply With Quote
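The question-and-answer check described in post #4, written out as an added example (not Tech Manager's code). It assumes PHP 7 or later; the field name "challenge" and the session key "challenge_answer" are made up for this sketch.

```php
<?php
// Added example, not code from the thread. "challenge" and
// "challenge_answer" are hypothetical names.
session_start();

// Create a question and keep the expected answer on the server only.
function issue_challenge(): string
{
    $n = random_int(1, 1000);
    $_SESSION['challenge_answer'] = (string) ($n + 1);
    return "What number comes immediately after $n?";
}

// Validate the submitted answer. The stored answer is discarded on every
// attempt, so a captured question/answer pair cannot be replayed.
function check_challenge(array $post): bool
{
    $expected = $_SESSION['challenge_answer'] ?? null;
    unset($_SESSION['challenge_answer']);

    if ($expected === null || !isset($post['challenge']) || !is_string($post['challenge'])) {
        return false; // posted straight to the script without loading the form
    }
    return hash_equals($expected, trim($post['challenge']));
}

$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (check_challenge($_POST)) {
        // Continue to validate and process the rest of the form here.
        echo '<p>Thank you, your message was accepted.</p>';
        exit;
    }
    $error = '<p>Wrong answer, please try again.</p>';
}

// First visit or failed attempt: show the form with a fresh question.
$question = issue_challenge();
?>
<?= $error ?>
<form method="post" action="">
  <label><?= htmlspecialchars($question) ?>
    <input type="text" name="challenge" autocomplete="off"></label>
  <input type="submit" value="Send">
</form>
```

Because the answer is checked against the session rather than against anything in the page, a request sent directly to the script without first loading the form fails the check.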
  #5 (permalink)  
Old 05-14-2008, 07:49 PM
WebProWorld Veteran
 
Join Date: Apr 2004
Posts: 349
imvain2 RepRank 1
Default Re: Form spam help needed

Quote:
Originally Posted by Dubbya View Post
Because bots tend to enter data in any text field possible, one thing that works fairly well is invisible empty form fields.

HTML Code:
<input type="text" style="display: none;" name="botCheck" value=""/>
After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captchas are nice too but they pose their own problems as users tend to get frustrated with them.

.02

I completely agree, seems like I posted this same thing before. LOL, which I actually stole the idea from someone else....

I'm not sure if it matters, but I would maybe change the name of the field to something more common that way it increases the chances of the bot filling in the field. Something like myemail or myphone would work, but isn't required.
Reply With Quote
  #6 (permalink)  
Old 05-14-2008, 07:59 PM
WebProWorld Member
 
Join Date: Aug 2003
Location: Oklahoma
Posts: 33
netroact RepRank 0
Default Re: Form spam help needed

Quote:
Originally Posted by Dubbya View Post
Because bots tend to enter data in any text field possible, one thing that works fairly well is invisible empty form fields.

HTML Code:
<input type="text" style="display: none;" name="botCheck" value=""/>
After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captchas are nice too but they pose their own problems as users tend to get frustrated with them.

.02
Excellent idea. Sure beats adding all those captchas to my contact forms.
Reply With Quote
  #7 (permalink)  
Old 05-15-2008, 06:36 AM
WebProWorld Member
 
Join Date: Oct 2005
Posts: 29
gavinscott RepRank 0
Default Re: Form spam help needed

Quote:
Originally Posted by imvain2 View Post
I'm not sure if it matters, but I would maybe change the name of the field to something more common that way it increases the chances of the bot filling in the field.
Wouldn't adding a name to the field cause a problem for anyone using autofill? The browser would automatically fill the field, and the user wouldn't even realise as it is hidden. You would then be losing valid enquiries; far worse than being spammed.
Reply With Quote
  #8 (permalink)  
Old 05-15-2008, 06:53 AM
WebProWorld New Member
 
Join Date: Nov 2003
Location: Hamilton
Posts: 21
fpeter RepRank 0
Default Re: Form spam help needed

Thank you everyone for your ideas and replying to my questions, most helpful.

I prefer not to go for a captcha or the sum due to the accessibility issues and the fact that it adds something extra to the form to be filled in.

Since posting I have managed to figure out how to add a hidden field to my form using a div:

<div style="display: none;">
<input type="text" name="url1" id="url1">
</div>

I have called it URL1 as I think the bots would like this and fill it in.

I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.

If anyone knows what and where to add it would be very much appreciated?
Reply With Quote
  #9 (permalink)  
Old 05-15-2008, 08:15 AM
WebProWorld Veteran

Join Date: Apr 2008
Location: Toronto On., Ca.
Posts: 471
Terry Van Horne RepRank 4
Default Re: Form spam help needed

If you are referring to formmail by Matt Wright please consider removing the forms. These programs have been around for over 10 years! They've been hacked more than IIS 3 server. The hacks are documented and often used because many older ISPs and hosts support these scripts as free cgi programming. The spambots should be easily thwarted because as I recall there is a function that checks the domain the form was sent from and if it isn't in the list you give it the program will not submit the form and give a "Denied" message. There is a group of programmers who have written replacements for Matt's programs. These require the same skills and are better maintained and have improved security. Do a search on formmail hacks it should be rather enlightening!
__________________
Follow me on Twitter! On the Trail with SOSG How I became a Social Media Convert and Twitter and Agents of Influence and now regular poster at Cloudmixer where We're Mixing New Media Ideas.
Reply With Quote
  #10 (permalink)  
Old 05-15-2008, 12:12 PM
WebProWorld Pro
 
Join Date: Jan 2008
Posts: 294
Tech Manager RepRank 1
Default Re: Form spam help needed

Quote:
Originally Posted by fpeter View Post
Thank you everyone for your ideas and replying to my questions, most helpful.

I prefer not to go for a captcha or the sum due to the accessibility issues and the fact that it adds something extra to the form to be filled in.

Since posting I have managed to figure out how to add a hidden field to my form using a div:

<div style="display: none;">
<input type="text" name="url1" id="url1">
</div>

I have called it URL1 as I think the bots would like this and fill it in.

I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.

If anyone knows what and where to add it would be very much appreciated?
Contrary to the views of others you are not going to accomplish what you want using the display: none characteristic. You might catch a few spambots but not the sophisticated ones.

In response to:

Quote:
I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.
It is quite simple to construct a filter. You can wrap your processing script with something like this:

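// Browsers send empty text fields too, so test for a non-empty value
// rather than for the field's mere presence.
if (isset($_POST['url1']) && $_POST['url1'] !== '') {

// Tell the script what to do if the variable has been filled in. You can exit, break, redirect, etc.

} else {

// Continue to validate and process the data

}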
__________________
I use Country IP Blocks as added security for my networks and servers.

Last edited by Tech Manager; 05-15-2008 at 12:14 PM. Reason: to improve readability
Reply With Quote
  #11 (permalink)  
Old 05-15-2008, 04:56 PM
WebProWorld New Member
 
Join Date: Nov 2003
Location: Hamilton
Posts: 21
fpeter RepRank 0
Default Re: Form spam help needed

Is Matt's Script less secure than NMS Formmail and is there a more secure method to send form data that I could be using?

As for some of the suggestions above, most are beyond my capabilities at the moment as I'm pretty new at this but I don't want to have to learn how to code just to have a contact form, just want a simple solution if one exists.

If I have a problem this is where I come for the answer, All your help is very much appreciated.
Reply With Quote
  #12 (permalink)  
Old 05-16-2008, 09:04 AM
WebProWorld Veteran

Join Date: Apr 2008
Location: Toronto On., Ca.
Posts: 471
Terry Van Horne RepRank 4
Default Re: Form spam help needed

Quote:
Originally Posted by fpeter View Post
Is Matt's Script less secure than NMS Formmail and is there a more secure method to send form data that I could be using?
Yes, in fact that is the project I mentioned above. I replaced Matt's scripts with theirs. Some of the people working on that were gurus back in the days when Perl/cgi ruled and PHP was a gleam in some programmer's eye.
__________________
Follow me on Twitter! On the Trail with SOSG How I became a Social Media Convert and Twitter and Agents of Influence and now regular poster at Cloudmixer where We're Mixing New Media Ideas.
Reply With Quote
  #13 (permalink)  
Old 05-17-2008, 07:28 AM
WebProWorld New Member
 
Join Date: Nov 2003
Location: Hamilton
Posts: 21
fpeter RepRank 0
Default Re: Form spam help needed

Hi Terry Van Horne

I also replaced Matt's script with NMS Formmail a few years ago and everything was fine, I only receive about twenty spam emails per day, so not a lot, they seem to come from the same source as they all contain the same info.

Should I continue to try and make my forms more secure or should I try creating a form using some other method?

What would you recommend?

Thanks in advance
Reply With Quote
  #14 (permalink)  
Old 05-18-2008, 06:24 PM
WebProWorld Pro
 
Join Date: Nov 2006
Posts: 115
qh4dotcom RepRank 1
Default Re: Form spam help needed

My website uses MyContactStation which asks humans to answer a simple math question that spambots can't answer

You can see how it works here...the contact link is at the bottom

QH4.com
__________________
You'll love this free traffic site...now it's getting me 2,000 targeted hits every day.
http://www.traffficswarm.com/wpw.html
Reply With Quote
  #15 (permalink)  
Old 05-29-2008, 02:19 PM
WebProWorld New Member
 
Join Date: May 2008
Posts: 1
skyetech RepRank 0
Default Re: Form spam help needed

How about adding a hidden field that autofills with the browser's session id? Then you don't process the form if the value doesn't match the actual session id. Of course this would only work for spammers that don't visit with a browser.
Reply With Quote
  #16 (permalink)  
Old 05-29-2008, 03:10 PM
WebProWorld 1,000+ Club
WebProWorld MVP

Join Date: Nov 2006
Location: Steinbach, Manitoba, Canada
Posts: 1,300
Dubbya RepRank 4
Default Re: Form spam help needed

Why bother checking the session id? Seems like more work than is necessary.

An empty hidden form field doesn't care what method the bot simulates, if there's data entered in the field, it's invalid. Simple and easy to implement.
Reply With Quote
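The empty hidden field from posts #3 and #8 and the session-bound hidden field suggested in post #15, combined in one server-side check, as an added example that is not any poster's code. It assumes PHP 7 or later; form_token, hidden_fields() and reject_reason() are hypothetical names, and a random per-form token is used in place of the raw session id.

```php
<?php
// Added example, not code from the thread. "url1" is the field name from
// post #8; "form_token" and the function names are hypothetical.
session_start();

// Called when the form page is rendered: returns the hidden inputs.
function hidden_fields(): string
{
    // A random token rather than the session id, so the id itself is
    // never written into the page source.
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
    // autocomplete="off" asks browsers not to autofill the hidden field
    // (the concern raised in post #7); browsers may ignore it.
    return '<input type="hidden" name="form_token" value="' . $_SESSION['form_token'] . '">'
         . '<div style="display: none;">'
         . '<input type="text" name="url1" id="url1" autocomplete="off"></div>';
}

// Returns null when the submission passes, otherwise a fixed reason code.
function reject_reason(array $post, array $session): ?string
{
    $sent  = $post['form_token'] ?? '';
    $known = $session['form_token'] ?? '';
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) {
        return 'no-token';   // POST sent without loading the form first
    }
    if (isset($post['url1']) && $post['url1'] !== '') {
        return 'honeypot';   // the hidden field was filled in
    }
    foreach ($post as $value) {
        // fpeter's question 1: no http:// or www in any field
        if (is_string($value) && preg_match('~https?:|www\.~i', $value)) {
            return 'link';
        }
    }
    return null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reason = reject_reason($_POST, $_SESSION);
    unset($_SESSION['form_token']);   // one submission per rendered form
    if ($reason !== null) {
        error_log("contact form rejected: $reason");
        http_response_code(400);
        exit('Submission rejected.');
    }
    // Continue to validate and process the data, then stop.
    exit('Thank you.');
}

echo '<form method="post" action="">' . hidden_fields()
   . '<textarea name="comment"></textarea>'
   . '<input type="submit" value="Send"></form>';
```

The token check is what addresses requests posted straight to the script: without a session that has rendered the form, there is no stored token to match.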
  #17 (permalink)  
Old 05-30-2008, 02:36 AM
WebProWorld Member
 
Join Date: Mar 2007
Posts: 94
perry321 RepRank 0
Default Re: Form spam help needed

Thanks everyone for some good ideas, especially to you, Dubbya.

Maybe someone can help me and my programmer with my particular situation.

Spam bots are using my ordering form, contact us form, and "send to a friend" form to send me their mail. But here's the thing...if a human is filling out, say, the ordering form, they have to fill out all the boxes, or it can't be sent. But, the bots can do this. My programmer explained how they can do this, but I'm too dumb in this area to understand. heh. But at this point in time, he is still trying to figure out how to stop them.

He's not ready to wave the white flag yet, and neither am I.

Your idea sounds like a good one, but if the bots can send e-mail without having to fill out the forms, period, how can we stop the bastards???

Anyone?

Thanks!


Perry

Last edited by perry321; 05-30-2008 at 02:42 AM.
Reply With Quote
  #18 (permalink)  
Old 06-05-2008, 08:21 PM
WebProWorld Member
 
Join Date: Mar 2007
Posts: 94
perry321 RepRank 0
Default Re:

Uh, well ok, then. ... Thanks.
Reply With Quote
  #19 (permalink)  
Old 07-01-2008, 06:34 AM
WebProWorld New Member
 
Join Date: Mar 2007
Location: Kherson, Ukraine
Posts: 3
VOVAN RepRank 0
Default Re: Form spam help needed

Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
dick.*****@rocketmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job
Reply With Quote
  #20 (permalink)  
Old 07-01-2008, 12:08 PM
WebProWorld Pro
 
Join Date: Jan 2008
Posts: 294
Tech Manager RepRank 1
Default Re: Form spam help needed

Quote:
Originally Posted by VOVAN View Post
Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
dick.*****@rocketmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job
I've added them to my spam list. Thanks for the warning.

But, as an aside, if you want to keep them out of people's spam folders/blacklists you start by not using them to send spam.
__________________
I use Country IP Blocks as added security for my networks and servers.
Reply With Quote
  #21 (permalink)  
Old 07-01-2008, 02:27 PM
WebProWorld 1,000+ Club
WebProWorld MVP

Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,217
deepsand RepRank 9
Default Re: Form spam help needed

Quote:
Originally Posted by VOVAN View Post
Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
dick.*****@rocketmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job
You can't access the "white lists" of recipients.
Reply With Quote
  #22 (permalink)  
Old 07-02-2008, 10:27 AM
WebProWorld 1,000+ Club
WebProWorld MVP

Join Date: Nov 2006
Location: Steinbach, Manitoba, Canada
Posts: 1,300
Dubbya RepRank 4
Default Re: Form spam help needed

VOVAN, if you don't want your email addresses to be harvested by spambots, the first thing you should do is STOP POSTING THEM ON THE INTERNET! (Be it here or in Russian forums)

In doing so, you've pretty much ensured that they'll end up receiving lots and lots of wonderful spam that will require hours of your time to filter out.
Reply With Quote
  #23 (permalink)  
Old 09-15-2008, 07:49 AM
WebProWorld 1,000+ Club

Join Date: Jul 2003
Location: United Kingdom
Posts: 1,642
TrafficProducer RepRank 3
Default Re: Form spam help needed

A classic way to help, nothing's perfect, is to use Captchas. These display text or an image, which a real user has to enter to complete the form.
Reply With Quote
  #24 (permalink)  
Old 09-15-2008, 03:16 PM
WebProWorld 1,000+ Club
WebProWorld MVP

Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,217
deepsand RepRank 9
Default Re: Form spam help needed

Users loathe CAPTCHA as implemented via images.

Better to use Question/Answer challenges.
Reply With Quote