Form spam help needed

[fpeter]

Hi Guys and Girls

I need some help and have a few questions most of you will know the answers to but as I am not code minded I need the simplified versions please so nothing too technical.

I am receiving some spam emails through some of my contact forms, I don't have a blog or comments page where you can add to, just contact forms for visitors to submit information for a quote and a form to submit to my directory.

I suspect this is not being done manually but by a spambot as the information will not be added until I check it.
My forms are all on html pages using cgi and formmail.

Now for the questions, how to make them more secure?

1. Is there any way to stop http:// or www being entered into any of the fields, I don't really need this part as I can add it myself when adding the said website to my directory.

2. I want to add a field that will be hidden from visitors, so not filled in, but will presumably be filled in by the spambots and the form information not sent.
I can add a field to my forms but can anyone tell me how to hide it and how to have it rejected?

3.I suspect that some bots don't even go near my forms but send straight to the server, changing the script name on the server used to keep them at bay for a few months but there is one which seems to get through right away.
When you hover over the submit button you can see exactly what action my form is using and the name of the .pl script, can this be encoded or hidden?

I have been everywhere on the internet to find solutions to all of these over the past two months to no avail.
Any help appreciated

[flyclothing]

Create an image verification so the form can't be submitted automatically.

[Dubbya]

Because bots tend to enter data in any text field possible, one thing that works fairly well are invisible empty form fields.

HTML Code:

<input type="text" style="display: none;" name="botCheck" value=""/>

After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captcha's are nice too but they pose their own problems as users tend to get frustrated with them.

.02

[Tech Manager]

Quote:

Originally Posted by flyclothing

Create an image verification so the form can't be submitted automatically.

Forget about image verification. It might slow down some form spammers but it is inefficient at best.

Quote:

1. Is there any way to stop http:// or www being entered into any of the fields, I don't really need this part as I can add it myself when adding the said website to my directory.

You should use a script to validate all your variables. Use regular expressions to limit input to what you will allow. You can also test the variables for specific content or terms. For example: If you wanted to test for the existence of http:// you could probably settle on http: as in the following example (assuming your variable name is $comment):

<?php
$comment="";
extract($_POST, EXTR_IF_EXISTS);

$string1 = strip_tags($comment);
$string1 = strtok($string1, "/");

if($string1 == "http:") {

// take evasive action

}

?>

Keep in mind this is just one of many techniques you could or would use.

Quote:

2. I want to add a field that will be hidden from visitors, so not filled in, but will presumably be filled in by the spambots and the form information not sent.
I can add a field to my forms but can anyone tell me how to hide it and how to have it rejected?

Your question is a bit vague. Hidden form fields are not a good solution as they are not truly hidden. You would be better off populating a session variable using a SSI.

If you want to block spambots you are better off skipping captcha and relying on a human inference script. For example:

<?php
session_start();
?>

Somewhere within your script you could populate a random question. Perhaps a random number between 1 - 1000. Then you could dynamically generate a question within your form asking for the number that immediately follows 763 (or whatever number was dynamically generated). You can do this with numbers, colors, sports questions or even ask for the thirteenth word in a specific paragraph.

When the form is submitted you would test for the existence of this data and validate the answer.

Quote:

3.I suspect that some bots don't even go near my forms but send straight to the server, changing the script name on the server used to keep them at bay for a few months but there is one which seems to get through right away.
When you hover over the submit button you can see exactly what action my form is using and the name of the .pl script, can this be encoded or hidden?

Most of the bots use a script to submit content directly into your form. This can be done dynamically by using other scripts to get the layout of your form and then simply use $_GET or $_POST variables to bypass your form completely. This is why you need to use dynamic variables to help eliminate remote scripting.

There really is no need to hide the action="" within the script. Most (not all) of the secure forms I create use the same page to validate and process the form. If you are using PHP or .ASP or some other SSI you can hide all the validation and processing scripts within the same or another page. The process will remain invisible.

Quote:

I have been everywhere on the internet to find solutions to all of these over the past two months to no avail.
Any help appreciated

I hope my brief answers give you some ideas.

[imvain2]

Quote:

Originally Posted by Dubbya

Because bots tend to enter data in any text field possible, one thing that works fairly well are invisible empty form fields.

HTML Code:

<input type="text" style="display: none;" name="botCheck" value=""/>

After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captcha's are nice too but they pose their own problems as users tend to get frustrated with them.

.02

I completely agree, seems like I posted this same thing before. LOL, which I actually stole the idea from someone else....

I'm not sure if it matters, but I would maybe change the name of the field to something more common that way it increases the chances of the bot filling in the field. Something like myemail or myphone would work, but isn't required.

[netroact]

Quote:

Originally Posted by Dubbya

Because bots tend to enter data in any text field possible, one thing that works fairly well are invisible empty form fields.

HTML Code:

<input type="text" style="display: none;" name="botCheck" value=""/>

After the form is submitted, have your validation script check the hidden field's value, if it's not empty (""), it was submitted by a bot and you can reject the submission. Case closed, problem solved.

Captcha's are nice too but they pose their own problems as users tend to get frustrated with them.

.02

Excellent idea. Sure beats adding all those captchas to my contact forms.

[gavinscott]

Quote:

Originally Posted by imvain2

I'm not sure if it matters, but I would maybe change the name of the field to something more common that way it increases the chances of the bot filling in the field.

Wouldn't adding a name to the field cause a problem for anyone using autofill? The browser would automatically fill the field, and the user wouldn't even realise as it is hidden. You would then be losing valid enquiries; far worse than being spammed.

[fpeter]

Thank you everyone for your ideas and replying to my questions, most helpful.

I prefer not to go for a captcha or the sum due to the accesabilty issues and the fact that it adds something extra to the form to be filled in.

Since posting I have managed to figure out how to add a hidden field to my form using a div:

<div style="display: none;">
<input type="text" name="url1" id="url1">
</div>

I have called it URL1 as I think the bots would like this and fill it in.

I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.

If anyone knows what and where to add it would be very much appreciated?

[Terry Van Horne]

If you are referring to formmail by Matt Wright please consider removing the forms. These programs have been around for over 10 years! They've been hacked more than IIS 3 server. The hacks are documented and often used because many older ISPs and hosts support these scripts as free cgi programming. The spambots should be easily thwarted because as I recall there is a function that checks the domain the form was sent from and if it isn't in the list you give it the program will not submit the form and give a "Denied" message. There is a group of programmers who have written replacements for Matt's programs. These require the same skills and are better maintained and have improved security. Do a search on formmail hacks it should be rather enlightening!

[Tech Manager]

Quote:

Originally Posted by fpeter

Thank you everyone for your ideas and replying to my questions, most helpful.

I prefer not to go for a captcha or the sum due to the accesabilty issues and the fact that it adds something extra to the form to be filled in.

Since posting I have managed to figure out how to add a hidden field to my form using a div:

<div style="display: none;">
<input type="text" name="url1" id="url1">
</div>

I have called it URL1 as I think the bots would like this and fill it in.

I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.

If anyone knows what and where to add it would be very much appreciated?

Contrary to the views of others you are not going to accomplish what you want using the display: none characteristic. You might catch a few spambots but not the sophisticated ones.

In response to:

Quote:

I use CGI Formmail 3.14c1 to validate and send the form but I am stumped as to the part to add to tell the form not to send if this field has anything in it.

It is quite simple to construct a filter. You can wrap your processing script with something like this:

if(isset($_POST['url1']) {

// Tell the script what to do if the variable has been filled in. You can exit, break, redirect, etc.

} else {

// Continue to validate and process the data

}

[fpeter]

Is Matts Script less secure than NMS Formmail and is there a more secure method to send form data that I could be using?

As for some of the suggestions above, most are beyond my capabilities at the moment as I'm pretty new at this but I don't want to have to learn how to code just to have a contact form, just want a simple solution if one exists.

If I have a problem this is where I come for the answer, All your help is very much appreciated.

[Terry Van Horne]

Quote:

Originally Posted by fpeter

Is Matts Script less secure than NMS Formmail and is there a more secure method to send form data that I could be using?

Yes, in fact that is the project I mentioned above. I replaced Matt's scripts with theirs. Some of the people working on that were guru's back in the days when Perl/cgi ruled and PHP was a gleam in some programmers eye.

[fpeter]

Hi Terry Van Horne

I also replaced Matt's script with NMS Formail a few years ago and everything was fine, I only receive about twenty spam emails per day, so not a lot, they seem to come from the same source as they all contain the same info.

Should I continue to try and make my forms more secure or should I try creating a form using some other method?

What would you recommend?

Thanks in advance

[qh4dotcom]

My website uses MyContactStation which asks humans to answer a simple math question that spambots can't answer

You can see how it works here...the contact link is at the bottom

QH4.com

[skyetech]

How about adding a hidden field that autofills with the browser's session id? Then you don't process the form if the value doesn't match the actual session id. Of course this would only work for spammers that don't visit with a browser.

[Dubbya]

Why bother checking the session id? Seems like more work than is necessary.

An empty hidden form field doesn't care what method the bot simulates, if there's data entered in the field, it's invalid. Simple and easy to implement.

[perry321]

Thanks everyone for some good ideas, especially to you, Dubbya.

Maybe someone can help me and my programmer with my particular situation.

Spam bots are using my ordering form, contact us form, and "send to a friend" form to send me their mail. But here's the thing...if a human is filling out, say, the ordering form, they have to fill out all the boxes, or it can't be sent. But, the bots can do this. My programmer explained how they can do this, but I'm too dumb in this are to understand. heh. But at this point in time, he is still trying to figure out how to stop them.

He's not ready to wave the white flag yet, and neither am I.

Your idea sounds like a good one, but if the bots can send e-mail without having to fill out the forms, period, how can we stop the bastards???

Anyone?

Thanks!


Perry

[perry321]

Uh, well ok, then. ... Thanks.

[VOVAN]

Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
dick.*****@rocketmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job

[Tech Manager]

Quote:

Originally Posted by VOVAN

Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
dick.*****@rocketmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job

I've added them to my spam list. Thanks for the warning.

But, as an aside, if you want to keep them out of people's spam folders/blacklists you start by not using them to send spam.

[deepsand]

Quote:

Originally Posted by VOVAN

Hey everyone.

I'd like to know, how to make sure my emails are put NOT into SPAM folders of mail clients?

Here is the list of my email addresses:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
dick.*****@rocketmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job

You can't access the "white lists" of recipients.

[Dubbya]

VOVAN, if you don't want your email addresses to be harvested by spambots, the first thing you should do is STOP POSTING THEM ON THE INTERNET! (Be it here or in Russian forums)

In doing so, you've pretty much ensured that they'll end up receiving lots and lots of wonderful spam that will require hours of your time to filter out.

[TrafficProducer]

I classic way to help, nothings perfect, is to use Captchas. These display text, or image which a real user has to enter to complete the form.

[deepsand]

Users loath CAPTCHA as implemented via images.

Better to use Question/Answer challenges.