combat spam

[fpeter]

Thank you to everyone who answered my questions on my other post, the answers were excellent although some of them a bit beyond me to impliment.

Having thought about form and comment spam in a different way over the past few days I have come up with some ways to try and combat this.

I'm not sure if any of these will help or not but here goes with the ideas I had.

Spammers want to populate your forms with fake email addresses and links to website etc.

What if you split the email address field into two, the first field for the email address up to but not including the "@" symbol, the second field for the part after this symbol.
You could always add an image of the "@" symbol in the middle of these two fields so not to confuse visitors.

Then you would need to check for the "@" symbol in these fields and reject the data if present, presumably if spambots fill these fields you would get two email addresses and the "@" symbol in both.

For the web addresses you could always write the www part before the form field or even have an image of this and then check if that is added to the field and reject the data also.

A problem could be autofill and programs like Roboform etc that will populate these fields, Is there a way to disable autofill on forms?
How would you impliment any of these if they are are worth adding?

Hope i've at least given you something to think about and I apologise in advance if it's a bit vague.

[puamana]

I've been combatting the same issue for some time now, I like to have a form on my site for people to contact me with specific input, but the spamming has gotten SO out of hand, I'm tempted to do away with them entirely... a terrible time waster, checking each submission to see if it's legitimate or not...

It seems so stupid to me, to even bother with these forms, since submissions usually only go to a single email address.

I am wondering if there might be some way to bend .htaccess to our use in blocking the spambots from filling in and submitting the forms?

perhaps, requiring the presence of a unique ip address? Just a thought. I know that htaccess can block spiders from specific areas of a website, while allowing browser views of that content...

Is this at all a possibility?

Mahalos,
Puamana

[Weedy Lady]

To fpeter:

If you split the field it will violate the K.I.S.S. rule and about 40% (or more) of the real people who fill out the form will do it wrong. If it is important to you to receive messages from your web site visitors I strongly suggest that you do not use a split field.

Even the "brightest and best" Web Pro World forum members often misread a thread and then post answers that aren't pertinent to the question............think of what having to actually read and think would do to the average person trying to fill out your form??????

I tried several things with forms and form validation methods, none of which were satisfactory - so I finally made a graphic with my email address on it which people have to read and type into their own email to contact me. It actually works.

The graphic is complicated enough that the spam bots can't decode it and read my email address, but easy for real people to read. See it here: Happy Day Cards CONTACT ME Page

Have a good day!

[incrediblehelp]

Why arent you guys just using captcha's?

[Weedy Lady]

Yeah, I tried those. Didn't work on my site. Not being super-tech savvy I probably did something wrong, but it was too frustrating.

ALSO, when I am on a site that does use capptchas I find that often I have to try to type in the thing 2 or 3 times and this is extremely frustrating. I didn't want to do this to my visitors.

[itsdonny]

I read a great idea here a while ago where this webmaster incorporated an invisible field for someone to put there website or some other item. Viewers couldn't see that field so of course it wouldn't be filled in. This was the cue that the form was not from a robot spammer. The robots would see and fill in the invisible field for 'website' or whatever and when submitted the form would of course not go through. This is something I would like to incorporate on my contact page. If someone knows how to do it let me know please.

Don

PS: I am currently encoding my emails using Mysterious Ways - Hide Email Addresses from Spam Harvesters but I'm getting a bunch of spam which makes me think that spam harvesters know how to decode now.

[z28com]

Use this code to post your email address on your web site to stop spambots from harvesting your email address and allow real people to send you email:

<script type="text/javascript" language="">
user ="joeblow"
domain ="yahoo.com"
subCon = "Email question"
document.write('<a href="mailto:' + user + '@' + domain +'?subject=' +subCon+' " ' +' >' + user + '@' + domain +'</a>');
</script>

This will allow the person to send an email to joeblow@yahoo.com

Replace the email address above with your own and try it out. They can click on the link or cut and paste as normal. For a spambot, they will skip right past it. Try software such as Email Extractor Pro and you'll see that it will pass with flying colors. This has DRASTICALLY reduced spam for many of my clients.

Another example:

<script language=javascript>
<!--
var x1 = "johndoe";
var x2 = "hogvalley.com";
document.write("<a href=" + "ma" + "ilto:" + x1 + "@" + x2 + ">Email Webmaster for info</a>")
//-->
</script>

[fpeter]

Hi everyone

Since posting this I have had time to think and you are right, splitting the email field makes it far too complicated to fill in the form and as Weedy Lady has said many people won't read the it, I don't have a clue what K.I.S.S is anyway.

Weedy Lady has a good idea bit it's hardly a contact form just an image of your email address, my visitors need to leave information to be added to a directory.

It seems everywhere I look for a solution the more obsticles I find but I have never been one for giving up.

So splitting the email address won't work, so what will?

Seems the only idea that won't complicate matters for the visitors is the hidden field which when filled by the bots gets rejected.

Anyone out there using this method with NMS formmail or CSS, I would love to hear from you and how you implimented it.

Please note that you will be explaining this to a person with very little coding experience.

[deepsand]

Quote:

Originally Posted by incrediblehelp

Why arent you guys just using captcha's?

1) Users hate CAPTCHAs.

2) Human readable CAPTCHAs are insufficiently machine-proof.

3) CAPTCHAs that are not machine readable lead to item no. 1.

[Weedy Lady]

Probably several other people will tell you also, but K.I.S.S. means "keep it simple, stupid"..........

[bluemi]

Why don't you use the FormMail script from Tectite.com? I have managed to get my forms almost 100% spam free with it.

[z28com]

I have used Tectite and still got tons of form spam with it.

I use this to create forms and it seems to have worked the best:

CoffeeCup Web Form Builder - Create Web Forms without using HTML or Scripts !

It creates a Flash form that bots never mess with, plus it makes really nice looking forms as opposed to using HTML.

[Akashic]

Why not a simple question that humans can read and bots can't ? 1 + 2 = ?

Surely it follows the KISS theory in every way.

[z28com]

Quote:

Originally Posted by Akashic

Why not a simple question that humans can read and bots can't ? 1 + 2 = ?

Surely it follows the KISS theory in every way.

If you use that Javascript, you can safely post your real email address on your web site without fear of the bots or making the users answer any kind of questions. That just frustrates people.

[Raoul VdC]

Splitting the email field is the easiest solution for the webmaster, but makes it more complicated for the vistor as it is not clickable anymore. I use the JavaScript code and never had a problem with harvesters.
For the webforms I use a "user-friendly" CAPTCHA where the visitor does NOT have to type in anything.
Examples are to be found in the free e-book JavaScript Vitamins: Free JavaScripts, Tutorials, Example Code, Reference, Resources, And Help

[colincartwright]

I agree with Z8, I now exclusively use Coffee Cup's Web Form builder. It generates awsome forms, with background images - anything you like and because it designs forms in shockwave flash, spambots simply cannot even see the resulting forms, let alone fill them in. Anyone with no skills at all can easily learn to use it. I would highly reccommend the thing.

I have created over 100 customer forms to date and not one has ever reported any spam at all.

Of course downside is the user needs shockwave flash on their PC to be able to use the forms, but the majority now do.

Colin

[z28com]

Quote:

Originally Posted by Raoul VdC

Splitting the email field is the easiest solution for the webmaster, but makes it more complicated for the vistor as it is not clickable anymore. I use the JavaScript code and never had a problem with harvesters.
For the webforms I use a "user-friendly" CAPTCHA where the visitor does NOT have to type in anything.
Examples are to be found in the free e-book JavaScript Vitamins: Free JavaScripts, Tutorials, Example Code, Reference, Resources, And Help

If you use my Javascript example above, people can cut and paste and the link is clickable. I get virtually no spam on email addresses I have tested it with. And the stuff that I did get was from real humans (mainly Chinese people trying to sell me stuff related to my web site and not Cialis or Viagra spam.)

[z28com]

Quote:

Originally Posted by colincartwright

I agree with Z8, I now exclusively use Coffee Cup's Web Form builder. It generates awsome forms, with background images - anything you like and because it designs forms in shockwave flash, spambots simply cannot even see the resulting forms, let alone fill them in. Anyone with no skills at all can easily learn to use it. I would highly reccommend the thing.

I have created over 100 customer forms to date and not one has ever reported any spam at all.

Of course downside is the user needs shockwave flash on their PC to be able to use the forms, but the majority now do.

Colin

That software does rock.

[deepsand]

Quote:

Originally Posted by z28com

If you use my Javascript example above, people can cut and paste and the link is clickable.

In my experience, far too many users cannot copy/cut & paste with a proficiency sufficient for its being relied on for critical operations.

[z28com]

Quote:

Originally Posted by deepsand

In my experience, far too many users cannot copy/cut & paste with a proficiency sufficient for its being relied on for critical operations.

If you tried the script, you will see that the email address is clickable. It does the exact same function as somebody putting in something such as:

<A HREF="mailto:joeblow@somewhere.com">joeblow@somewh ere.com</A>

The visitor can click or cut and paste and the email address being posted won't have spambots harvesting it.

[littlegiant]

I killed spam dead on my feedback form by using Javascript to write out a hidden input:

<script type="text/javascript">
<!--
document.write('<input type=\"hidden\" name=\"xyzxyzxyz\" value=\"test\">');
// -->
</script>

Then I made that hidden input a required field in the script that processes the form.

Then I used Javascript to write out the Submit button.

<script type="text/javascript">
<!--
document.write('<input type=\"submit\" value=\"Submit\">');
// -->
</script>
<noscript>Javascript must be enabled to submit this form.</noscript>

Boom. No more spam.

Not going to win any awards for accessibility (since Javascript must be enabled to submit the form) but it worked.

[z28com]

Quote:

Originally Posted by littlegiant

I killed spam dead on my feedback form by using Javascript to write out a hidden input:

<script type="text/javascript">
<!--
document.write('<input type=\"hidden\" name=\"xyzxyzxyz\" value=\"test\">');
// -->
</script>

Then I made that hidden input a required field in the script that processes the form.

Then I used Javascript to write out the Submit button.

<script type="text/javascript">
<!--
document.write('<input type=\"submit\" value=\"Submit\">');
// -->
</script>
<noscript>Javascript must be enabled to submit this form.</noscript>

Boom. No more spam.

Not going to win any awards for accessibility (since Javascript must be enabled to submit the form) but it worked.

That's an awesome idea for forms. I will have to start putting that on some of mine. Thanks for that tip.

[tbond]

i've used several techniques. Some work on WordPress sites, some work only on PHP/HTML sites. The javascript version allows you to display a normal looking email address in the footer or where ever you want.

FOR HTML SITES USE THIS JAVASCRIPT:
=====

/* This script and many more are available free online at
The JavaScript Source :: JavaScript Source: Free JavaScripts, Tutorials, Example Code, Reference, Resources, and Help
Created by: Professor :: Professor's Coding Corner */

function mailTo() {
// Copyright 2006 Professional Website Design.
// For other useful scripts and tutorials, see
// Professor's Coding Corner
// You may use or modify the script in any way
// you want, but do not remove the first two
// lines above. Although it's not required, I
// would appreciate an email to let me know
// the URL of the page where you used it.

// The purpose of the mailTo script is to prevent
// email link harvesting by spammer's robots.
// Nothing shows in the file where this is used,
// other than an empty 'span' element. The mailto
// link is added dynamically, and will not show
// up even when you "View Source".

// A user having Javascript disabled will not see
// or be able to use the email link. This is
// necessary in order to achieve the script's
// stated purpose.

// To add a mailto link to your webpage, just:

// 1) Save this script as mailTo.js , or whatever
// else you want to call it. Be sure to include
// the window.onload statement AFTER the function.

// 2) Put the following in the "head" section of
// your webpage:
// <script type="text/javascript" src="mailTo.js">
// </script>

// 3) Put the following code in your webpage wherever
// you want the link to appear.
// <span id="mailTo"></span>

// 4) Substitute your own email address for the one
// in the line below.

var email = "you@yourdomain.com?Subject=Some subject goes here";

var emaildiplay = "you@yourdomain.com";

if (!document.getElementById("mailTo")) return false;

var spanobj = document.getElementById("mailTo");
var anch = document.createElement("a");
var mailto = "mailto:" + email;
anch.setAttribute("href",mailto);
spanobj.appendChild(anch);
var txt = document.createTextNode(emaildiplay);
anch.appendChild(txt);
}

window.onload = mailTo;


/* ==== END ===== */



FOR WORDPRESS SITES CONTACT FORM PAGES:
=====

I recommend the WP-gbcf plug-in, which shows up in your plug-in admin panel as "Secure and Accessible PHP Contact Form v.2.0WP. Obviously, it also comes in flavors that let you use it in non-WordPress sites, as long as your server is using PHP.

Good luck to you.

[littlegiant]

Re: Post #21-

I should mention that I had a problem with manual spammers as well (i.e., people would actually fill out my feedback form manually just to spam me). I locked them out on a one-by-one basis by building on the 'hidden input/force form submission by Javascript' method.

Here's how I did this-

First I wrote the following script and saved it as "feedback_form.js" in the same directory as the feedback form page:


function checkFormInput() {
var inputValueArray = new Array();

/* Replace spammer1.com, spammer2.com, etc with URLs manual spammers use in the form to spam you */
var specialStringArray = new Array("spammer1.com","spammer2.com","spammer3.com" );

var counter = 0;

/* The following makes an array out all HTML elements in form that can be used for input */
for (var i=0; i<document.FormName.elements.length; i++) {
if (document.FormName.elements[i].type == "text" || document.FormName.elements[i].tagName == "TEXTAREA") {
inputValueArray[counter] = document.FormName.elements[i].value;
counter++;
}
}

/* The following tests input form elements for spam URLs. If spam URL is found, the form is reset. */
for (var i=0; i<inputValueArray.length; i++) {
for (var k=0; k<specialStringArray.length; k++) {
if (inputValueArray[i].indexOf(specialStringArray[k]) > -1) {

/* Optional alert message if spam URL exists (uncomment following line). Not recommended though. Better to keep spammers guessing. Give them the impression that the form doesn't work at all. */

/* alert("Access denied."); */

document.FormName.reset();
return false;
}
}
}
}



To link this external Javascript to the feedback form page, you have to add the following HTML in between the <HEAD>...</HEAD> tags of the feedback form page:

<script src="feedback_form.js" type="text/javascript"></script>


The feedback page opening <form> tag must contain the following attribute/value pairs

name="FormName"
onsubmit="return checkInput();"

Example:

<form action="http://example.com/link_to_form_script" method="POST" name="FormName" onsubmit="return checkFormInput();">

FormName can be changed to whatever you like (just don't forget to change all instances of the FormName in the feedback_form.js to the same thing).

The javascript checks all input elements that have the type="text" attribute/value (single line inputs) or all <textarea> elements for the spammer1.com, spammer2.com or spammer3.com URLs (you can add or replace URLs to test for in the var specialStringArray line of the javascript).

If the spammer URL is found, the form is not submitted and the form is reset. This gives the impression to the spammer that the form is simply not working. You can also have an optional alert popup saying "Access denied." (or whatever you like) although that's not recommended because it tells the spammers that they are being blocked somehow.

If the manual spammer tries to circumvent this by disabling Javascript, they will not be able to submit the form because the submit button is created using Javascript (as per post #21 of this thread).

[z28com]

If any "http:" or "www." is found in a comment in a form for me, I automatically re-direct the person to another web site and don't even process the data.

I think I'm going to try the Javascript protection on the SUBMIT buttons and see what happens. Right now I am having problems with bots.

[littlegiant]

z28com,

Be advised that it's imperative to use the Javascript-written hidden input as your primary defense because --if I recall correctly-- spam bots can submit a form even if there is no HTML written submit button. In the method I cited in post #21, I put the Javascript-written submit button in as well to allow me to write scripts to filter out unwanted emails from manual submissions.

[langsor]

Quote:

Originally Posted by itsdonny

I read a great idea here a while ago where this webmaster incorporated an invisible field for someone to put there website or some other item. Viewers couldn't see that field so of course it wouldn't be filled in. This was the cue that the form was not from a robot spammer. The robots would see and fill in the invisible field for 'website' or whatever and when submitted the form would of course not go through. This is something I would like to incorporate on my contact page. If someone knows how to do it let me know please.

One thing to consider is that some people actually do have their JavaScript turned off -- so any SPAM defense requiring JavaScript will also mean the legitimate visitor with it turned off will not be able to view your email address or submit your form.

The above method sounds the most robust to me, even though I have not tried it personally.

You might use something like CSS to hide the field from web browsers, and not robots.

Place the style declaration in your page <head>

<style type="text/css">
#bots {
display: none;
}
</style>

Then in your form place your hidden field

<form ...>
<input type="text" name="website" id="bots" value="" />
...rest of form goes here...
</form>

This does require your server side form script to purge any form submissions where $_REQUEST['website'] has a value (PHP example)

Hope this might help someone

[jordanmcclements]

Quote:

Originally Posted by colincartwright

I agree with Z8, I now exclusively use Coffee Cup's Web Form builder. It generates awsome forms, with background images - anything you like and because it designs forms in shockwave flash, spambots simply cannot even see the resulting forms, let alone fill them in. Anyone with no skills at all can easily learn to use it. I would highly reccommend the thing.

I have created over 100 customer forms to date and not one has ever reported any spam at all.

Of course downside is the user needs shockwave flash on their PC to be able to use the forms, but the majority now do.

Colin

I use Roboform to fill forms (and increasingly non technical people fill forms with the Google toolbar etc) ! As I understand it, people on your web site will have to fill everything in manually?

[VOVAN]

I would like to know, how to put my email addresses into white lists, i.e. to make them NOT being out into SPAM folders of mail clients?

Here is the list of my emails:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job

[deepsand]

Quote:

Originally Posted by VOVAN

I would like to know, how to put my email addresses into white lists, i.e. to make them NOT being out into SPAM folders of mail clients?

Here is the list of my emails:
pussycat-123@live.com
pusy@ymail.com
john.rutger@gmail.com
john.dicky@hotmail.com
porno145@gmail.com
aaabbbb@rocketmail.com

Please don't ask me why these addresses are "spam-like"... I have a specific job

You cannot access the "white lists" of recipients.