05-01-2007, 01:22 PM
WebProWorld Pro
Join Date: Dec 2003
Location: Raymond, NH, USA
Posts: 109
Keeping spammers from processing forms
I have form scripts written in PHP, Cold Fusion and ASP and they all have "required fields" that must be completed. Yet, spammers still manage to process these forms with garbage in the fields or nothing in the fields.
If I were to put a robots.txt "no index" tag on the form page - do you think it would cut down on these spammers since the page would not be included in the search engines?

05-01-2007, 01:49 PM
Moderator
Join Date: Jan 2004
Location: Live in Cincy Now
Posts: 7,432
Try using an image, color or math captcha.

05-01-2007, 01:58 PM
WebProWorld Pro
Join Date: Dec 2003
Location: Raymond, NH, USA
Posts: 109
spammers using forms
One of my sites does implement captcha and still receives spammy entries (although not as often as the other sites).
I thought if the page isn't indexed by search engines it would not be found by spammers. Perhaps my thinking is wrong. I have no idea how or why spammers even exist in this world...

05-01-2007, 04:59 PM
WebProWorld New Member
Join Date: Aug 2005
Posts: 8
If you are coding the forms yourself, an interesting and easy-to-implement alternative to captcha is a simple math question: e.g., 2+2. This has the added benefit of being more accessible for visually impaired users. I have used it successfully multiple times. This idea isn't mine, but I can't remember where I first read about it. JB

05-01-2007, 05:18 PM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 253
I've used the following method to reduce spam entries in the past. It works by ensuring that any data posted to the form processor has come from the form on my website, and not directly from another package.
- user visits your form page and a token is created with a fixed expiry time and placed in a hidden form field
- user submits the form. The form processor checks if the token field is present, valid and still in time (how this is done depends on your language but session handling functions are a big help here)
- if the token passes the checks above the rest of the form is processed.
This may not remove all your spam but should help to reduce it, with the added advantage of no extra fields for your visitors.
Mike
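The token flow Mike describes, written out as an added PHP example (this is not Mike's code; it assumes PHP sessions, and the field and constant names are my own):

```php
<?php
// Added example (not code from the original post): Mike's token scheme in PHP.
// Assumes PHP sessions; field and constant names are my own choices.
declare(strict_types=1);

const TOKEN_TTL = 15 * 60;   // seconds the token stays valid after the form page loads

// Render-time: put a fresh random token in the session and return it for the hidden field.
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = ['value' => $token, 'expires' => time() + TOKEN_TTL];
    return $token;
}

// Submit-time: true only if the hidden field matches the session token and it has
// not expired. The token is consumed either way, so it cannot be replayed.
function checkFormToken($submitted): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    if ($stored === null || !is_string($submitted)) {
        return false;        // no form page loaded in this session, or field missing
    }
    if (time() > $stored['expires']) {
        return false;        // form page was loaded too long ago
    }
    return hash_equals($stored['value'], $submitted);   // constant-time comparison
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!checkFormToken($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or expired; please reload the form and try again.');
    }
    // Token passed: validate and process the remaining fields here.
    echo 'Thanks, your message was received.';
} else {
    $token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<textarea name="message"></textarea>'
       . '<input type="hidden" name="form_token" value="' . $token . '">'
       . '<input type="submit" value="Send">'
       . '</form>';
}
```

A submission that never loaded the form page (no session token) or that replays an old token is refused before any field is looked at.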

05-01-2007, 07:06 PM
WebProWorld 1,000+ Club
Join Date: Aug 2003
Location: Worldwide
Posts: 6,986
Quote:
Originally Posted by yookoso
If you are coding the forms yourself, an interesting and easy-to-implement alternative to captcha is a simple math question: e.g., 2+2. This has the added benefit of being more accessible for visually impaired users. I have used it successfully multiple times. This idea isn't mine, but I can't remember where I first read about it. JB
Do you mean as we have done here? http://www.seoworkers.com/tools/analyzer.html

05-01-2007, 08:26 PM
WebProWorld 1,000+ Club
Join Date: Oct 2003
Location: Encinitas, CA
Posts: 1,908
Yes, CAPTCHAs are a must. Also, in the PHP script, you need to strip tags, not allow line breaks, which is a favorite way for them to add a Cc to an email, and not allow certain character strings such as "http." Disallow the use of your site's own domain as this is another favorite trick for the spammer to try to spoof their identity as you. When the rules are violated, the script should be set to die.
Also, don't use words in file names for the scripts or forms that are obviously associated with emails. Don't use "send," "mail," etc.
__________________
DrTandem's San Diego Web Page Design, drtandem.com

05-02-2007, 12:17 AM
WebProWorld Pro
Join Date: Aug 2006
Location: Cary, Illinois
Posts: 153
Interesting discussion...
I received 40 emails -- all received within 30 seconds of each other -- on my Blackberry sitting on my nightstand at 3 in the morning one night. The emails were from a few of my site's pages (ask a question, add a picture, mailing list submission, etc) and they all use a common email id.
The interesting thing I noticed was the emails did not come from common@getmea-skateboard.com. Instead, they came from my physical server address, i.e. hostxxx.aaaaa@getmea-skateboard.com.
The surprising thing is I am not mad this happened. On the contrary, I'd like to know HOW this was done.
I reported this event to my host, but they cannot do anything.
Given the above, how can I institute a "captcha" or a mini math quiz on my pages if spammers appear to be circumventing normal page rendering?

05-02-2007, 12:18 AM
WebProWorld Member
Join Date: Dec 2006
Posts: 37
Re: Keeping spammers from processing forms
Quote:
Originally Posted by mawells
If I were to put a robots.txt "no index" tag on the form page - do you think it would cut down on these spammers since the page would not be included in the search engines?
Ethical, law-abiding organizations choose to follow the suggestions laid out in your robots.txt file. The ones you're dealing with clearly choose not to -- and never will.
Said differently: robots.txt is not a replacement for security. Think of it as a sign in your front window that is read and observed only by good neighbors. Criminals, no-gooders and others will ignore it or even use its information against you.
Use it as intended and for nothing else.

05-02-2007, 01:04 AM
WebProWorld 1,000+ Club
Join Date: Oct 2003
Location: Encinitas, CA
Posts: 1,908
Quote:
Originally Posted by getmea
Interesting discussion...
I received 40 emails -- all received within 30 seconds of each other -- on my Blackberry sitting on my nightstand at 3 in the morning one night. The emails were from a few of my site's pages (ask a question, add a picture, mailing list submission, etc) and they all use a common email id.
The interesting thing I noticed was the emails did not come from common@getmea-skateboard.com. Instead, they came from my physical server address, i.e. hostxxx.aaaaa@getmea-skateboard.com.
The surprising thing is I am not mad this happened. On the contrary, I'd like to know HOW this was done.
I reported this event to my host, but they cannot do anything.
Given the above, how can I institute a "captcha" or a mini math quiz on my pages if spammers appear to be circumventing normal page rendering?
I suspect they are simply adding code to the text fields of your form. I would suggest moving to a PHP script.
__________________
DrTandem's San Diego Web Page Design, drtandem.com

05-02-2007, 02:40 AM
WebProWorld Veteran
Join Date: Jun 2004
Location: Pretoria, South Africa
Posts: 306
Adding Captcha to my site and client sites has made it 90% better, but adding math is just as good.
While you are trying to stop spam, you should always have your legitimate site users in mind. How user-friendly is the form to your site visitor? Don't overdo it either...

05-02-2007, 03:43 AM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 253
There's a lot of good advice here about adding CAPTCHAs. Just be aware that some of the visual captchas are very easy to break, so if you are going down this route do some research into the good ones.

05-02-2007, 05:32 AM
WebProWorld Veteran
Join Date: Nov 2004
Location: UK
Posts: 504
We had a problem with spamming and also a problem with someone using our PHP form to send big emails to thousands of addresses, blocking our mail exchange, so we have implemented PHP code to limit the number of characters in each field; if there are too many, the PHP simply won't process the email request.
Although, following this discussion, I will also be looking to implement captcha too. Some great tips here!

05-02-2007, 08:19 AM
WebProWorld 1,000+ Club
Join Date: Oct 2003
Location: Encinitas, CA
Posts: 1,908
Some don't even realize that their form has been hijacked and used as a launch platform for spam. A typical hijack attempt will send you a comment such as "Great site. Thanks." Also, numerous instances of a URL will be found in various text fields.
If you are getting a number of these, it is highly likely that your form has been hijacked.
Stripping responses of tags and disallowing line breaks and your site's own domain name by having the script die makes it useless to the hijacker.
Adding a CAPTCHA will prevent automated/scripted replies. Having a math question for the visually impaired appears to be a good idea, but the function needs to be random. Also, it isn't much of a leap to have a script perform mathematical functions.
You will need to strike a balance to make the form inconvenient enough for the hijacker, but not too inconvenient for the legitimate visitor.
__________________
DrTandem's San Diego Web Page Design, drtandem.com
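The checks DrTandem lists here and in his earlier reply (strip tags, no line breaks, no "http", no use of your own domain, die on violation), as an added PHP example; this is not DrTandem's script, and SITE_DOMAIN is a placeholder for your own domain:

```php
<?php
// Added example (not code from DrTandem's posts): his field checks as a PHP
// form-to-mail pre-check. SITE_DOMAIN is a placeholder for your own domain.
declare(strict_types=1);

const SITE_DOMAIN = 'example.com';

// Anything that lands in a mail header must be one line: a CR/LF followed by
// "Cc:" or "Bcc:" is how a hijacker appends his own recipient list.
function isSafeHeaderField(string $value): bool
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        return false;
    }
    // Also refuse URL-encoded line breaks and header names smuggled into one line.
    return preg_match('/%0[ad]|\b(?:cc|bcc|content-type|mime-version):/i', $value) === 0;
}

// Body text: strip tags, then refuse "http" and our own domain (used to make the
// mail look as if it came from us). Returns the cleaned body, or null to refuse.
function cleanBody(string $value): ?string
{
    $clean = strip_tags($value);
    if (stripos($clean, 'http') !== false || stripos($clean, SITE_DOMAIN) !== false) {
        return null;
    }
    return $clean;
}

// Reasons to refuse the POST; an empty list means the message may be mailed.
function validateSubmission(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $f) {
        $v = $post[$f] ?? '';
        if (!is_string($v) || !isSafeHeaderField($v)) {
            $errors[] = "$f contains a line break or a mail header";
        }
    }
    $body = $post['message'] ?? '';
    if (!is_string($body) || cleanBody($body) === null) {
        $errors[] = 'message contains markup, a URL or our own domain name';
    }
    return $errors;
}

$errors = validateSubmission($_POST);
if ($errors !== []) {
    die('Rejected: ' . implode('; ', $errors));   // die before any mail is built
}
```

The header-field test is the one that matters most: with line breaks refused, a submitted "email" value can no longer grow an extra Cc: or Bcc: line inside the mail you send.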

05-02-2007, 10:34 AM
WebProWorld New Member
Join Date: Nov 2005
Location: USA
Posts: 5
preventing spammers from using forms
I need to know where to find these codes to use for my form. I am getting the same site using my form several times a day. I do see URLs so maybe they are using it for e-mail.
I have put restrictions on characters, but that doesn't seem to make a difference.
Please direct me where to find these codes.
Thank you for your assistance.

05-02-2007, 11:43 AM
WebProWorld New Member
Join Date: Feb 2007
Posts: 10
This isn't a new exploit.
And here's roughly how it works:
It hunts down forms with a .php extension.
The source is analyzed and the name of each field is extracted.
Values are assigned for each field name. These values are actually MySQL queries and sendmail arguments.
The page is reloaded with the queries in place and the PHP engine processes them... and executes everything.
The simplest solution is to name the forms with a custom extension such as .pqr and create an Apache directive to process these through the PHP engine.
The exploit is spidering for .php because that's what it requires. It will completely overlook your forms.

05-02-2007, 11:59 AM
WebProWorld Pro
Join Date: Aug 2006
Location: Cary, Illinois
Posts: 153
DrTandem1:
All my pages are PHP which call a Perl routine (chmod 755) for sending the email to the requestor plus a copy to me.
Just as I was reading your reply last night, I received 2 more phantom "guestbook" entries.
All that my email notification from my server read was:
From: () <------should be my site's email address
Date: 2 May 2007 05:00:43
Cc:recipient list not shown: ;
Subject: Entry to Guestbook
You have a new question or comment:
-------------------------------------------------
Tue May 1, 2007, 22:0:43
-------------------------------------------------
I recently found code and added it to my Perl routines to strip out special characters:
# Un-Webify plus signs and %-encoding
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
# Remove SSI directives (the <!-- ... --> pattern on this line was lost when the
# post was extracted; restored from the standard FormMail parse_form routine)
$value =~ s/<!--(.|\n)*-->//g;
if ($allow_html != 1) {
    $value =~ s/<([^>]|\n)*>//g;    # strip any remaining HTML tags
}
Above this code, $allow_html is set to false. At least I am not getting html added to my guestbook anymore.
Besides the captcha and arithmetic logic, anyone know of other ways to prevent this spamming? How about setting a cookie at index.html load so child pages can check if "probable human" processing? How about random perl page naming at index.html startup so a spam script cannot call the same .pl 500 times?
Just wondering...

05-02-2007, 12:07 PM
WebProWorld Pro
Join Date: Aug 2006
Location: Cary, Illinois
Posts: 153
NYChris:
If your suggestion really works, I would not care if my "ask a question" or "add me to your mailing list" pages are indexed...
thanks for the suggestion.

05-02-2007, 12:07 PM
WebProWorld Pro
Join Date: Feb 2004
Location: Kingston, NY USA
Posts: 107
Don't make it easy for 'em!
Here are some thoughts on form-->mail security that I've tried to utilize; I'd love to hear other folks' thoughts on which make sense and which don't.
I figure that there are no truly hacker-proof form scripts. But some seem more secure than others, so I start by trying to find one that seems to put security at a premium, and then try to do what I can to increase the security. I figure that hackers/spammers will go for the low hanging fruit, so the more barriers I put in the way, the better.
When I find a form-->mail script online that I like, I figure that spammers have seen it as well. I imagine that spammers may try to figure out how to hack a script, then look for instances of it in use, and spam with it from thousands of websites. So I recommend never using a publicly available script "straight", without changes. Change the name of the script file; break the script up into several pieces if you can. Even better, change something about its functionality if you have the skills.
Try adding a layer of javascript validation on top of the script's built-in validation. Use scripting and javascript to hide identifiable "signatures" of the script, and to write in elements necessary for the functionality of the form and/or the script. (E.g., some necessarily "human" action must be performed before the form becomes fully functional.) For example, you might use javascript to write in or change the file name that controls the action of the form, make the submit button accessible, etc.
Don't make it obvious or easy to find your form or your script. Don't put your form on a page called contact.php, for example. Give the page, and the script, file names that have nothing to do with mail or forms. If you were a spammer, wouldn't you go around sniffing out pages called contactus.html, etc?
If possible, change the form field names. Don't use the obvious "name" "email" "message" "comments", etc.
I've heard that there is a type of "carpet-bombing" spammer method in which the spammer fills in every field in hopes of getting it right and avoiding validation errors. (Can anyone confirm that this is true, and if so what is this called?) I use a field - either invisible or explained to humans with a note - that MUST be left blank in order to validate. (I give that field a common field name like "comments".)
Captchas and simple math questions are good. I like to use simple and obvious questions that anyone who has used the site would know the answer to: name or location of organization, for example. Just be sure to explain to your visitors why you're asking such seemingly dumb questions.
If the spammers are going to use my form, I want to d*mn well make sure they will have to work for it. It's that low-hanging fruit thing I mentioned. Pile on the obstacles. They may be able to get around any one of them individually, but if there are enough of them, I figure that most of the creeps will just go somewhere else instead.
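The must-be-blank field from this post, together with the randomised math question DrTandem asked for earlier in the thread, as an added PHP example (not the poster's code; it assumes PHP sessions, and the field names are my own):

```php
<?php
// Added example (not code from the original posts): a randomised arithmetic question
// plus a field that must stay empty. Assumes PHP sessions; field names are my own.
declare(strict_types=1);

// Render-time: pick fresh operands each time; only the answer is kept server-side,
// so a script cannot read it from the page source.
function issueMathChallenge(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['math_answer'] = $a + $b;
    return "What is $a plus $b?";
}

// Submit-time: compare the reply with the stored answer, then discard the answer.
function checkMathChallenge($reply): bool
{
    $expected = $_SESSION['math_answer'] ?? null;
    unset($_SESSION['math_answer']);
    if ($expected === null || !is_string($reply)) {
        return false;
    }
    $reply = trim($reply);
    return ctype_digit($reply) && (int) $reply === $expected;
}

// Honeypot: a visitor never sees this field (hidden with CSS), so anything in it
// came from a script that fills every field it finds.
function honeypotTripped(array $post, string $field = 'comments'): bool
{
    return isset($post[$field]) && (!is_string($post[$field]) || trim($post[$field]) !== '');
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypotTripped($_POST) || !checkMathChallenge($_POST['math'] ?? null)) {
        http_response_code(403);
        exit('Submission rejected.');
    }
    echo 'Thanks, your message was received.';
} else {
    $q = htmlspecialchars(issueMathChallenge(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<label>' . $q . ' <input name="math" size="3"></label>'
       . '<div style="display:none"><input name="comments" autocomplete="off"></div>'
       . '<textarea name="message"></textarea>'
       . '<input type="submit" value="Send">'
       . '</form>';
}
```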