Form Spamming

[mikmik]

This looks excellent! Secure & Accessible PHP Contact Form

Found it here: anti spam php contact form

[kgun]

PEAR :: Package :: HTML_QuickForm2 May be that takes care of it.

I didn't intentionally reject one of your comments. They are always relevant and I have no problem keeping your links in because they are relevant too. If one did slip through and get deleted in the midst of loads of spam, I'm sorry. Perhaps you could repost it and I'll give it my urgent attention.

I can not remember what I wrote.

<digression>
I think there is a fairly lare Simula miljeu in Canada. Have you heard of that?
</digression>

[TrafficProducer]

What may help is: As stated is

use a captcha on the form

.

Or and sense IP and block it code.


Captchas

Captchas are used to prevent automated spamming of website submission, posting of blogs and in the use of other online forms. A Captchas Example. May look sometime like this click for audio version and ask the user to enter the characters in to the on-line form as a check that it is a real person using that form.


Free CAPTCHA-Service

CAPTCHA: Telling Humans and Computers Apart Automatically.

Examples of Captchas Craziest Captchas on the Web.

[DaveSawers]

And that's a perfect example of why users hate captchas!

Is the second character supposed to be a Z or a 2 or just an R or possibly an L in a strange font? As for the fifth character??? Possibly a G or a 9 or maybe a Q? And is the sixth an O or a 0?

I haven't spent any time thinking about this problem, but I am certain there must be a better answer than a captcha.

[mikmik]

There are. Some capcha make better graphics than that, but I usually just put comments to be moderated first, and set notification 'notify by email' to review them first.

[wige]

Microsoft and an animal adoption agency have been experimenting with an alternative form of captcha that uses a massive database of photos of dogs and cats, and the user has to check which images are one or the other.

MSR Asirra: A Human Interactive Proof

[mikmik]

wige, can't connect to you blog comments!

DaveSawers

As for advertizing, I haven't done that for several years. I get more than enough work from my regular clients and occasional personal references. The rest I turn away or refer them to someone else.

Integrity! I like sites with no ads. If you are good, word of mouth and references is more than enough to handle.

[Tech Manager]

Hi I hope this is the right place for this:
We have one form on our website that keeps getting filled out with links to pron, viagra and cheap CDs. Its no other forms just one specific one - which is made in exactly the same way using asp as the others.

What is the purpose of spamming these forms with all this rubbish, and is it any threat th us other than being a bit of a pain? or is it something we need to stop and if so how? we get about 3-4 spam submissions a day

There are several ways to limit or eliminate webform spam. Lots of people rely on CAPTCHA, but personally I don't think it is as effective as it could be.

My suggestion is to use CAPTCHA and process your forms with an SSI language such as PHP.

I create highly secure webforms for several of my clients and I do so by using session variables that eliminate automated scripts from using the forms, then I make sure I do security processing on all the variables inputted into the form and potential variables that may be inserted from an outside script. I make sure to filter out any malicious scripts and especially those that would attempt to turn a webform into a spam-senders paradise. Generally speaking, if my form is 20-50 lines of code my security scripts will be 250-2500 lines of code.

Another good rule of thumb is to write scripts that will capture and log all the data inserted into your webform. This is especially important for forms using the POST method as this data will not normally be easily visible within your server logs. These security scripts will capture and clean the data and then write the variable data to a separate text file where I can view it later. You'd be surprised how much you can learn about the various techniques being used. You also want to make sure you capture the IP address of anyone using your webforms.

You can also create scripts that will check for open-proxies on the incoming connection and immediately block or disconnect.

If you are experiencing problems with webform spammers in specific countries you can also use Country IP Blocks aka Country IP Blocks dot Net, to get accurate IP Allocations for 239 countries. Country IP Blocks can also create instant .htaccess deny lists. I use them to create Cisco ACL Lists, .htaccess files, and various other Access Control lists. I also wrote the scripts so the database is updated with all the latest IP information at least once a day.

If you need further assistance please let me know.

[JacobRusso]

Hi beautiful...

I implemented the most simplistic... yet amazingly effective... mechanism which has obliterated 99.9% of these spam form submissions. No CAPTCHA or fancy footwork required.

Simply:

1. Add an extra Field to your form.
2. Give it a dummy default value (like "STOPSPAM")
3. Flag the field as "Required"
4. Add a requirement for the field "value" to be "Equal to" the dummy default value assigned in #2 above.

That's it.

The theory behind the effectiveness of this method is that most of the Form Spammers tend to add Spam data into every field to attempt to bypass the "Required" fields. By setting up a specific required (dummy) value. Their method backfilres.

Hope this helps. Oh... and HAPPY NEW YEAR to everyone!!!

[joncase]

What is the purpose of spamming these forms with all this rubbish, and is it any threat th us other than being a bit of a pain? or is it something we need to stop and if so how? we get about 3-4 spam submissions a day

As Dubbya said, if they are able to add a lot of other sendto email addresses in your form, or use your form script to send to lots of other email addresses, it is a big problem. That you would need to find out.

I have a number of clients who complained about getting sometimes hundreds of these a day. I fixed the form script so that it would not validate the Comments textarea if it had special characters in it such as <, =, or >, because the spammers use the links to hopefully generate traffic. If such special characters were in the Comment box on my forms, an error message was generated telling the sender those special characters are not allowed and must be removed to send the form. The spamming stopped immediately.