Can I stop spammers filling in my form?

[reebene]

I have hotel site which uses an online booking form. It's written in expression web.
There is an area for special requests i.e. disabled facilities, extra beds, cot etc.
I constantly get spam mail on it.
Trying to make up a form which covers all the eventualities with buttons or lists doesn't seem to cover all the questions people ask, so I'd rather keep the text area if I can.
Does anyone know a way to prevent the spammers using it?

Ree

[Webnauts]

Try this: GBCF-v3 - Secure and Accessible PHP Contact Form - Green-Beast.com

[advancedmerchant]

First, do not make the address visible, have your form post the email in code, where the address cannot be seen in a "View Source". This prevents email scrapers from getting the address.

Second, make one field a 'captcha', (a graphic must be read and typed in), or a human readable question and answer that a script could not answer, like "What color is the sky?" (answer would contain the word "blue")

[imvain2]

Captcha's aren't really a good idea. They work for the problem of spammers, but cause new problems with customer usability.

You could always follow the K.I.S.S process.

Create a text field and name it, then wrap that field in a div with display:none.

Then in the server side form processing code, look to see if the form field myemail is empty, if its not empty then don't allow the form to be submitted.

Code:

<div style="display:none;">
<input type="text" name="myemail" value="">
</div>

How does this work? The spammer programs are made to fill out the text fields, so they will see the text form field myemail and enter in content. Which then your programming will see that there has been something filled in and not allow the form to be submitted.

I have ran this on many sites are stopped all spam forms from being sent.

Also, if your code looks for a specific field to start processing, I would change the name of that field. Since the spammers already have that field name store in their system.

[bj]

Most of my forms are coded within the CMS I use and fairly spamproof, but friends of mine have a unique way of handling this with their static html site. They've done a sort of backward captcha. It's a text field that is hidden offscreen by using the css. If it's filled in, then the email is simply discarded since it will only be filled out by 'bots. Humans will never see it so they never fill in that field.

[niggles]

I agree with imvain2 -> the invisible field is a really simple and great way to check if it's a SPAMBOT or human without impacting on your customer.

All you need to do is write code which says :

Code:

<?php


if(!empty($_POST["myemail"]){

     $spam = true;
} else {

    $spam = false; 
}

?>

Then just before you send off the email message you check whether it's true or false and if it's true, don't send the email :

Code:

if(!$spam){

     // send your email

}

[Orion]

Create a text field and name it, then wrap that field in a div with display:none.

Then in the server side form processing code, look to see if the form field myemail is empty, if its not empty then don't allow the form to be submitted.

Code:

<div style="display:none;">
<input type="text" name="myemail" value="">
</div>

OH WOW! Wicked solution! Any chance you or BJ can post the scripting that looks at the field and kills the submit?

I have a couple older sites that would benefit from this...

[IndustrialWebGuy2]

I like the invisible field suggestion and I'll have to try it. But I have also used a CAPTCHA solution that is very easy to work with. Even though all CAPTCHA presents useability issues, this one, at least, has an audio version that reads the image for the visually impaired and also has a reload button to generate another CAPTCHA image if the first was too hard to read. Check it out at ProtectWebForm.com. I wouldn't use it for secure information because it seems to run the captured inputs through their server then route them back to your server, but for your run of the mill inquiry form, it's okay. Another interesting version of CAPTCHA is found at ReCaptcha.net.

[tmaster]

I have hotel site which uses an online booking form. It's written in expression web.
There is an area for special requests i.e. disabled facilities, extra beds, cot etc.
I constantly get spam mail on it.
Trying to make up a form which covers all the eventualities with buttons or lists doesn't seem to cover all the questions people ask, so I'd rather keep the text area if I can.
Does anyone know a way to prevent the spammers using it?

Ree

You need to lock down your forms. You can use a capta system or you can have a photo be displayed and ask the user what it is
in the photo like a cat or a dog. The scripts at green-beast.com might be good but it has problems I see right away.

Never send or allow the script to send a copy to the users email because spammers will use it to send spam to other users using your form.

Hard code all headers To: From: Subject: Do not enter any data into these fields from your contact form because spammers can inject code into the headers and take control of your mailer and send spam to others. You can try to trap the injected code but you may miss something better safe than sorry.

Put the senders from address and subject line inside the body of the message. And hard code your email address into the To and from lines.



What the others said about having dummy fields is also a great ideal.

[niggles]

Here's the full PHP script of my anti spam check which also checks for "bad" characters + if the extra email was filled in + also writes a timestamp to see if the form was submitted too quickly or too long after being generated i.e it was saved offline and submitted by bots.

And as tmaster says, always hard-code the To: From: Subject: fields.

In the PHP header code

Code:

// check if any of the SPAMBOT criteria are true

	if(preg_match("/bcc:|cc:|multipart|url|Content-Type:/i", implode($_POST))) {
		$spam=true;
	}
	if (preg_match_all("/<a|http:/i", implode($_POST), $out) > 3) {
		$spam=true;
	}
	if(!empty($_POST['emailagain'])){
		$spam = true;
	}

	// if e-mail is not formatted correctly, show error message
	if(!eregi("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,3})$", $_POST['email'])) {
			$error = true ;
	}

	if($_POST['formtime'] < time()-3600)  {
		$spam=true;
	}

In the form, I add these fields:

Code:

<span style="display:none;visibility:hidden;">
  <label for="emailagain">Do not enter anything in this field as it's designed to stop SPAMBOTS!</label>
  <input type="text" name="emailagain" id="emailagain" value="" />
  <input type="text" name="formtime" value="<?php echo time(); ?>" />
</span>

Cheers,
Niggles