Spam via Web Forms, Suggestions?

Discussion in 'Web Design & Coding' started by madmatt, Jul 7, 2008.

  1. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    I have a client or two that is receiving upwards of 100 spam messages a day from the forms on their web site. I am already using error checking and on the form in question a check box must be checked prior to being able to submit.

    I have attached a screen capture so you can see the spam.

    Does anyone have any suggestions to prevent this from happening?

    Thank you.
     


  2. Henyman

    Henyman Secret Goat Fetish Political User

  3. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    It may come down to that unless there are any other suggestions.
     
  4. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Captcha.
     
  5. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
  6. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Yeah, captcha. I'd be interested in how else it could be done though. I'm developing something offline for now which will be using a captcha but honestly I think it's fugly :) I would prefer something more hidden.
     
  7. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    remove the submit form button :D

    No forms. No spam.
     
  8. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    Winner of the best suggestion yet award. K? THX.
     
  9. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    There's a lot to be said for the old "read-only" web.
     
  10. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    So I disabled the form and the client is still complaining. It became obvious that the spammers are calling the action file. But that makes me wonder: how are they injecting information into it without filling out the form?

    Hopefully that makes sense.
     
  11. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    Well, that's simple: if they've looked at the form then they know the form field names. Once they've got that, why do they need to write something to fill in your form first? They can just send an HTTP POST request with the required form field data. This is how a regular browser works; the only purpose of the form is for the human to provide values for the form fields the user agent needs to send to the form action.
     
  12. madmatt

    madmatt Bow Down to the King Political User

    Messages:
    13,312
    Location:
    New York
    So how do we prevent this from happening?
     
  13. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Blacklist the IP(s) spamming.
     
  14. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    or Captcha.

    You can even do what speedy_b does, and that is give them a math problem to solve.
     
  15. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    Remove the action file? If you still need the form to work you will have to use either captcha or some spam filtering rules/service.
     
  16. falconguard

    falconguard Carbon based lifeform Political User Folding Team

    Messages:
    3,406
    Location:
    SoCal
    Can you put in a JavaScript function to display the field?
     
  17. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    Not terribly nice for people with JS turned off; while their numbers are declining, they are still there.

    Matt, can you generate a unique token for each user session, maybe put that in a hidden field in the form, and then check for its presence in the action file? That should at least stop casual POST'ing to the action file without first hitting up the form.

    The token could be generated from the session key but should not actually be the session key; the reason is that they could make one hit to your site, trap the key and then start POST'ing to the form action again. It should also be temporal but be determinable for a set period of time. If they don't submit the form within, say, 5 minutes it should reject the request.

    Dunno if you use Rails at all, but the protect_from_forgery setting does a lot of this for you.
     
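The scheme Geffy describes above (a per-session token that is derived from the session key without being the session key, carried in a hidden field, and rejected after a few minutes) is shown here as an added example; it is not code from this thread or from Rails' protect_from_forgery. The thread never names the server-side language of the "action file", so Python is assumed, and the secret, session key and field name `form_token` are constructed for the example. The token is `issued_at:HMAC(secret, session_key || issued_at)`, so an attacker who captures a token cannot recover the session key, cannot forge one for another session, and cannot reuse it after the 5-minute window.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Server-side secret, constructed for this example. In production load it from
# configuration; it must never be the session key itself.
SERVER_SECRET = b"example-only-replace-with-a-long-random-secret"
TOKEN_TTL_SECONDS = 300  # reject submissions older than 5 minutes, per the post


def make_form_token(session_key: str, issued_at: Optional[int] = None) -> str:
    """Return "issued_at:mac" for the hidden form field.

    The MAC binds the token to this session and this issue time; the session
    key is an HMAC input, so the token does not reveal it.
    """
    if issued_at is None:
        issued_at = int(time.time())
    msg = f"{session_key}:{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def verify_form_token(token: str, session_key: str, now: Optional[int] = None) -> bool:
    """True only if the token was minted for this session within the TTL."""
    if now is None:
        now = int(time.time())
    try:
        issued_str, mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:  # malformed or empty token
        return False
    # Reject stale tokens and tokens claiming to come from the future.
    if not 0 <= now - issued_at <= TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(
        SERVER_SECRET, f"{session_key}:{issued_at}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(expected, mac)


def handle_form_post(
    fields: Dict[str, str], session_key: Optional[str], now: Optional[int] = None
) -> Tuple[bool, str]:
    """Simulated action file: 'fields' is the parsed POST body (constructed).

    A direct POST that never loaded the form has no session and no token, so
    it is rejected before the message is ever stored or mailed.
    """
    if not session_key:
        return False, "no session cookie"
    if not verify_form_token(fields.get("form_token", ""), session_key, now):
        return False, "missing, forged or stale form token"
    return True, "accepted"


if __name__ == "__main__":
    token = make_form_token("sess-abc", issued_at=1_000_000)
    print(handle_form_post({"form_token": token, "email": "a@example.com"}, "sess-abc", 1_000_100))
    print(handle_form_post({"email": "a@example.com"}, "sess-abc", 1_000_100))
    print(handle_form_post({"form_token": token}, "sess-abc", 1_000_400))
```

When rendering the form, call `make_form_token(session_key)` and place the result in `<input type="hidden" name="form_token">`; the action file then passes the submitted value to `handle_form_post` together with the session key from the visitor's cookie.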
  18. Xander Zerge

    Xander Zerge OSNN One Post Wonder

    Messages:
    1
    About 95% of casual web surfers have JavaScript enabled in their browsers. A simple message asking to enable JavaScript for the page, shown to the remaining 5%, is much better than annoying all your visitors every time they visit your site (or even page) by requiring them to recognize captcha images, answer anti-bot questions, solve brainteasers, etc.
    There are automated solutions which can obfuscate HTML code and make it totally unreadable for spambots, except only those which execute every JavaScript on the page, which is still computationally ineffective, especially in the age of so-called "Web 2.0".
    I am developing one of such solutions, Web Form Anti-Spam, so if anyone is ever interested in my recommendations, feel free to contact me directly; I would like to avoid being called a "forum spammer" here. :)

    One of the simplest methods to stop spam bots is to rename fields to less obvious names and place hidden fields with the old, frequently used names, like "email", "phone", "message", etc. For example:
    ...
    <input type="text" name="i13kfsl" value="" />
    <input type="text" name="email" value="" style="display:none" />
    ...
    When processing the form data in the server script, ensure that the "email" value is still empty and accept the "i13kfsl" field value as the e-mail address typed by the visitor. This measure is helpful because spambots try to fill all the fields they see, especially those with frequently used names.

    style="display:none" is a simple method of hiding the bot-catching field. You can use different styles to achieve that effect, by making it zero-height, or positioning it absolutely at some negative position. Keeping the hiding style in an external CSS file will hide the style itself; spambots are not smart enough to read, parse and interpret styles to find all the catches.
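The honeypot technique from the post above, as an added example that is neither code from this thread nor from the Web Form Anti-Spam product it mentions. It generalizes the single "email" decoy to a small field map: every real input gets a non-obvious name and every commonly guessed name becomes a hidden trap. Python is assumed for the server side, and the obscure names (`i13kfsl` from the post, `q8zd2m` and `w0pxa7` added here), the CSS class `hp` and the sample submissions are constructed. The hiding rule itself (for instance `.hp { display:none }`) is assumed to live in the site's external stylesheet, as the post recommends.

```python
import html
from typing import Dict, Optional

# Visible inputs use deliberately non-obvious names; the value is the label a
# human sees and the key the rest of the application expects. (Constructed.)
REAL_FIELDS = {"i13kfsl": "email", "q8zd2m": "phone", "w0pxa7": "message"}

# Decoys carry the frequently used names a bot is likely to fill in.
HONEYPOT_FIELDS = ("email", "phone", "message")


def render_form_fields() -> str:
    """Emit the visible inputs followed by the hidden decoys.

    The decoys are hidden via an external CSS class rather than an inline
    style, so nothing in the markup itself says "this field is hidden".
    """
    parts = []
    for obscure, label in REAL_FIELDS.items():
        parts.append(
            f'<label>{html.escape(label)} '
            f'<input type="text" name="{obscure}" value=""></label>'
        )
    for decoy in HONEYPOT_FIELDS:
        # tabindex=-1 and autocomplete=off keep keyboard users and browser
        # autofill from accidentally populating the trap.
        parts.append(
            f'<input type="text" name="{decoy}" value="" class="hp" '
            f'tabindex="-1" autocomplete="off">'
        )
    return "\n".join(parts)


def process_submission(post: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the cleaned submission keyed by real field name, or None if any
    honeypot was filled (treat as a bot and discard without mailing it)."""
    for decoy in HONEYPOT_FIELDS:
        if post.get(decoy, "").strip():
            return None
    return {label: post.get(obscure, "").strip() for obscure, label in REAL_FIELDS.items()}


if __name__ == "__main__":
    print(render_form_fields())
    # Constructed submissions: a human leaves the decoys empty, a bot fills them.
    human = {"i13kfsl": "alice@example.com", "w0pxa7": "Hello", "email": "", "phone": ""}
    bot = {"i13kfsl": "x", "email": "spam@example.com", "message": "buy now"}
    print(process_submission(human))
    print(process_submission(bot))
```

Because `process_submission` decides before any mail is sent or record stored, the bot traffic that bypasses the form and POSTs straight to the action file still has to guess which names are real; logging the rejected submissions separately also gives a cheap count of how much of the traffic is automated.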