#1, July 7th, 2008
madmatt (Bow Down to the King). Joined: April 2002; Location: New York; Posts: 13,312; Reputation: 4090; Power: 297

Spam via Web Forms, Suggestions?

I have a client or two that is receiving upwards of 100 spam messages a day from the forms on their web site. I am already using error checking and on the form in question a check box must be checked prior to being able to submit.

I have attached a screen capture so you can see the spam.

Does anyone have any suggestions to prevent this from happening?

Thank you.
Attachment: Spam via Web Forms, Suggestions?-capture.jpg
#2, July 7th, 2008
Henyman (Secret Goat Fetish). Joined: June 2002; Location: Dorset, England; Posts: More Than You (9,602); Reputation: 3548; Power: 253

Re: Spam via Web Forms, Suggestions?

use captcha?

http://www.captcha.biz/captchaform/f...d-captcha.html
#3, July 7th, 2008
madmatt (Bow Down to the King). Joined: April 2002; Location: New York; Posts: 13,312; Reputation: 4090; Power: 297

Re: Spam via Web Forms, Suggestions?

It may come down to that unless there are any other suggestions.

#4, July 8th, 2008
LordOfLA (Godlike!). Joined: February 2004; Location: Salisbury, Wiltshire, UK; Posts: 7,031; Blog Entries: 5; Reputation: 4137; Power: 213

Re: Spam via Web Forms, Suggestions?

Captcha.

If HK-47 and GLaDOS had a child, the character they create would cause the video game world to overdose on awesome. -sheridanmovieguy: Dragon age forum user.
#5, July 8th, 2008
Geffy (OSNN Veteran Addict, OSNN Folding Team). Joined: March 2002; Location: United Kingdom; Posts: 7,805; Reputation: 1490; Power: 217

Re: Spam via Web Forms, Suggestions?

http://recaptcha.net/ or else run everything through a spam filter like http://akismet.com/

• blog • tumblog • lastfm • flickr • #rubyonrails • @twitter
"I could be replaced with a very small shell script"
#6, July 8th, 2008
kcnychief (█▄█ ▀█▄ █, OSNN Folding Team). Joined: April 2005; Location: Massachusetts; Posts: 16,949; Reputation: 4941; Power: 305

Re: Spam via Web Forms, Suggestions?

Yeah, captcha. I'd be interested in how else it could be done though. I'm developing something offline for now which will be using a captcha, but honestly I think it's fugly; I would prefer something more hidden.

XBOX Live Gamertag: kcnychief
#7, July 8th, 2008
LordOfLA (Godlike!). Joined: February 2004; Location: Salisbury, Wiltshire, UK; Posts: 7,031; Blog Entries: 5; Reputation: 4137; Power: 213

Re: Spam via Web Forms, Suggestions?

remove the submit form button

No forms. No spam.

#8, July 8th, 2008
madmatt (Bow Down to the King). Joined: April 2002; Location: New York; Posts: 13,312; Reputation: 4090; Power: 297

Re: Spam via Web Forms, Suggestions?

Originally Posted by LordOfLA:
    remove the submit form button

    No forms. No spam.

Winner of the best suggestion yet award. K? THX.

#9, July 8th, 2008
Geffy (OSNN Veteran Addict, OSNN Folding Team). Joined: March 2002; Location: United Kingdom; Posts: 7,805; Reputation: 1490; Power: 217

Re: Spam via Web Forms, Suggestions?

There's a lot to be said for the old "read-only" web.

#10, July 10th, 2008
madmatt (Bow Down to the King). Joined: April 2002; Location: New York; Posts: 13,312; Reputation: 4090; Power: 297

Re: Spam via Web Forms, Suggestions?

So I disabled the form and the client is still complaining. It became obvious that the spammers are calling the action file. But that makes me wonder: how are they injecting information into it without filling out the form?

Hopefully that makes sense.

#11, July 10th, 2008
Geffy (OSNN Veteran Addict, OSNN Folding Team). Joined: March 2002; Location: United Kingdom; Posts: 7,805; Reputation: 1490; Power: 217

Re: Spam via Web Forms, Suggestions?

Originally Posted by madmatt:
    So I disabled the form and the client is still complaining. It became obvious that the spammers are calling the action file. But that makes me wonder: how are they injecting information into it without filling out the form?

    Hopefully that makes sense.

Well, that's simple: if they've looked at the form then they know the form field names. Once they've got that, why do they need to write something to fill in your form first? They can just send an HTTP POST request with the required form field data. This is how a regular browser works; the only purpose of the form is for the human to provide values for the form fields the user agent needs to send to the form action.

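Geffy's point is that the action script only ever sees an HTTP POST, so nothing about the protocol forces the client to have loaded the form page first. As an added example (not code from this thread), here is a small Python check that runs over web-server access log lines and flags POSTs to the action file from client addresses that never fetched the form page earlier in the log. The log lines, the IP addresses, and the paths /contact.html (the form) and /contact-action.php (the action file) are constructed for the example, not the poster's real site.

```python
# Added example: spot POSTs to a form's action script from clients that never
# loaded the form. Log lines are constructed in Apache "combined" format.
import re
from collections import defaultdict

FORM_PAGE = "/contact.html"          # assumed path of the page that holds the form
ACTION_FILE = "/contact-action.php"  # assumed path of the action file

# One combined-format line: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one real visitor, one bot posting twice, one bot with a forged Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2008:09:01:12 +0000] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2008:09:02:40 +0000] "POST /contact-action.php HTTP/1.1" 200 512 "http://example.test/contact.html" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2008:09:03:01 +0000] "POST /contact-action.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jul/2008:09:03:02 +0000] "POST /contact-action.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.33 - - [10/Jul/2008:09:05:00 +0000] "POST /contact-action.php HTTP/1.1" 200 512 "http://example.test/contact.html" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_direct_posts(text):
    """Return {ip: count} of POSTs to the action file whose client never
    fetched the form page earlier in the log. The Referer header is ignored
    on purpose: it is client-supplied and trivially set to any value."""
    seen_form = set()
    suspicious = defaultdict(int)
    for rec in parse_log(text):
        if rec["method"] == "GET" and rec["path"] == FORM_PAGE:
            seen_form.add(rec["ip"])
        elif rec["method"] == "POST" and rec["path"] == ACTION_FILE:
            if rec["ip"] not in seen_form:
                suspicious[rec["ip"]] += 1
    return dict(suspicious)


if __name__ == "__main__":
    for ip, n in find_direct_posts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POST(s) to {ACTION_FILE} without loading {FORM_PAGE}")
```

The third client in the sample sends a Referer that looks exactly like the real visitor's, yet never requested the form page, which is why the check keys on the request history per address rather than on the Referer header. A pass like this over the logs is a quick way to confirm what Geffy describes before choosing a countermeasure.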
#12, July 10th, 2008
madmatt (Bow Down to the King). Joined: April 2002; Location: New York; Posts: 13,312; Reputation: 4090; Power: 297

Re: Spam via Web Forms, Suggestions?

So how do we prevent this from happening?

#13, July 10th, 2008
LordOfLA (Godlike!). Joined: February 2004; Location: Salisbury, Wiltshire, UK; Posts: 7,031; Blog Entries: 5; Reputation: 4137; Power: 213

Re: Spam via Web Forms, Suggestions?

blacklist the IP(s) spamming.

#14, July 10th, 2008
X-Istence (*). Joined: December 2001; Location: USA; Posts: 6,496; Reputation: 2808; Power: 220

Re: Spam via Web Forms, Suggestions?

or Captcha.

You can even do what speedy_b does, and that is give them a math problem to solve.
#15, July 11th, 2008
Geffy (OSNN Veteran Addict, OSNN Folding Team). Joined: March 2002; Location: United Kingdom; Posts: 7,805; Reputation: 1490; Power: 217

Re: Spam via Web Forms, Suggestions?

Originally Posted by madmatt:
    So how do we prevent this from happening?

Remove the action file? If you still need the form to work, you will have to use either captcha or some spam filtering rules/service.

#16, July 11th, 2008
falconguard (Carbon based lifeform, OSNN Folding Team). Joined: February 2004; Location: SoCal; Posts: 3,406; Reputation: 2305; Power: 158

Re: Spam via Web Forms, Suggestions?

can you put in a javascript function to display the field?

#17, July 11th, 2008
Geffy (OSNN Veteran Addict, OSNN Folding Team). Joined: March 2002; Location: United Kingdom; Posts: 7,805; Reputation: 1490; Power: 217

Re: Spam via Web Forms, Suggestions?

Not terribly nice for people with JS turned off, while their numbers are declining they are still there.

Matt, can you generate a unique token for each user session and maybe put that in a hidden field in the form and then check for its presence in the action file? That should at least stop casual POST'ing to the action file without first hitting up the form.

The token could be generated from the session key but should not actually be the session key; the reason is they could make one hit to your site, trap the key and then start POST'ing to the form action again. It should also be temporal but be determinable for a set period of time. If they don't submit the form within, say, 5 minutes it should reject the request.

Dunno if you use Rails at all, but the protect_from_forgery setting does a lot of this for you.

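One way to implement the session-bound, time-limited token Geffy describes, as an added Python example (not the thread's code and not Rails' protect_from_forgery): the token is an HMAC over the session id and an issue timestamp under a server-side secret, so it is derived from the session key without revealing it, and the action script rejects it once the 5-minute window has passed. The secret value, the cookie name sid and the hidden field name form_token are assumptions made for the example.

```python
# Added example: per-session, time-limited form token checked by the action script.
import hmac
import hashlib
import time

SERVER_SECRET = b"constructed-placeholder-secret-keep-out-of-the-repo"  # assumed value
TOKEN_TTL = 5 * 60  # the 5 minute window suggested in the post


def _mac(session_id, issued_at):
    """HMAC-SHA256 over (session id, issue time). The session id itself is
    never sent to the client inside the token; only this MAC is."""
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Called when the form is rendered; value for the hidden form_token field."""
    issued_at = int(now if now is not None else time.time())
    return f"{issued_at}.{_mac(session_id, issued_at)}"


def verify_token(token, session_id, now=None):
    """Return (ok, reason). Rejects missing, malformed, foreign-session and stale tokens."""
    now = int(now if now is not None else time.time())
    if not token or "." not in token:
        return False, "missing token"
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False, "malformed token"
    issued_at = int(ts_str)
    # Constant-time compare against a MAC recomputed for *this* session and timestamp.
    if not hmac.compare_digest(mac, _mac(session_id, issued_at)):
        return False, "token not issued for this session"
    if now - issued_at > TOKEN_TTL or issued_at > now:
        return False, "token expired"
    return True, "ok"


def render_form(session_id, now=None):
    """Hidden field carried alongside the visible inputs (assumed field name)."""
    return f'<input type="hidden" name="form_token" value="{issue_token(session_id, now)}" />'


def handle_post(form, cookies, now=None):
    """Minimal action-script logic: session id comes from the cookie, token from the form."""
    sid = cookies.get("sid")  # assumed cookie name
    if not sid:
        return False, "no session"
    return verify_token(form.get("form_token"), sid, now)


if __name__ == "__main__":
    sid = "sess_demo"
    print(render_form(sid))
    print(handle_post({"form_token": issue_token(sid)}, {"sid": sid}))
```

Because the MAC binds the timestamp, a client cannot extend its lifetime by editing the visible digits, and because it binds the session id, a token captured from one session is useless with another cookie. Anyone who does load the form and submit within the window still gets through, which is the limit Geffy notes ("casual POST'ing"); the token buys time and forces the bot to hold a session, it is not a captcha.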
#18, July 22nd, 2008
Xander Zerge (OSNN One Post Wonder). Joined: November 2004; Posts: 1; Reputation: 0; Power: 0

Re: Spam via Web Forms, Suggestions?

About 95% of casual web surfers have JavaScript enabled in their browsers. A simple message asking the remaining 5% to enable JavaScript for the page is much better than annoying all your visitors every time they visit your site (or even a page) by requiring them to recognize captcha images, answer anti-bot questions, solve brainteasers, etc.
There are automated solutions which can obfuscate HTML code and make it totally unreadable for spambots, except only those which execute every JavaScript on the page, which is still computationally ineffective, especially in the age of so-called "Web 2.0".
I am developing one such solution, Web Form Anti-Spam, so if anyone is ever interested in my recommendations, feel free to contact me directly; I would like to avoid being called a "forum spammer" here.

One of the simplest methods to stop spam bots is to rename fields to less obvious names and place hidden fields with the old, frequently used names, like "email", "phone", "message", etc. For example:
...
<input type="text" name="i13kfsl" value="" />
<input type="text" name="email" value="" style="display:none" />
...
When processing the form data in the server script, ensure that the "email" value is still empty and accept the "i13kfsl" field value as the e-mail address typed by the visitor. This measure is helpful because spambots try to fill all the fields they see, especially those with frequently used names.

style="display:none" is a simple method of hiding the bot-catching field. You can use different styles to achieve that effect, by making it zero-height or positioning it absolutely at some negative position. Keeping the hiding style in an external CSS file will hide the style itself; spambots are not smart enough to read, parse and interpret styles to find all the catches.

Xander Zerge
www.zerge.com
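Server-side handling of the renamed-field plus hidden-decoy trick from the post above, as an added Python example (not Zerge's product and not code from the post): the real fields get per-session random names that are remembered server-side, the decoy keeps the attractive name "email", and the action script rejects any submission in which the decoy is non-empty. The function names, the name prefix and the class hp (meant to be hidden by a rule in an external stylesheet, as the post advises) are assumptions made for the example.

```python
# Added example: renamed real fields, a decoy field with the old name, and the
# server-side acceptance rule that goes with them.
import secrets

DECOY_NAME = "email"  # the frequently used name a bot is expected to fill in


def new_field_map(real_fields, rng=secrets.token_hex):
    """Map each real field (e.g. 'email', 'message') to a fresh random name.
    Store the result in the session so the action script can reverse it."""
    field_map, used = {}, {DECOY_NAME}
    for f in real_fields:
        name = "f" + rng(4)
        while name in used:           # never collide with the decoy or each other
            name = "f" + rng(4)
        used.add(name)
        field_map[f] = name
    return field_map


def render_fields(field_map):
    """Visible inputs use the random names; the decoy keeps the old name and a
    class that an external stylesheet hides, so no inline style gives it away."""
    parts = [f'<input type="text" name="{field_map[f]}" value="" />' for f in field_map]
    parts.append(f'<input type="text" name="{DECOY_NAME}" value="" class="hp" />')
    return "\n".join(parts)


def classify_submission(post, field_map):
    """Return ('accept', data) or ('reject', reason) for a decoded POST body."""
    # Rule 1: a human never sees the decoy, so any value in it means a bot.
    if post.get(DECOY_NAME, "") != "":
        return "reject", "decoy field filled"
    # Rule 2: translate the random names back to the real ones; all must be present.
    data = {}
    for real, obscured in field_map.items():
        if obscured not in post:
            return "reject", f"missing field {real}"
        data[real] = post[obscured]
    # Rule 3: the real e-mail field (under its random name) must carry a value.
    if not data.get("email"):
        return "reject", "empty email"
    return "accept", data


if __name__ == "__main__":
    fm = new_field_map(["email", "message"])
    print(render_fields(fm))
    human = {fm["email"]: "alice@example.test", fm["message"]: "hello", DECOY_NAME: ""}
    print(classify_submission(human, fm))
```

The map must be regenerated per session (or per render) and kept server-side; a fixed random name is just a new name for a bot to learn once. Note that a bot which copies the page's field names but leaves "email" blank still passes this check, which is why Zerge presents it as one of the simplest measures rather than a complete one.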