Spam via Web Forms, Suggestions?

madmatt

Awesome is as awesome does.
Political Access
Joined
5 Apr 2002
Messages
13,314
I have a client or two that is receiving upwards of 100 spam messages a day from the forms on their web site. I am already using error checking, and on the form in question a check box must be checked before the form can be submitted.

I have attached a screen capture so you can see the spam.

Does anyone have any suggestions to prevent this from happening?

Thank you.
 

Attachments: Capture.JPG (131.5 KB)

madmatt

Awesome is as awesome does.
Political Access
Joined
5 Apr 2002
Messages
13,314
It may come down to that unless there are any other suggestions.
 

kcnychief

Political Access
Joined
8 Apr 2005
Messages
16,950
Yeah, captcha. I'd be interested in how else it could be done though. I'm developing something offline for now which will be using a captcha but honestly I think it's fugly :) I would prefer something more hidden.
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
There's a lot to be said for the old "read-only" web.
 

madmatt

Awesome is as awesome does.
Political Access
Joined
5 Apr 2002
Messages
13,314
So I disabled the form and the client is still complaining. It became obvious that the spammers are calling the action file. But, that makes me wonder how are they injecting information into it without filling out the form?

Hopefully that makes sense.
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
> So I disabled the form and the client is still complaining. It became obvious that the spammers are calling the action file. But, that makes me wonder how are they injecting information into it without filling out the form?
>
> Hopefully that makes sense.

Well, that's simple: if they've looked at the form then they know the form field names. Once they've got that, why do they need to write something to fill in your form first? They can just send an HTTP POST request with the required form field data. This is how a regular browser works; the only purpose of the form is for the human to provide values for the form fields the user agent needs to send to the form action.
 

madmatt

Awesome is as awesome does.
Political Access
Joined
5 Apr 2002
Messages
13,314
So how do we prevent this from happening?
 

X-Istence

*
Political Access
Joined
5 Dec 2001
Messages
6,498
or Captcha.

You can even do what speedy_b does, and that is give them a math problem to solve.
 

falconguard

Carbon based lifeform
Political Access
Joined
11 Feb 2004
Messages
3,406
Can you put in a JavaScript function to display the field?
 

Geffy

OSNN Veteran Addict
Joined
18 Mar 2002
Messages
7,805
Not terribly nice for people with JS turned off, while their numbers are declining they are still there.

Matt, can you generate a unique token for each user session, put that in a hidden field in the form, and then check for its presence in the action file? That should at least stop casual POSTing to the action file without first hitting up the form.

The token could be generated from the session key but should not actually be the session key. The reason is that they could make one hit to your site, trap the key and then start POSTing to the form action again. It should also be temporal but be determinable for a set period of time. If they don't submit the form within, say, 5 minutes it should reject the request.

Dunno if you use Rails at all, but the protect_from_forgery setting does a lot of this for you.
 
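An added example (not code from the thread or from any of its posters) of the token scheme Geffy describes: the hidden field carries an HMAC derived from the session id and an issue time, so the session key itself never appears in the token, a token trapped from one session is useless in another, and anything older than five minutes is rejected. The secret, the session ids and the 300-second lifetime are assumptions made for the example; in a real deployment the secret comes from configuration and the session id from the server-side session.

```python
import hashlib
import hmac
import time

# Assumed server-side secret; load from configuration, never from the client.
SERVER_SECRET = b"replace-with-a-long-random-value"
TOKEN_TTL_SECONDS = 300  # the "say 5 minutes" window from the post


def make_form_token(session_id, now=None):
    """Return "<issued_at>.<mac>" to embed in the form's hidden field.

    The MAC binds the token to this session and to its issue time. A bot that
    captures its own session id cannot mint tokens without SERVER_SECRET, and
    the session id is not recoverable from the token.
    """
    issued_at = int(time.time()) if now is None else int(now)
    msg = f"{session_id}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_form_token(token, session_id, now=None):
    """Accept only an unexpired token that was minted for this session."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    age = now - issued_at
    if age < 0 or age > TOKEN_TTL_SECONDS:
        return False  # future-dated or older than the allowed window
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}|{issued_at}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(mac, expected)


def handle_action(post_fields, session_id, now=None):
    """What the form's action script does before it looks at the message.

    post_fields is the decoded POST body; session_id comes from the visitor's
    session cookie (assumed to exist in this example).
    """
    token = post_fields.get("form_token")
    if token is None:
        return "rejected: no token (direct POST to the action file)"
    if not verify_form_token(token, session_id, now):
        return "rejected: bad or expired token"
    return "accepted"


if __name__ == "__main__":
    # Rendering the form: mint a token for the visitor's session.
    token = make_form_token("sess-A")
    print('<input type="hidden" name="form_token" value="%s" />' % token)
    # Submission from the same session within the window passes.
    print(handle_action({"form_token": token, "message": "hello"}, "sess-A"))
    # A bot that skipped the form and POSTs straight to the action is refused.
    print(handle_action({"message": "buy now"}, "sess-A"))
```

The check stops the case the thread is seeing, a POST sent without ever loading the form. A bot that does fetch the form with a session cookie gets a valid token for five minutes, so this is a floor rather than a complete answer and is best combined with the other measures discussed in the thread.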

Xander Zerge

OSNN One Post Wonder
Joined
11 Nov 2004
Messages
1
About 95% of casual web surfers have JavaScript enabled in their browsers. A simple message asking the remaining 5% to enable JavaScript for the page is much better than annoying all your visitors every time they visit your site (or even page) by making them recognise captcha images, answer anti-bot questions, solve brainteasers, etc.
There are automated solutions which can obfuscate HTML code and make it totally unreadable for spambots, except only those which execute every piece of JavaScript on the page, which is still computationally ineffective, especially in the age of so-called "Web 2.0".
I am developing one such solution, Web Form Anti-Spam, so if anyone is ever interested in my recommendations, feel free to contact me directly; I would like to avoid being called a "forum spammer" here. :)

One of the simplest methods to stop spam bots is to rename fields to less obvious names and place hidden fields with the old, frequently used names, like "email", "phone", "message", etc. For example:
...
<input type="text" name="i13kfsl" value="" />
<input type="text" name="email" value="" style="display:none" />
...
When processing the form data in the server script, ensure that the "email" value is still empty and accept the "i13kfsl" field value as the e-mail address typed by the visitor. This measure is helpful because spambots try to fill all the fields they see, especially those with frequently used names.

style="display:none" is a simple method of hiding the bot-catching field. You can use different styles to achieve that effect, by making it zero-height or positioning it absolutely at some negative offset. Keeping the hiding style in an external CSS file will hide the style itself; spambots are not smart enough to read, parse and interpret styles to find all the catches.
 
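An added example (not code from the thread, from Xander Zerge's product, or from anyone in the thread) that ties Geffy's point about direct POSTs to the honeypot technique above: the bot half scrapes every field name out of the form markup and fills all of them, exactly as a browser-less spammer would; the server half keeps a map from the obfuscated names to their meaning and rejects any submission in which a decoy field came back non-empty. The form markup, the field names, the decoy set and the spam payload are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed form in the style of the post: the real e-mail and message fields
# carry unguessable names, the decoys keep the obvious ones and are hidden.
FORM_HTML = """
<form method="post" action="/contact.php">
  <input type="text" name="i13kfsl" value="" />
  <input type="text" name="email" value="" style="display:none" autocomplete="off" />
  <textarea name="x8q2ttp"></textarea>
  <textarea name="message" style="display:none"></textarea>
  <input type="submit" value="Send" />
</form>
"""

# Server-side view of the form (assumed, lives only on the server):
# obfuscated name -> meaning, and the decoy names that must stay empty.
REAL_FIELDS = {"i13kfsl": "email", "x8q2ttp": "message"}
HONEYPOTS = {"email", "message"}


class FieldCollector(HTMLParser):
    """Collects every named input/textarea/select, as a scraping bot does."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "textarea", "select") and a.get("name"):
            if a.get("type") == "submit":
                return
            self.names.append(a["name"])


def collect_field_names(html):
    """Field names a bot learns from one look at the form."""
    p = FieldCollector()
    p.feed(html)
    return p.names


def bot_post_body(html, payload="http://spam.example/"):
    """A naive spambot: no browser, no CSS, every field gets the payload."""
    return urlencode({name: payload for name in collect_field_names(html)})


def human_post_body(email, message):
    """A browser submits hidden fields too, but with their empty values."""
    return urlencode(
        {"i13kfsl": email, "email": "", "x8q2ttp": message, "message": ""}
    )


def process_submission(body):
    """The action script: decoys must be empty, real data comes from the
    obfuscated names. Returns a dict describing the decision."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for decoy in sorted(HONEYPOTS):
        if fields.get(decoy, ""):
            return {"accepted": False, "reason": f"honeypot '{decoy}' was filled"}
    data = {meaning: fields.get(obf, "") for obf, meaning in REAL_FIELDS.items()}
    if "@" not in data["email"]:
        return {"accepted": False, "reason": "invalid e-mail"}
    if not data["message"].strip():
        return {"accepted": False, "reason": "empty message"}
    return {"accepted": True, "data": data}


if __name__ == "__main__":
    print("bot sees fields:", collect_field_names(FORM_HTML))
    print("bot:", process_submission(bot_post_body(FORM_HTML)))
    print("human:", process_submission(human_post_body("alice@example.com", "hi there")))
```

The `autocomplete="off"` on the decoy is the caveat a practitioner will want: browsers autofill fields named "email", and a real visitor whose browser silently fills the hidden decoy looks exactly like a bot. Rejected submissions should also be logged rather than dropped silently for the same reason.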
