Spam via Web Forms, Suggestions?

madmatt

I have a client or two that is receiving upwards of 100 spam messages a day from the forms on their web site. I am already using error checking and on the form in question a check box must be checked prior to being able to submit.

I have attached a screen capture so you can see the spam.

Does anyone have any suggestions to prevent this from happening?

Thank you.
 

Attachments

  • Capture.JPG
It may come down to that unless there are any other suggestions.
 
Yeah, captcha. I'd be interested in how else it could be done though. I'm developing something offline for now which will be using a captcha but honestly I think it's fugly :) I would prefer something more hidden.
 
There's a lot to be said for the old "read-only" web.
 
So I disabled the form and the client is still complaining. It became obvious that the spammers are calling the action file. But, that makes me wonder how are they injecting information into it without filling out the form?

Hopefully that makes sense.
 
Well, that's simple: if they've looked at the form, then they know the form field names. Once they've got that, why do they need to write something to fill in your form first? They can just send an HTTP POST request with the required form field data. This is how a regular browser works; the only purpose of the form is for the human to provide values for the form fields the user agent needs to send to the form action.
 
So how do we prevent this from happening?
 
or Captcha.

You can even do what speedy_b does, and that is give them a math problem to solve.
 
Can you put in a JavaScript function to display the field?
 
Not terribly nice for people with JS turned off; while their numbers are declining, they are still there.

Matt, can you generate a unique token for each user session and maybe put that in a hidden field in the form and then check for its presence in the action file? That should at least stop casual POST'ing to the action file without first hitting up the form.

The token could be generated from the session key but should not actually be the session key; the reason is they could make one hit to your site, trap the key and then start POST'ing to the form action again. It should also be temporal but be determinable for a set period of time. If they don't submit the form within, say, 5 minutes, it should reject the request.

Dunno if you use Rails at all, but the protect_from_forgery setting does a lot of this for you.
 
About 95% of casual web surfers have JavaScript enabled in their browsers. A simple message asking to enable JavaScript for the page, shown to the remaining 5%, is much better than annoying all your visitors every time they visit your site (or even page) by requiring them to recognize captcha images, answer anti-bot questions, solve brainteasers, etc.
There are automated solutions which can obfuscate HTML code and make it totally unreadable for spambots, except only those which execute every JavaScript on the page, which is still computationally inefficient, especially in the age of so-called "Web 2.0".
I am developing one such solution, Web Form Anti-Spam, so if anyone is ever interested in my recommendations, feel free to contact me directly - I would like to avoid being called a "forum spammer" here. :)

One of the simplest methods to stop spam bots is to rename fields to less obvious names and place hidden fields with old, frequently used names, like "email", "phone", "message", etc. For example:
...
<input type="text" name="i13kfsl" value="" />
<input type="text" name="email" value="" style="display:none" />
...
When processing form data in the server script, ensure that the "email" value is still empty and accept the "i13kfsl" field value as the e-mail address typed by the visitor. This measure is helpful because spambots try to fill all fields they see, especially those with frequently used names.

style="display:none" is a simple method of hiding the bot-catching field. You can use different styles to achieve that effect, by making it zero-height or positioning it absolutely at some negative position. Keeping the hiding style in an external CSS file will hide the style itself; spambots are not smart enough to read, parse and interpret styles to find all the catches.
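As an added example that is not part of any post in this thread, the following Python sketch of a form-action handler combines the two server-side defences proposed above: the session-bound hidden token that expires after 5 minutes (derived here with an HMAC so it never exposes the session key itself) and the honeypot check on the hidden "email" field, with the real address read from the obscurely named "i13kfsl" field. The secret, session id and form data are constructed placeholders.

```python
import hashlib
import hmac
import time

# Constructed placeholder: in production load a random secret from config.
SERVER_SECRET = b"example-secret-change-me"
TOKEN_TTL = 300               # reject forms not submitted within 5 minutes
REAL_EMAIL_FIELD = "i13kfsl"  # obscurely named visible field from the thread
HONEYPOT_FIELD = "email"      # hidden field that bots are expected to fill

def _mac(session_id, ts):
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def make_token(session_id, now=None):
    """Token for the hidden field: timestamp + HMAC over (session id, timestamp).
    Derived from the session key but reveals nothing about it."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_mac(session_id, ts)}"

def token_is_valid(token, session_id, now=None):
    """Accept only a token bound to this session and at most TOKEN_TTL seconds old."""
    now = int(time.time() if now is None else now)
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:                   # missing or malformed token
        return False
    if not 0 <= now - ts <= TOKEN_TTL:   # expired, or timestamp from the future
        return False
    return hmac.compare_digest(mac, _mac(session_id, ts))

def handle_post(form, session_id, now=None):
    """Action-file logic: returns ('accepted', email) or ('rejected', reason)."""
    if not token_is_valid(form.get("token", ""), session_id, now):
        return ("rejected", "missing, forged or expired token")
    if form.get(HONEYPOT_FIELD, "").strip():
        return ("rejected", "hidden 'email' field was filled in")
    email = form.get(REAL_EMAIL_FIELD, "").strip()
    if not email:
        return ("rejected", "no e-mail address supplied")
    return ("accepted", email)

if __name__ == "__main__":
    sid, t0 = "session-1234", 1_700_000_000     # constructed sample session and clock
    form = {"token": make_token(sid, t0), REAL_EMAIL_FIELD: "jo@example.com"}
    print(handle_post(form, sid, t0 + 60))       # ('accepted', 'jo@example.com')
```

A direct POST to the action file without first loading the form has no valid token and is rejected before the honeypot is even consulted.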
 
