
How To Stop The Spambot From Submitting The Form


13 replies to this topic

#1 rolf

    HR 6

  • Active Members
  • 675 posts
  • Location:Suffolk UK

Posted 18 March 2009 - 11:19 AM

I have a client who has a contact form on their site. Soon after the site went live last year they started getting masses of junk submissions.

The submissions suggest that the spammer thinks they're able to use the form to send out email by including cc/bcc email headers, although I checked it all out and it doesn't seem like that is possible.

The volume of the spam suggests that it is generated by a bot, so the first change I made was to put in a 'captcha' style word recognition system. This didn't seem to have any effect.

Then I changed the location of the script that actually sends the mail, in case they had a cached version of the original form without the captcha thing, but that didn't work either.

The next thing I did was to examine the sender's IP, which changes frequently, so that excludes my next idea of temporary or permanent blocking of IPs.

Next I put a regex in the email submission script to disallow the sending of forms that include URLs and to send them to an error page. This has effectively stopped the spam from getting to my client, but it is still burning through bandwidth and skewing the site statistics for page views, bandwidth etc., and the bot doesn't seem to be giving up.

Any suggestions about how I could trip the bot up or send it an error or something to get it go away?

#2 Andy_Seo

    HR 4

  • Active Members
  • 237 posts
  • Location:Welwyn Garden City

Posted 18 March 2009 - 11:56 AM

I had a similar problem with my forum and I used to get 150 new registered users a day, posting nonsense! So what I did was install (it's phpBB) a series of questions in the registration phase, which has worked a treat. I get absolutely no spam whatsoever now, although more members would be nice!

Can you install a '2+2=_' or 'Is fire hot or cold' spam control field?

#3 Randy

    Convert Me!

  • Moderator
  • 17,540 posts

Posted 18 March 2009 - 12:29 PM

I did something similar with my personal blog, Andy. To make a comment the question is "What is Randy's name?"

Rolf, one thing I did on my email forms to combat spambots that was quite effective was to put a normal old Reset button on the form next to the Submit button. Then I gave that Reset button a name, e.g.

CODE
<input type="reset" value="Reset" name="B7">


Then in my little php script that handles the mailing my very first lines look like:

CODE
<?php
// A browser never sends a reset button in the POST body. Bots submit every
// named input they find on the page, so the presence of B7 means a bot.
if (isset($_POST['B7'])) {
    echo "Sorry, automated submission detected.  All processes halted.";
    exit();
}


It doesn't stop them from submitting, but they only get a minimalistic form submission page that's just a few bytes bandwidth. No graphics, no html. Just one line of text.

The theory behind the madness is that normal submissions will never have the Reset as part of the POST string. It's a reset button after all. But the spam bots only read the code on the page and make sure to submit every form input field, in case one of them requires information in order to complete the submission.

My form processing script checks for other things too. Like BCC and CC fields, someone trying to set a MIME Type and even <a href html code they'd want to put around their links. The combination has gotten my mail contact form down from getting spammed dozens of times per day to about once per month on average.
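As an added example (not Randy's script or any code from this thread), here is a Python version of the checks described above: the decoy Reset field, a guard against cc/bcc header fields and injected header lines, and the <a href and URL filters. The field names and sample submissions are constructed.

```python
import re

# Decoy Reset button from Randy's post (name="B7"). A browser never includes a
# reset button in the POST body; a bot that submits every input it finds will.
HONEYPOT_FIELD = "B7"

# Field names a contact form never legitimately has; a bot probing for a
# mail relay sends these hoping the script copies them into the headers.
HEADER_FIELDS = {"cc", "bcc", "to"}

# Text that only makes sense as a mail header or as link spam.
HEADER_TEXT = re.compile(r"^\s*(cc|bcc|to|content-type|mime-version)\s*:", re.I)
HTML_LINK = re.compile(r"<\s*a\s[^>]*href", re.I)
BARE_URL = re.compile(r"https?://|www\.", re.I)


def screen_submission(fields):
    """Return None for a clean submission, else a short rejection reason.

    fields maps POST parameter name -> value, in the order received.
    """
    if HONEYPOT_FIELD in fields:
        return "automated submission detected"
    for name, value in fields.items():
        if name.lower() in HEADER_FIELDS:
            return f"unexpected mail header field {name}"
        # A CR or LF in a value that is copied into a mail header would
        # start a new header line, so it is refused outright.
        if "\r" in value or "\n" in value:
            return f"line break in field {name}"
        if HEADER_TEXT.search(value):
            return f"mail header text in field {name}"
        if HTML_LINK.search(value):
            return f"HTML link in field {name}"
        if BARE_URL.search(value):
            return f"URL in field {name}"
    return None


# Constructed sample submissions, not taken from the thread.
LEGIT = {"name": "Jane", "email": "jane@example.com",
         "message": "Could you quote for a logo redesign?", "Submit": "Send"}
BOT = dict(LEGIT, B7="Reset")  # a bot "presses" the Reset button too
INJECT = dict(LEGIT, message="hi\r\nBcc: someone@example.net")
LINKSPAM = dict(LEGIT, message='cheap <a href="http://example.org">pills</a>')

if __name__ == "__main__":
    for label, sub in [("legit", LEGIT), ("bot", BOT), ("inject", INJECT), ("linkspam", LINKSPAM)]:
        print(label, "->", screen_submission(sub) or "accepted")
```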

#4 rolf

    HR 6

  • Active Members
  • 675 posts
  • Location:Suffolk UK

Posted 18 March 2009 - 04:08 PM

Thanks for the suggestions. Good idea about sending them a simple text error message to save bandwidth. If I can't get them to go away at least I can try to minimise the annoyance.


#5 Michael Martinez

    HR 10

  • Active Members
  • 5,120 posts
  • Location:Georgia

Posted 18 March 2009 - 04:51 PM

The script should be set to reject any offsite activations. Something like this:
CODE
# $homeurl holds the site's own URL; refuse any call whose Referer does not contain it
if ( $ENV{HTTP_REFERER} !~ /$homeurl/ ) {
    die "Posting script called from outside domain.\n";
}


The text message is not necessary.

#6 Randy

    Convert Me!

  • Moderator
  • 17,540 posts

Posted 18 March 2009 - 05:16 PM

You can't do it quite that simply without causing genuine users some grief Michael. Unfortunately.

The reason being that there are some very popular A/V firewalls out there (Norton's Anti-Virus being one of them) that do not report any referrer information back to the server at all. So you have to either construct your form processing script to accept your domain and no value, stopping someone from hotlinking to your form processing script but not direct accesses, or you hard code the referrer as you suggest and stop 'em if the referrer isn't your domain, but also offer an email address on the error page for the real people that end up there.

Either of those would give real users a way to get in touch with you and stop at least some spambots. The latter of course may well start getting your own email address spammed to death since the spambots tend to try to extract email addresses they run across. Which defeats the purpose if you go to the trouble of hiding your support email address from the spambots like I do.
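An added example, not code from the thread, contrasting Michael's substring-style Referer check with the "own domain or no value" variant Randy describes; the site host is an assumed value.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumed host of the site serving the form


def referer_allowed_naive(referer, homeurl=SITE_HOST):
    """Michael's one-liner as posted: pass if homeurl appears anywhere in the
    Referer. A missing header fails, and so does any real user whose
    firewall or browser strips it."""
    return re.search(re.escape(homeurl), referer or "") is not None


def referer_allowed(referer, site_host=SITE_HOST):
    """Randy's variant: accept the site's own host or no Referer at all,
    rejecting only a Referer that names some other host.

    referer is the raw header value, or None when the client sent none.
    """
    if not referer:
        return True
    # Compare the parsed host rather than searching the whole URL: a
    # substring match also passes http://other.example/?u=http://www.example.com
    # and http://www.example.com.other.example/.
    host = (urlsplit(referer).hostname or "").lower()
    return host == site_host.lower()


if __name__ == "__main__":
    for ref in (None, "http://www.example.com/contact.html",
                "http://other.example/?u=http://www.example.com"):
        print(repr(ref), "naive:", referer_allowed_naive(ref),
              "parsed:", referer_allowed(ref))
```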

#7 Michael Martinez

    HR 10

  • Active Members
  • 5,120 posts
  • Location:Georgia

Posted 19 March 2009 - 12:42 PM

QUOTE(Randy @ Mar 18 2009, 03:16 PM)
You can't do it quite that simply without causing genuine users some grief Michael. Unfortunately.

The reason being that there are some very popular A/V firewalls out there (Norton's Anti-Virus being one of them) that do not report any referrer information back to the server at all. So you have to either construct your form processing script to accept your domain and no value, stopping someone from hotlinking to your form processing script but not direct accesses, or you hard code the referrer as you suggest and stop 'em if the referrer isn't your domain, but also offer an email address on the error page for the real people that end up there.


I agree the method could be expanded as you propose, but for the record in all the years that I've used this method in my posting scripts, I've never had anyone contact me about not being able to use the forms from within a firewall. I've received plenty of "Your form is broken" emails when script permissions weren't set right (after server moves, redesigns, etc.). Nothing about firewall incompatibilities.

I think each site has to figure out for itself what works best for its community. I hope the suggestions in this discussion help a lot of people.



#8 Since 1996

    HR 1

  • Members
  • 7 posts
  • Location:Southern Ohio, US

Posted 19 March 2009 - 09:59 PM

QUOTE(Andy_Seo @ Mar 18 2009, 12:56 PM)
Can you install a '2+2=_' or 'Is fire hot or cold' spam control field?


Random questions totally eliminated spam from forms for me. I made up about 20 of them.


#9 internetdominus

    HR 2

  • Members
  • 20 posts

Posted 25 March 2009 - 02:24 AM

How about the old captcha image? Isn't that faster? Or is it not as effective?

#10 Randy

    Convert Me!

  • Moderator
  • 17,540 posts

Posted 25 March 2009 - 06:26 AM

Do captchas work to stop spambots? Yes, most of the time they do.

Is it easier than a random question? Not really.

Are captchas better? Not necessarily.

Some spam bots can even process captchas nowadays, but few are smart enough to figure out what to them is a random question, let alone discern the correct answer. Even when the correct answer is given in the question!

Plus in my own market surveys some users still have difficulty with captcha images, even though they're out there a lot more these days than they were a few years ago. Especially older users, presumably because the eyes just aren't as good when we get older. In some more whimsical circumstances (mainly with personal sites where a bit of humor was injected) most of my test subjects found the secret question thing more entertaining or informative than captcha. And in some ecomm situations I've actually been able to increase conversions simply by using a secret question as a trust building element.

Have I mentioned lately that I tend to test anything and everything?

#11 rolf

    HR 6

  • Active Members
  • 675 posts
  • Location:Suffolk UK

Posted 25 March 2009 - 06:22 PM

QUOTE
Have I mentioned lately that I tend to test anything and everything?


No, I did not know that, you've never said... :-P

I had a captcha thing on the form, but it didn't do any good. Stopping the form from submitting URLs stopped the spam from getting through, but so far nothing has stopped the bots from trying over and over, which is the main thing I'm trying to do in an attempt to stop them wasting bandwidth and processor power. Neither of these wastages is at a problematic level, it's just annoying and it skews the statistics.

#12 Randy

    Convert Me!

  • Moderator
  • 17,540 posts

Posted 25 March 2009 - 09:16 PM

Is there anything in the user-agent string for the spambots you can use as a trigger Rolf?

That's really the only way to keep them from even accessing the form at all. If it's a sophisticated one it'll probably be emulating a normal browser user-agent. You can never tell though, some miss the little things.

The only other thing I can think of that you may be able to do is to actually require a cookie be set to use that page. In theory no real users should hit the contact form page first, so if you attempt to set a cookie on every other page, then query to see if it's there before displaying the contact form that may slow them down. It would have to be a really sophisticated spambot, or a straight out browser hack to actually accept cookies.

You'd want to give real users who may not accept cookies another option though. Those should be few and far between, but if using the contact form is important it'll be something to keep in mind.

#13 1dmf

    Keep Asking, Keep Questioning, Keep Learning

  • Active Members
  • 2,167 posts
  • Location:Worthing - England

Posted 26 March 2009 - 05:19 AM

Rolf, my penny's worth:

HTTP_REFERER (spelt wrong for a start!) is unreliable and cannot be used server side. Firefox can be told to specifically withhold the referer URL as it's all part of this 'privacy' argument.

CAPTCHA is everywhere these days, but I don't know if you're like me, they drive me nuts. I have rather good 20/20 vision, in fact better than normal vision as glaucoma runs in the family, so it actually gives you better eyesight in your youth (ok, no funny comments please) and only really affects you as you get old and the glaucoma sets in. Anyway, I find it hard to work out those CAPTCHA things, so think how someone with slightly impaired vision finds them. IMHO CAPTCHA flies in the face of 'W3C accessibility guidelines' anyway.

Adding an additional field or question can be OK, but if they really want to spam you the BOT is either cleverer than that or they visit your site and adjust the BOT coding accordingly!

So what's the likelihood of a visually impaired person using a browser with JavaScript enabled, compared to being able to read a CAPTCHA?

And how many BOTs can run JavaScript?

So what I do (used on the pattayaholidayflats website) is use AJAX to load the webform. That way 99.9% of BOTs never even know a form exists on my site.

Well that's how I do it. YMMV!

Well that's how I do it smile.gif YMMV!

Edited by 1dmf, 26 March 2009 - 05:27 AM.


#14 fcu1

    HR 1

  • Members
  • 5 posts

Posted 27 May 2009 - 08:28 PM

QUOTE(rolf @ Mar 25 2009, 07:22 PM)
No, I did not know that, you've never said... :-P

I had a captcha thing on the form, but it didn't do any good. Stopping the form from submitting URLs stopped the spam from getting through, but so far nothing has stopped the bots from trying over and over, which is the main thing I'm trying to do in an attempt to stop them wasting bandwidth and processor power. Neither of these wastages is at a problematic level, it's just annoying and it skews the statistics.


Like someone mentioned above, you could use JavaScript to dynamically create the form on page load. I've done this on one occasion where I had the contact information (telephone and address) inside a DIV, and upon page load a form and its child elements would be written into a previously empty DIV directly above the contact info. It certainly leaves those without JavaScript in the cold, but a bot won't try to submit a form that it doesn't know about. As someone who has done a fair amount of web scraping, I can say with a very high amount of certainty that 99.9% of bots are not executing the JavaScript on the pages.



