  1. #1
    SitePoint Addict singersower's Avatar

    Question .. it's fairly easy to stop the form spam.

    So I read this in the other post and I'm wondering how is this?

    I have a site that I have implemented CAPTCHA with all the forms and the poor company keeps getting all kinds of nasty emails.

    Can anyone point me in the right direction for what I should be looking for?

    This site is on a Windows server and as far as I can tell, does not have an IP deny for their email. Do they need to change hosts and get one that has an IP deny capability or is there another way to stop the madness?

    thank you so much for taking time to help
    Singersower
    HopeSpring Design

  2. #2
    SitePoint Wizard bronze trophy
    My first thought is that the captcha implementation is flawed. Consider doing some analytics on the forms, and the code logic. Make sure these emails really are coming from the forms.

    You may also want to look at
    http://spamassassin.apache.org/

  3. #3
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Well, the spam could be coming from a lot of places, not necessarily their form. Upgrading to a decent mail service with some spam filters should help, as should a good analysis of the site's mail forms for any flaws.

  4. #4
    SitePoint Zealot
    Various strategies to stop forum or, indeed, any automatic 'bot' form posting that can be implemented I know of include:

    If a submission includes HTML rather than allowable characters, then simply don't display/store/email it.

    When a form is submitted amongst other info in the header is the ip from which it was posted. So you should be able to ban posts from that IP. (Problematic however if it is a big service provider like AOL. Also ip allocation can be dynamic, the ip you get from your provider may be given to someone else next time you log out and back in. More usual with dial up services though)

    Use of a Captcha, see http://en.wikipedia.org/wiki/Capcha (software can now break most of these)

    Use of a Maths Captcha (ask the user to do a simple sum) (Again can be broken by simple software, harder if the numbers are turned into pictures before being displayed)

    Show a random picture, eg cat, cow etc and ask the user what is in the picture. (Fiddly but works well) etc

    Add a hidden field to the form that the client browser doesn't display. The robot will not know that it shouldn't be filled in and will do so. If the Server receives a form with that field filled in, it wasn't submitted by a human (good method, but some speech readers for blind folk may read it out, so not totally foolproof in stopping humans from filling it in)

    And, finally, the one I like: send a time-stamp out as part of the form from the server, put it in a hidden field. When the form is returned (submitted) check the server time-stamp again and compare with the timestamp in the hidden field. Let's say we use 20 secs as our threshold. If the form is returned within 20 secs it is likely that a computer filled it in and returned it, if it took more than 20 secs then probably a human read it before filling it in.

    A combination of the three, a picture based maths captcha, hidden form field and minimum time mean that as far as I can tell none of the forms I create get any automated postings.

    Anyone have any more ideas? I'd love to hear about them.
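
    The hidden-field and minimum-time checks described in the post above, as an added server-side example that is not part of the original thread. Signing the timestamp with an HMAC (so a bot cannot simply submit an old number) and the upper age limit are additions; the field names `website` and `ts_token` and the secret are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"replace-with-random-server-secret"  # assumption: kept server-side only
MIN_FILL_SECONDS = 20         # threshold used in the post above
MAX_FORM_AGE_SECONDS = 3600   # assumption: refuse tokens older than one hour
HONEYPOT_FIELD = "website"    # hypothetical field, hidden from humans with CSS


def _sign(ts):
    """HMAC-SHA256 over the timestamp string, hex encoded."""
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for the hidden timestamp field: '<unix time>.<HMAC>'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted form given as a dict."""
    now = time.time() if now is None else now
    # 1. Honeypot: a human never sees this field, so any content means a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # 2. The timestamp must be one this server issued; a bare number is forgeable.
    ts, _, mac = form.get("ts_token", "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad token"
    if not hmac.compare_digest(mac.encode(), _sign(ts).encode()):
        return False, "bad token"
    # 3. Minimum fill time, plus an upper bound so old tokens cannot be replayed.
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "expired"
    return True, "ok"
```

    Call `issue_token()` when rendering the form and `check_submission()` before the message is stored or emailed; a rejected submission should simply be dropped.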

  5. #5
    SitePoint Member
    Are you sure they are not sending spam directly to the email addresses? Having a Captcha on an email form won't stop them from emailing directly if they know the address.

    It may sound stupid, but also check that the Captcha is actually verified. If there is a way to submit the form even when the Captcha is incorrect, it obviously won't prevent anything.

  6. #6
    SitePoint Enthusiast UglyDogDesigns's Avatar
    I also had this problem and if it is a bot that scanned your pages to pull email addresses like it did mine then what worked for me was to break up your email address into pieces like the following... The bots can't seem to read the scripts...

    Code:
    <%
    ToAdP1 = "user"
    ToAdP2 = "domain"
    ToAdP3 = "com"
    ToAddress = ToAdP1 & "@" & ToAdP2 & "." & ToAdP3
    %>
    Then just add the ToAddress variable to where you address the To object for sending the email message...

    ...
    objMessage.To = ToAddress
    ...
    Last edited by UglyDogDesigns; Sep 16, 2008 at 11:06. Reason: Left out info...
    Craig McGuire
    Current Design : UglyDogDesigns.com
    New Design: UglyDogDesigns.com

  7. #7
    SQL Consultant gold trophysilver trophybronze trophy
    r937's Avatar
    here's my approach --

    if the contents of the form contain the substring 'http://' anywhere, it's spam, so they get a 403

    would a spammer be a spammer if no url is included in the message?

    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

