with captcha I still get spam

[sorin21us]

I put this captcha on my site but I still get spam from my contact page.
What do you recommend me?

[semantic7]

I prefer to use simple math questions like what is 22 + 19 ? Seems to work a lot better than captcha. I also use a form key which is unique and changes upon each refresh. Since then spam has almost disappeared.

[sorin21us]

I looked for a captcha math tut or script but I didn't find one. If u have the script or a link with this please give me that.

[semantic7]

Try this

I generally build my own based on the requirement.

[sorin21us]

Thank you. I will try it.

[cranial-bore]

If your contact form is being spammed your script is probably being used to send messages to a list of recipients that the spammer inputs. Have you added any protection against Header Injection?

[Rubble]

One simple thing that can help is do not call your contact page contact!

I also added some code to detect if the email has a link and reject it before it was sent.

[semantic7]

Do you mean reject the email or strip out the links ? Some times legit emails can have links in them.

Some measures that work effectively against spam are...

Create a form key that is unique each time the form is loaded and match it with the a copy saved on server.

Reject message if user agent string is blank.

Limit the number of times the form can be used by a particular IP. Lot of grief saved that way. I limit mine to two in 6 hrs.

One simple thing that can help is do not call your contact page contact!

I also added some code to detect if the email has a link and reject it before it was sent.

[sorin21us]

I saw that someone from Illinois goes direct to my contact page and, after that day, the whole week I got spam without that someone goes to my contact page. And every week is the same with that Illinois, with a different IP: one day goes to the contact page, because I see who visited me, and the rest of the week sends spam without using the contact form.
Because I'm a beginner I'm wonder how the robots can fill out the name, email, message, and to pass, because I put js validation and php, and after they put the numbers and letters from captcha??

Thank you for helping me. The only thing that I know that will be easy for me to do it is to put a math captcha.

If you have any tutorial or link that can show me how to put more security, then a math captcha I will appreciate.

[logic_earth]

Take down the contact page, and the script that handle it down from the server completely until you get it sorted out.

[sorin21us]

That's not hard to do it, I mean to take it down, but do you think a math captcha will be enough ?

[logic_earth]

That's not hard to do it, I mean to take it down, but do you think a math captcha will be enough ?

No, CAPTCHAs are severally broken, they are not suited for stopping spam.

[sorin21us]

Ok, I see, then please tell me what else will stop spam? What should I look for? Give an idea .

[fristi]

Ok, I see, then please tell me what else will stop spam? What should I look for? Give an idea .

maybe you will find this interesting:
http://www.sitepoint.com/article/cap...s-alternatives

[semantic7]

Did you read my post above ?

[Rubble]

I put a note saying:

Links will be classed as SPAM and so will be rejected. If you would like to send us a link please use the form and we will supply you with an email address that will not reject links.

[cranial-bore]

Try this. Disable your form action script so that it does not attempt to actually send anything (call exit; before the critical moment). You can put a notice on your page to alert users. Maybe even hide the form with JS to stop legit users using it while you get this sorted.
Then log the exact input that is coming to your form handling script. Log the IP and all POST variables so you can see what is being posted. Once you have a suspicious entry you might want to post here for some advice.
If you are the victim of header injection (Wikipedia via Google will help here) you might see input like this for your user email address field:

Code:

spammer@example.com
BCC:victim1@example.com,victim2@example.com

If your script is chucking that value into your mail headers you've probably been spamming a list of victims supplied by the spammer.

[Jake Arkinstall]

The OP said he is receiving spam, not that his form is being used to send it to other victims, so stopping header injections etc won't really help here.

Assuming it isn't ending to other victims:

Captchas don't work for one simple reason. Whilst most spam is sent by spambots, alot of spam is sent by a person, who would obviously be able to comprehend the captcha.

So, look at the spam you're getting. What's different about it than any legitimate mail that you get? Certain names? Specific words?

You can filter the form by spotting certain phrases etc, identifying it as spam.

Maybe you could do some email-validation, so that they enter an email and have to confirm it by clicking a link in an email sent to them, before their email is sent to you?

You could then have a link sent in the email you receive from your script saying 'spammer?'. By clicking on it, you'll update a database of emails to block. If you get many from a specific private domain, you could also block emails from that domain.

That would not only prevent spambots, but put human spammers off posting - especially if they need to use varying email addresses/domains just to get their message sent.

[sorin21us]

I saw semantic7 what you said, but the their IP is different every time, even is the same state from US. And I get a spam sometimes one time in day, sometimes once in a week. So if I limit, I can't limit to 5 days.

arkinstall is right. Sometimes I get spam and I don't see that someone used the form to send it.

I looked closer for the past visitors and I saw that the Illinois IP came to my site from a google search. They searched for mishu.com and my site has that word in the domain name. After this visit I got spam with no visitors. And again the that Illinois, with a diff IP, came to my site from the same google search: mishu.com.

[gamemerlin]

hmmm...

not sure what is happening, but I've been told there is software that can actually scrape the screen and read capture letters. Best thing to do is use capture that actually obfuscates the letters and maybe use math equations, as that type of software may not understand logic type questions

if you can't get a math captcha try a captcha that creates a random sentence and asks for the position of a random word in that sentence. Same idea to avoid screen scrapers

[sorin21us]

hmmm...

not sure what is happening, but I've been told there is software that can actually scrape the screen and read capture letters. Best thing to do is use capture that actually obfuscates the letters and maybe use math equations, as that type of software may not understand logic type questions

if you can't get a math captcha try a captcha that creates a random sentence and asks for the position of a random word in that sentence. Same idea to avoid screen scrapers

fristi gave me a link for something like that. I will try first the math captcha from semantic7

[semantic7]

You could also try things like A cat is a a)animal b)bird c)insect d)none of the above. Have radio buttons by the side for the user to pick an answer. It would be very difficult for the bot to come up with the right answer. The another thing you could try is have a field that is hidden by css and call it email2 or last name and check if it has any value when the form is submitted. A bot would put something in that field for sure.

[sorin21us]

You could also try things like A cat is a a)animal b)bird c)insect d)none of the above. Have radio buttons by the side for the user to pick an answer. It would be very difficult for the bot to come up with the right answer. The another thing you could try is have a field that is hidden by css and call it email2 or last name and check if it has any value when the form is submitted. A bot would put something in that field for sure.

That's a good point. I will try every option to not get that spam any more.

[Rubble]

I used this one on a site that works well: http://identipic.com/

[rageh]

Arkinstall, what you suggested is a little too drastic I think.

Besides the captcha, I suggest that you try the 'honey trap' technique as an additional anti-spam measure. I find both these techniques deployed together work very effectively.