Thread: with captcha I still get spam
-
May 26, 2009, 17:08 #1
with captcha I still get spam
I put this captcha on my site but I still get spam from my contact page.
What do you recommend?
-
May 26, 2009, 17:56 #2
I prefer to use simple math questions like what is 22 + 19 ? Seems to work a lot better than captcha. I also use a form key which is unique and changes upon each refresh. Since then spam has almost disappeared.
-
May 26, 2009, 18:34 #3
I looked for a captcha math tut or script but I didn't find one. If you have the script or a link with this please give me that.
-
May 26, 2009, 18:47 #4
Try this
I generally build my own based on the requirement.
-
May 26, 2009, 19:39 #5
Thank you. I will try it.
-
May 26, 2009, 23:06 #6
If your contact form is being spammed your script is probably being used to send messages to a list of recipients that the spammer inputs. Have you added any protection against Header Injection?
-
May 27, 2009, 00:12 #7
One simple thing that can help is do not call your contact page contact!
I also added some code to detect if the email has a link and reject it before it was sent.
-
May 27, 2009, 00:28 #8
Do you mean reject the email or strip out the links? Sometimes legit emails can have links in them.
Some measures that work effectively against spam are...
Create a form key that is unique each time the form is loaded and match it with a copy saved on the server.
Reject message if user agent string is blank.
Limit the number of times the form can be used by a particular IP. Lot of grief saved that way. I limit mine to two in 6 hrs.
-
May 27, 2009, 00:53 #9
I saw that someone from Illinois goes directly to my contact page and, after that day, I got spam the whole week without that someone going to my contact page. And every week it is the same with that Illinois visitor, with a different IP: one day they go to the contact page, because I see who visited me, and the rest of the week they send spam without using the contact form.
Because I'm a beginner I'm wondering how the robots can fill out the name, email and message and get through, because I put in JS validation and PHP, and after that they enter the numbers and letters from the captcha??
Thank you for helping me. The only thing that I know will be easy for me to do is to put in a math captcha.
If you have any tutorial or link that can show me how to add more security than a math captcha, I would appreciate it.
-
May 27, 2009, 01:10 #10
Take the contact page, and the script that handles it, down from the server completely until you get it sorted out.
-
May 27, 2009, 01:18 #11
That's not hard to do, I mean to take it down, but do you think a math captcha will be enough?
-
May 27, 2009, 01:22 #12
-
May 27, 2009, 01:24 #13
Ok, I see, then please tell me what else will stop spam? What should I look for? Give me an idea.
-
May 27, 2009, 01:27 #14
maybe you will find this interesting:
http://www.sitepoint.com/article/cap...s-alternatives
-
May 27, 2009, 01:30 #15
Did you read my post above ?
-
May 27, 2009, 04:45 #16
I put a note saying:
Links will be classed as SPAM and so will be rejected. If you would like to send us a link please use the form and we will supply you with an email address that will not reject links.
-
May 27, 2009, 06:36 #17
Try this. Disable your form action script so that it does not attempt to actually send anything (call exit; before the critical moment). You can put a notice on your page to alert users. Maybe even hide the form with JS to stop legit users using it while you get this sorted.
Then log the exact input that is coming to your form handling script. Log the IP and all POST variables so you can see what is being posted. Once you have a suspicious entry you might want to post here for some advice.
If you are the victim of header injection (Wikipedia via Google will help here) you might see input like this for your user email address field:
Code:
spammer@example.com BCC:victim1@example.com,victim2@example.com
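The logging step and header-injection check described in post #17, as an added example that is not part of the original post. The field names, log location and sample input are assumptions constructed for illustration.

```php
<?php
// Added example. Field names and the log path are assumptions, not from the thread.

// Form fields whose values end up in mail headers (From, Reply-To, Subject).
const HEADER_FIELDS = ['name', 'email', 'subject'];

// Return the names of header-bound fields that contain a line break
// (raw or URL-encoded) or an embedded header name. This is deliberately
// strict: any hit means the value must not be passed to mail().
function find_header_injection(array $post): array {
    $bad = [];
    foreach (HEADER_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)
            || preg_match('/[\r\n]|%0[ad]/i', $value)
            || preg_match('/\b(to|cc|bcc|content-type)\s*:/i', $value)) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Append one JSON line per submission: time, IP, raw POST and flagged fields.
// json_encode escapes CR/LF, so a hostile value cannot forge extra log lines.
function log_submission(string $logFile, array $server, array $post): array {
    $flagged = find_header_injection($post);
    $entry = [
        'time'    => date('c'),
        'ip'      => $server['REMOTE_ADDR'] ?? 'unknown',
        'post'    => $post,
        'flagged' => $flagged,
    ];
    file_put_contents($logFile, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);
    return $flagged;
}

// Constructed sample input, modelled on the value quoted in the post.
$post = [
    'name'    => 'Visitor',
    'email'   => "spammer@example.com\r\nBCC:victim1@example.com,victim2@example.com",
    'message' => 'Hello',
];
$server  = ['REMOTE_ADDR' => '203.0.113.5']; // documentation-range address
$flagged = log_submission(sys_get_temp_dir() . '/contact-form.log', $server, $post);
echo $flagged ? 'flagged: ' . implode(', ', $flagged) . "\n" : "clean\n";
exit; // as the post suggests: stop here, before anything is sent
```

In a live handler, pass `$_SERVER` and `$_POST` instead of the sample arrays and keep the log file outside the web root.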
-
May 27, 2009, 07:08 #18
The OP said he is receiving spam, not that his form is being used to send it to other victims, so stopping header injections etc won't really help here.
Assuming it isn't sending to other victims:
Captchas don't work for one simple reason. Whilst most spam is sent by spambots, a lot of spam is sent by a person, who would obviously be able to comprehend the captcha.
So, look at the spam you're getting. What's different about it than any legitimate mail that you get? Certain names? Specific words?
You can filter the form by spotting certain phrases etc, identifying it as spam.
Maybe you could do some email-validation, so that they enter an email and have to confirm it by clicking a link in an email sent to them, before their email is sent to you?
You could then have a link sent in the email you receive from your script saying 'spammer?'. By clicking on it, you'll update a database of emails to block. If you get many from a specific private domain, you could also block emails from that domain.
That would not only prevent spambots, but put human spammers off posting - especially if they need to use varying email addresses/domains just to get their message sent.
Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes it's enough to make that wheel more rounded" - Molona
-
May 27, 2009, 10:37 #19
I saw what you said, semantic7, but their IP is different every time, even though it is the same state in the US. And I get spam sometimes once a day, sometimes once a week. So if I limit, I can't limit to 5 days.
arkinstall is right. Sometimes I get spam and I don't see that someone used the form to send it.
I looked closer at the past visitors and I saw that the Illinois IP came to my site from a Google search. They searched for mishu.com and my site has that word in the domain name. After this visit I got spam with no visitors. And again that Illinois visitor, with a different IP, came to my site from the same Google search: mishu.com.
-
May 27, 2009, 12:50 #20
hmmm...
not sure what is happening, but I've been told there is software that can actually scrape the screen and read captcha letters. Best thing to do is use a captcha that actually obfuscates the letters and maybe use math equations, as that type of software may not understand logic type questions
if you can't get a math captcha try a captcha that creates a random sentence and asks for the position of a random word in that sentence. Same idea to avoid screen scrapers
-
May 27, 2009, 13:09 #21
-
May 27, 2009, 13:51 #22
You could also try things like: A cat is a) an animal b) a bird c) an insect d) none of the above. Have radio buttons by the side for the user to pick an answer. It would be very difficult for the bot to come up with the right answer. Another thing you could try is to have a field that is hidden by CSS, call it email2 or last name, and check if it has any value when the form is submitted. A bot would put something in that field for sure.
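The server-side checks listed in post #8 (form key, blank user agent, per-IP limit) and the hidden field from post #22, combined into one validator as an added example that is not part of the original posts. The `form_key` field name, the array-backed stores and the sample request are assumptions; `email2` and the limit of two per six hours come from the posts.

```php
<?php
// Added example. Storage is passed in as arrays so the logic runs offline;
// a real handler would pass $_SESSION and a database- or file-backed hit store.

const MAX_PER_WINDOW = 2;          // "two in 6 hrs" from post #8
const WINDOW_SECONDS = 6 * 3600;

// Call when rendering the form; put the returned key in a hidden input.
function issue_form_key(array &$session): string {
    $session['form_key'] = bin2hex(random_bytes(16));
    return $session['form_key'];
}

// Returns a list of rejection reasons; an empty list means the post passed.
function check_submission(array $post, array $server, array &$session,
                          array &$hits, int $now): array {
    $reasons = [];

    // 1. Form key must match the server copy and is consumed on first use.
    $expected = $session['form_key'] ?? '';
    unset($session['form_key']);
    $given = $post['form_key'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        $reasons[] = 'bad form key';
    }

    // 2. Reject a blank user agent string.
    if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
        $reasons[] = 'blank user agent';
    }

    // 3. Honeypot: email2 is hidden by CSS, so a person leaves it empty.
    if (($post['email2'] ?? '') !== '') {
        $reasons[] = 'honeypot filled';
    }

    // 4. Per-IP limit: keep only attempts inside the window, then count.
    $ip = $server['REMOTE_ADDR'] ?? 'unknown';
    $recent = array_filter($hits[$ip] ?? [], fn($t) => $t > $now - WINDOW_SECONDS);
    if (count($recent) >= MAX_PER_WINDOW) {
        $reasons[] = 'rate limit';
    }
    $hits[$ip] = array_merge(array_values($recent), [$now]);
    return $reasons;
}

// Constructed request: guessed key, no user agent, honeypot filled in.
$session = []; $hits = [];
issue_form_key($session);
$bot = ['form_key' => 'guess', 'email2' => 'x@example.com', 'message' => 'hi'];
print_r(check_submission($bot, ['REMOTE_ADDR' => '203.0.113.5'], $session, $hits, time()));
```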
-
May 27, 2009, 14:14 #23
-
May 27, 2009, 14:15 #24
I used this one on a site that works well: http://identipic.com/
-
May 27, 2009, 14:22 #25
Arkinstall, what you suggested is a little too drastic I think.
Besides the captcha, I suggest that you try the 'honey trap' technique as an additional anti-spam measure. I find both these techniques deployed together work very effectively.