  1. #1
    SitePoint Addict sorin21us's Avatar

    with captcha I still get spam

    I put this captcha on my site but I still get spam from my contact page.
    What do you recommend?

  2. #2
    SitePoint Addict
    I prefer to use simple math questions like what is 22 + 19 ? Seems to work a lot better than captcha. I also use a form key which is unique and changes upon each refresh. Since then spam has almost disappeared.

  3. #3
    SitePoint Addict sorin21us's Avatar
    I looked for a captcha math tutorial or script but I didn't find one. If you have the script or a link to one, please give it to me.

  4. #4
    SitePoint Addict
    Try this

    I generally build my own based on the requirement.

  5. #5
    SitePoint Addict sorin21us's Avatar
    Thank you. I will try it.

  6. #6
    SitePoint Wizard cranial-bore's Avatar
    If your contact form is being spammed your script is probably being used to send messages to a list of recipients that the spammer inputs. Have you added any protection against Header Injection?

  7. #7
    SitePoint Mentor silver trophy
    Rubble's Avatar
    One simple thing that can help is do not call your contact page contact!

    I also added some code to detect if the email has a link and reject it before it was sent.

  8. #8
    SitePoint Addict
    Do you mean reject the email or strip out the links? Sometimes legit emails can have links in them.

    Some measures that work effectively against spam are...

    Create a form key that is unique each time the form is loaded and match it with a copy saved on the server.

    Reject message if user agent string is blank.

    Limit the number of times the form can be used by a particular IP. Lot of grief saved that way. I limit mine to two in 6 hrs.

    Quote Originally Posted by Rubble View Post
    One simple thing that can help is do not call your contact page contact!

    I also added some code to detect if the email has a link and reject it before it was sent.

  9. #9
    SitePoint Addict sorin21us's Avatar
    I saw that someone from Illinois went directly to my contact page and, after that day, I got spam the whole week without anyone going to my contact page. Every week it is the same with that Illinois visitor, with a different IP: one day they go to the contact page (I can see who visited me), and the rest of the week they send spam without using the contact form.
    Because I'm a beginner, I'm wondering how the robots can fill out the name, email and message and get through, because I put in JS and PHP validation, and how they then enter the numbers and letters from the captcha?

    Thank you for helping me. The only thing I know that will be easy for me to do is to put in a math captcha.

    If you have any tutorial or link that can show me how to add more security than a math captcha, I would appreciate it.

  10. #10
    . shoooo... silver trophy logic_earth's Avatar
    Take the contact page, and the script that handles it, down from the server completely until you get it sorted out.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  11. #11
    SitePoint Addict sorin21us's Avatar
    That's not hard to do, I mean to take it down, but do you think a math captcha will be enough?

  12. #12
    . shoooo... silver trophy logic_earth's Avatar
    Quote Originally Posted by sorin21us View Post
    That's not hard to do, I mean to take it down, but do you think a math captcha will be enough?

    No, CAPTCHAs are severely broken; they are not suited for stopping spam.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  13. #13
    SitePoint Addict sorin21us's Avatar
    OK, I see. Then please tell me, what else will stop spam? What should I look for? Give me an idea.

  14. #14
    messing with my mind fristi's Avatar
    Quote Originally Posted by sorin21us View Post
    OK, I see. Then please tell me, what else will stop spam? What should I look for? Give me an idea.

    Maybe you will find this interesting:
    http://www.sitepoint.com/article/cap...s-alternatives
    To PHP or to Perl, that is the question!
    (Bucket - simpletest) User

  15. #15
    SitePoint Addict
    Did you read my post above ?

  16. #16
    SitePoint Mentor silver trophy
    Rubble's Avatar
    I put a note saying:
    Links will be classed as SPAM and so will be rejected. If you would like to send us a link please use the form and we will supply you with an email address that will not reject links.

  17. #17
    SitePoint Wizard cranial-bore's Avatar
    Try this. Disable your form action script so that it does not attempt to actually send anything (call exit; before the critical moment). You can put a notice on your page to alert users. Maybe even hide the form with JS to stop legit users using it while you get this sorted.
    Then log the exact input that is coming to your form handling script. Log the IP and all POST variables so you can see what is being posted. Once you have a suspicious entry you might want to post here for some advice.
    If you are the victim of header injection (Wikipedia via Google will help here) you might see input like this for your user email address field:
    Code:
    spammer@example.com
    BCC:victim1@example.com,victim2@example.com
    If your script is chucking that value into your mail headers you've probably been spamming a list of victims supplied by the spammer.
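
The logging and header-injection check described in the post above, as an added example that is not part of the original post. The field names (name, email, message), the log file location and the webform@example.com sender are assumptions.

```php
<?php
// Added example, not code from the thread. Field names, the log path and the
// sender address are assumptions.

// A value that ends up in a mail header must be a single line: a CR or LF
// lets the sender start a new header such as BCC:.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n]/', $value);
}

// Returns a clean address, or null if the field cannot be used in a header.
function safe_header_email(string $raw): ?string
{
    if (has_header_injection($raw)) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// One log line per submission: time, IP and every POST field. JSON encoding
// shows embedded line breaks as \r\n instead of splitting the log entry.
function log_line(string $ip, array $post): string
{
    $entry = ['time' => gmdate('c'), 'ip' => $ip, 'post' => $post];
    return (string) json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed sample input, modelled on the value shown in the post above.
$post = [
    'name'    => 'Test',
    'email'   => "spammer@example.com\r\nBCC:victim1@example.com,victim2@example.com",
    'message' => 'hello',
];
$log = sys_get_temp_dir() . '/contact-form.log';
file_put_contents($log, log_line('203.0.113.7', $post) . "\n", FILE_APPEND);

$replyTo = safe_header_email($post['email']);
if ($replyTo === null) {
    echo "rejected: email field is not a single valid address\n";
    exit;   // stop before anything is sent
}
// Only reached for a clean address: fixed From, visitor's address in Reply-To.
$headers = "From: webform@example.com\r\nReply-To: $replyTo";
echo "would call mail() with headers:\n$headers\n";
```

In a live handler `$post` would be `$_POST` and the IP would come from `$_SERVER['REMOTE_ADDR']`.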

  18. #18
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    The OP said he is receiving spam, not that his form is being used to send it to other victims, so stopping header injections etc won't really help here.

    Assuming it isn't sending to other victims:

    Captchas don't work for one simple reason. Whilst most spam is sent by spambots, a lot of spam is sent by a person, who would obviously be able to comprehend the captcha.

    So, look at the spam you're getting. What's different about it than any legitimate mail that you get? Certain names? Specific words?

    You can filter the form by spotting certain phrases etc, identifying it as spam.

    Maybe you could do some email-validation, so that they enter an email and have to confirm it by clicking a link in an email sent to them, before their email is sent to you?

    You could then have a link sent in the email you receive from your script saying 'spammer?'. By clicking on it, you'll update a database of emails to block. If you get many from a specific private domain, you could also block emails from that domain.

    That would not only prevent spambots, but put human spammers off posting - especially if they need to use varying email addresses/domains just to get their message sent.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  19. #19
    SitePoint Addict sorin21us's Avatar
    semantic7, I saw what you said, but their IP is different every time, even if it is the same US state. And I get spam sometimes once a day, sometimes once a week. So if I limit, I can't limit to 5 days.

    arkinstall is right. Sometimes I get spam and I don't see that someone used the form to send it.

    I looked closer at the past visitors and I saw that the Illinois IP came to my site from a Google search. They searched for mishu.com and my site has that word in the domain name. After this visit I got spam with no visitors. And again that Illinois visitor, with a different IP, came to my site from the same Google search: mishu.com.

  20. #20
    SitePoint Member
    hmmm...

    Not sure what is happening, but I've been told there is software that can actually scrape the screen and read captcha letters. The best thing to do is use a captcha that actually obfuscates the letters and maybe use math equations, as that type of software may not understand logic-type questions.

    If you can't get a math captcha, try a captcha that creates a random sentence and asks for the position of a random word in that sentence. Same idea to avoid screen scrapers.

  21. #21
    SitePoint Addict sorin21us's Avatar
    Quote Originally Posted by gamemerlin View Post
    hmmm...

    Not sure what is happening, but I've been told there is software that can actually scrape the screen and read captcha letters. The best thing to do is use a captcha that actually obfuscates the letters and maybe use math equations, as that type of software may not understand logic-type questions.

    If you can't get a math captcha, try a captcha that creates a random sentence and asks for the position of a random word in that sentence. Same idea to avoid screen scrapers.

    fristi gave me a link for something like that. I will first try the math captcha from semantic7.

  22. #22
    SitePoint Addict
    You could also try things like: A cat is a: a) animal b) bird c) insect d) none of the above. Have radio buttons by the side for the user to pick an answer. It would be very difficult for the bot to come up with the right answer. Another thing you could try is to have a field that is hidden by CSS, call it email2 or last name, and check if it has any value when the form is submitted. A bot would put something in that field for sure.
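
The server-side checks suggested in this thread (the per-load form key, blank user agent rejection and "two in 6 hrs" per-IP limit from post #8, plus the CSS-hidden email2 field from the post above), combined in one added example that is not code from any poster. The form_key field name, the session layout and the in-memory hit store are assumptions.

```php
<?php
// Added example, not code from the thread. Field names (form_key, email2),
// the session array and the in-memory hit store are assumptions.
const MAX_SENDS   = 2;          // "two in 6 hrs"
const SEND_WINDOW = 6 * 3600;   // seconds

// Call when rendering the form: a fresh key per load, copy kept server-side.
function issue_form_key(array &$session): string
{
    $session['form_key'] = bin2hex(random_bytes(16));
    return $session['form_key'];
}

// Returns null if the submission passes, otherwise the reason for rejecting it.
function check_submission(array $post, array $server, array &$session, array &$hits, int $now): ?string
{
    $expected = $session['form_key'] ?? '';
    unset($session['form_key']);                 // single use, even on failure
    $given = $post['form_key'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'form key missing or stale';
    }
    if (trim((string) ($server['HTTP_USER_AGENT'] ?? '')) === '') {
        return 'blank user agent';
    }
    if (($post['email2'] ?? '') !== '') {        // field hidden by CSS
        return 'honeypot field filled in';
    }
    $ip = $server['REMOTE_ADDR'] ?? 'unknown';
    $recent = array_filter($hits[$ip] ?? [], fn($t) => $t > $now - SEND_WINDOW);
    if (count($recent) >= MAX_SENDS) {
        return 'rate limit reached for this IP';
    }
    $recent[] = $now;                            // count only accepted sends
    $hits[$ip] = array_values($recent);
    return null;
}

// Constructed requests: a normal send, a replay of the same key, and a bot
// that fills in the hidden field.
$session = []; $hits = []; $now = time();
$server  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'Mozilla/5.0'];
$key = issue_form_key($session);
var_dump(check_submission(['form_key' => $key], $server, $session, $hits, $now));
var_dump(check_submission(['form_key' => $key], $server, $session, $hits, $now));
$key = issue_form_key($session);
var_dump(check_submission(['form_key' => $key, 'email2' => 'x'], $server, $session, $hits, $now));
```

In a live handler the arrays would be `$_POST`, `$_SERVER` and `$_SESSION`, and `$hits` would need a store that persists between requests, such as a database table or a file.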

  23. #23
    SitePoint Addict sorin21us's Avatar
    Quote Originally Posted by semantic7 View Post
    You could also try things like: A cat is a: a) animal b) bird c) insect d) none of the above. Have radio buttons by the side for the user to pick an answer. It would be very difficult for the bot to come up with the right answer. Another thing you could try is to have a field that is hidden by CSS, call it email2 or last name, and check if it has any value when the form is submitted. A bot would put something in that field for sure.

    That's a good point. I will try every option to not get that spam any more.

  24. #24
    SitePoint Mentor silver trophy
    Rubble's Avatar
    I used this one on a site that works well: http://identipic.com/

  25. #25
    SitePoint Guru rageh's Avatar
    Arkinstall, what you suggested is a little too drastic I think.

    Besides the captcha, I suggest that you try the 'honey trap' technique as an additional anti-spam measure. I find both these techniques deployed together work very effectively.