Help with Contact Form Honeypot

I’ve set up a ‘Honeypot’ Contact Form, but still get spam.
Here is the code:

<head>
...
<style>
.zip{
visibility: collapse;
}
</style>
...
</head>
<body>
...
<form action='../submit.php' method='post' name='myform' onSubmit="return checkemail()">
<textarea name="message" value="placeholder text" input type="text" onfocus="this.style.color='#f2f2f2';
this.value='';">Contact us - Enter your message here...</textarea>

<input class="form-control" type="text" id="name" name="name" maxlength="50" placeholder="Name">
<input class="form-control" type="text" id="email" name="email" maxlength="50" placeholder="Email">

<input name="zip" type="text" id="zip" class="zip" autocomplete="false">

<input class="btn btn-action" type='submit' value="Send Message">
</form>
...
</body>
<?php
//check if form was sent
if($_POST){
$to = 'contactForm@....com';
$subject = 'ContactForm';

$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
$headers = $name;
$message .= "\r\n\r\n" . $name;
//honey pot field
$honeypot = $_POST['zip'];
//check if the honeypot field is filled out. If not, send mail.
if( $honeypot > 1 ){
return;
}else{
mail( $to, $subject, $message, $email, $headers );
}
}
?>

I received several spam replies all similar to this (instead of legitimate email address, message and name):

wade.carlson@gmail.com

Contact us - Enter your message here…

5ad16ea0879f7

Any help/suggestions on how to fix this so no (or very little) spam gets sent, will be appreciated.

This makes no sense, you do not get any real numbers from a form. Just check with

var_dump($honeypot);
var_dump($honeypot > 1);

What you need is empty().

Also, this is not a spam protection script; this is actually a spam bot itself.

Stop using mail(); take a wrapper like PHPMailer or Swiftmailer.

You’re using honeypot the wrong way. The honeypot is supposed to be invisible to human eyes. Bots typically type in any text field regardless of styles or JavaScript. If you are a legitimate person, modern browsers typically have CSS and JavaScript turned on. So you wouldn’t be seeing these honeypots.

Thanks for your replies.

What do you mean by: empty()
Can you give me an example using my current script, please?

Also, regarding “the honeypot is supposed to be invisible”,
as far as I can see it doesn’t appear in the Form.
So, how am I using it “the wrong way”?

I look forward to any additional help.

This:-
http://php.net/manual/en/function.empty.php


I was referring to the CSS. But it seems that collapse works. The next thing is what @chorn and @SamA74 were talking about. You have to make sure that the text field isn’t empty. If it isn’t empty, then a bot submitted something to it. This is where you can do extra work.
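One way to apply the empty-honeypot check to the submit.php from the first post, as an added example that is not code from any poster in this thread: it drops any submission where the hidden zip field has a value, validates the email, and keeps user input out of the mail headers. The recipient address and the helper names are assumptions, and it keeps mail() (with array headers) rather than the PHPMailer or Swiftmailer wrappers recommended above.

```php
<?php
// Added example: RECIPIENT is a placeholder; the helper names are hypothetical.
const RECIPIENT = 'contact@example.com';

function text_field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

function evaluate_submission(array $post): array
{
    // Humans never see "zip", so any value at all marks a bot. A strict
    // comparison is used because empty('0') is true and would let "0" through.
    $zip = $post['zip'] ?? '';
    if (!is_string($zip) || trim($zip) !== '') {
        return ['action' => 'drop'];
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so the address is safe in a header.
    $email   = filter_var(text_field($post, 'email'), FILTER_VALIDATE_EMAIL);
    $message = text_field($post, 'message');
    if ($email === false || $message === '') {
        return ['action' => 'reject'];
    }
    // The name goes only into the body, with line breaks flattened.
    $name = preg_replace('/[\r\n]+/', ' ', text_field($post, 'name'));
    return [
        'action'  => 'send',
        'body'    => $message . "\r\n\r\n" . $name,
        'headers' => ['From' => RECIPIENT, 'Reply-To' => $email],
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions, for running the example offline.
    $samples = [
        'hidden field filled' => ['name' => 'x', 'email' => 'a@example.com', 'message' => 'hi', 'zip' => 'hello'],
        'line break in email' => ['name' => 'x', 'email' => "a@example.com\r\nX-Test: 1", 'message' => 'hi', 'zip' => ''],
        'legitimate visitor'  => ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hello', 'zip' => ''],
    ];
    foreach ($samples as $label => $post) {
        echo $label, ': ', evaluate_submission($post)['action'], PHP_EOL;
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = evaluate_submission($_POST);
    if ($result['action'] === 'send') {
        mail(RECIPIENT, 'ContactForm', $result['body'], $result['headers']); // array headers: PHP 7.2+
    }
}
```

Run from the command line, it prints the decision for each constructed submission; served as submit.php, it handles the POST from the form.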
