You mean something trivially simple for the spammer to use instead.
@felgall @Mittineague and I have already come to the conclusion that the form needs a protection layer. By just allowing them to submit freely, you allow the user to spam your website with massive amounts of data without stopping. Imagine a regular computer submitting at half a second per request. Now imagine that with your form. The people you host your website with will most likely suspend your website due to high volume.
I can tell you how honeypot and flood-protection works.
Starting with honeypot. It's a hidden field that traps mainly bots and stupid people who want to modify page elements using tools like Firefox's Inspect Element tool.
So what is it exactly, do you ask? It's just a regular field that is hidden from regular users. Thinking like a bot, they can only see web forms. They ignore CSS and Javascript. Basically, all they see is a big blank white page with a bunch of yummy forms to submit. While they start submitting every form known to them on that page, they don't recognize that one of the fields is a honeypot. Once they submit the form and it gets processed by PHP, you can validate whether or not the honeypot field was empty. If it wasn't empty, that means the submitter is attempting to submit everything on the page, which also means that they are most likely a bot. Once you detect that they are a bot, you can give them a Captcha to solve like "What is 2 + 2 = ?".
Next, for the flood-protection, you need to determine how many seconds you want until the user can submit the same form again. A good length would be 10 seconds to 20 seconds. This forces the user to wait for that amount of time. Even if they have the fastest and most powerful super computer, they still have to wait.
So what you do is you check to see if the session for that flood-protection exists. If it exists, check to see if the time has passed your desired seconds. If it hasn't, redirect them back to the form page and tell them that they need to be patient and wait. If the time has passed, unset the session and allow them to process what they have submitted.
Now, on the actual HTML form page, check to see if the session for the flood-protection exists. If it does, again check to see if the time has passed. If not, don't give them the form to use. Give them the same page, but with a warning telling them they have to wait. Once the time has passed, they are given the form.
This will reduce the amount of spam one will receive if one just allows users to freely submit the form.
Measure the time from when the user requests the page with the form on it to when the form is submitted. If the time is less than a certain amount then you can be reasonably certain that it's a spam bot, so serve them a generic error message.
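The honeypot and flood-protection procedure from the post above, together with the minimum-fill-time check in this reply, combined in one added example (my code, not anything posted in the thread). It assumes a hidden field named `website`, session keys `form_rendered_at` / `last_submit_at`, and takes the clock as a parameter so it can be exercised without a web server; in a real page you would pass `$_SESSION` and `time()`.

```php
<?php
// Added example, not from the thread. Field/session names are assumptions.
const HONEYPOT_FIELD = 'website';   // hidden from humans via CSS, bots fill it anyway
const FLOOD_WAIT_SECONDS = 15;      // 10-20 s, as suggested in the thread
const MIN_FILL_SECONDS = 3;         // submitted faster than this: almost certainly a bot

// Call when rendering the form: remember when it was served to this session.
function form_rendered(array &$session, int $now): void {
    $session['form_rendered_at'] = $now;
}

// Returns null when the submission may be processed, otherwise a reject reason.
function reject_reason(array $post, array &$session, int $now): ?string {
    // 1. Honeypot: a real user never sees the field, so it must stay empty.
    if (!empty($post[HONEYPOT_FIELD])) {
        return 'honeypot';
    }
    // 2. Flood protection: the same session must wait between submissions.
    if (isset($session['last_submit_at'])) {
        $remaining = FLOOD_WAIT_SECONDS - ($now - $session['last_submit_at']);
        if ($remaining > 0) {
            return "wait {$remaining}s";
        }
        unset($session['last_submit_at']);   // waiting period is over
    }
    // 3. Fill time: reject if the form came back faster than a human can type.
    if (!isset($session['form_rendered_at'])
        || $now - $session['form_rendered_at'] < MIN_FILL_SECONDS) {
        return 'too fast';
    }
    // Accepted: start the flood-protection timer for this session.
    $session['last_submit_at'] = $now;
    unset($session['form_rendered_at']);
    return null;
}

// Constructed walk-through with a fake clock (seconds).
$session = [];
form_rendered($session, 1000);
assert(reject_reason(['name' => 'a', HONEYPOT_FIELD => 'x'], $session, 1010) === 'honeypot');
assert(reject_reason(['name' => 'a'], $session, 1001) === 'too fast');   // 1 s after render
assert(reject_reason(['name' => 'a'], $session, 1010) === null);         // accepted
form_rendered($session, 1011);
assert(reject_reason(['name' => 'a'], $session, 1015) === 'wait 10s');   // 5 s after accept
assert(reject_reason(['name' => 'a'], $session, 1030) === null);         // wait over, 19 s fill
```

The form page itself can call `reject_reason` with an empty `$post` to decide whether to show the form or the "please wait" message the post describes.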
Not really, spamming via contact forms is way more effective than via direct email addresses, everybody uses Google Apps / Office 360 / Barracuda nowadays.
But since the form notification is already whitelisted it always hits the victim's inbox.
They do???
No, it isn't - to send spam via the form they need to somehow bypass all the spam protection you build into the form. They also have to continue sending via the form.
Once they get an email address they can spam it from anywhere and then you are relying on the spam protection of your email program to detect it where most of the spam entered in the form will not even get sent.
@Nightwing You can use Google's new reCaptcha for making your contact form more secure. Here I will post the code, and if you have any doubts related to that just refer to the reference page.
Simple HTML form:
<!DOCTYPE html>
<html>
<head>
  <title>Recaptcha Verification Text</title>
  <!-- the widget script belongs in the head (or before </body>), not between head and body -->
  <script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head>
<body>
  <form action="action.php" method="POST">
    <label>Name : <input type="text" name="name"></label>
    <br>
    <label>Gmail : <input type="text" name="gmail"></label>
    <br>
    <!-- the widget adds a hidden g-recaptcha-response field to the POST -->
    <div class="g-recaptcha" data-sitekey="YOUR SITE KEY HERE"></div>
    <input type="submit" value="Submit" name="submit">
  </form>
</body>
</html>
PHP script (action.php) for Google reCaptcha:
<?php
// recaptchalib.php is not needed: the token is verified directly against the siteverify endpoint below.
// The token the widget adds to the POST; empty string if the box was not ticked.
$captcha = isset($_POST['g-recaptcha-response']) ? $_POST['g-recaptcha-response'] : '';
if ($captcha === '') {
    echo '<h2>Please check the captcha form.</h2>';
    exit;
}
// Verify the token server-side; the secret key never leaves the server.
$verifyUrl = 'https://www.google.com/recaptcha/api/siteverify'
    . '?secret=' . urlencode('YOUR SECRET KEY HERE')
    . '&response=' . urlencode($captcha)
    . '&remoteip=' . urlencode($_SERVER['REMOTE_ADDR']);
$response = json_decode(file_get_contents($verifyUrl), true);
if (empty($response['success'])) {
    echo '<h2>You are a Robot</h2>';
} else {
    // Escape user input before echoing it back, otherwise the page is open to XSS.
    $name  = htmlspecialchars(isset($_POST['name']) ? $_POST['name'] : '', ENT_QUOTES, 'UTF-8');
    $gmail = htmlspecialchars(isset($_POST['gmail']) ? $_POST['gmail'] : '', ENT_QUOTES, 'UTF-8');
    echo 'Your Name Is : ' . $name;
    echo '<br>';
    echo 'Your Email Address Is : ' . $gmail;
}
?>
Tutorial reference: Google reCaptcha Captcha Configuring Using PHP
No, Google's reCaptcha no Captcha is not secure. Read the article I posted on post #4.
http://www.shieldsquare.com/sorry-google-captcha-recaptcha-doesnt-stop-bots/
Also, I have seen these things happen with my own eyes. The minute someone says "Google's reCaptcha no Captcha is the best. It can stop spam bots." Then poof. Their website or the website they are praising Google's reCaptcha on gets spammed with spam bots.
I remember that day exactly. I was on the computer surfing through this 3rd party forum platform. I was telling them that they should implement honeypot because Captchas just won't cut it. The topic starter started saying that ever since they had Google's captcha on their website, they never got any spam at all. And I told them that's because their website has low visitors. Then they were praising Google's captcha like it was a god. Next thing you know, a new topic emerged from a random user. Guess what the topic was about?
Selling viagra and saying something about visiting some sort of spammed-out website.
So I decided to go look at the 3rd party forum platform website's sign up page. Lo and behold, they have the new Google reCaptcha no Captcha implemented. So please tell me: if Google reCaptcha no Captcha is so secure, then how did that spam bot get into that website and start posting stuff about viagra?
A honeypot IS a CAPTCHA so that statement is self contradictory.
Image captchas are just about useless (except the recaptcha one that is attempting to decode the parts of books that the OCR couldn't read properly and which has nothing whatever to do with form security). Other types of CAPTCHA do a far superior job of distinguishing between people and bots.
The most effective CAPTCHA is to use a password. As each individual real person is the only one to know their password they are the only one who can enter the correct value in that field in the form. Of course you then have to ensure that bots can't obtain passwords.
Thank you everyone for all efforts here
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.