Tell A Friend Spam

My web hosting provider has advised me that my “Tell a Friend” form is being used to send out spam. I have temporarily removed the page while I work out how best to resolve the situation.

Ideas that have occurred to me are to add a CAPTCHA to the form and to log IP addresses and limit the number of emails that can be sent from the same IP. Neither of those really addresses the issue of preventing the form from being misused, but they do limit the damage.

Does anyone have any alternative suggestions on an approach I could take?

As cranial-bore states, JS can be very handy. Use it to create a hidden input for your form, say has_js for example.

This, along with a form creation timestamp to compare the time it took for the ‘user’ to fill in the form should suffice.

Something along the lines of:-


<?php
# Define a tolerance in seconds. A browser that ran our JS (and so sent has_js)
# is allowed to submit a little sooner than one that did not.
$tolerance = isset($_POST['has_js']) ? 3 : 5;

# 'timestamp' is a hidden field the server filled with time() when it built the form.
# A missing field is treated as an instant submission, so it fails the check too.
$submitted = isset($_POST['timestamp']) ? (int) $_POST['timestamp'] : time();

if ((time() - $submitted) <= $tolerance) {
    # Too fast to be a person: stop here instead of sending the mail.
    exit;
}
?>

If the user has JS, we allow them to submit the form a little faster. We’re assuming that most bots would pretty much submit the form straight away.

It would require tweaking, but allows graceful degradation.

Thanks for the ideas. I’m sure I can come up with something that combines at least some of those features to fix things.

I assume we’re not talking about header injection where the spammers are able to do a mass mailing with a single form submission, and insert their own body text?

So I assume each form submission can only send to one recipient, and the spammers are doing multiple submissions and using a comments field to set their message. If that’s true you may be able to reduce the motivation by not allowing custom comments to go in the message body (just sender name so legit users of the form can identify themselves to their friend).

Otherwise you can check bot clues like:

  • measuring how long between page load and form submission (real users shouldn’t submit 2 seconds after requesting the page)
  • testing if invisible fields are filled out
  • testing if JavaScript is executed (use JS to add a field to the form)*
  • asking text-based logic questions (how many legs does a dog have)

I think you’ll have a better idea of the solution if you know the nature of your spam. Perhaps try turning it back on, and logging all the submissions instead of sending them so you can see what you’re up against.

* JS execution is a clue only. If parsed it’s more likely the user is real. If not it’s less likely they are real. You can use this to modify a spam-score rather than as definitive evidence.
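As an added example, not posted by anyone in this thread, here is one way to combine the timestamp/has_js check from the earlier reply with the bot clues listed in this one and the header-injection point raised above, written in PHP like the original snippet. Everything in it is an assumption for illustration: the field names (timestamp, sig, website, has_js, dog_legs, friend_email, sender_name), the functions renderHiddenFields() and scoreSubmission(), the secret key, and the weights. One thing it adds beyond the thread is an HMAC over the timestamp, since a bare timestamp in a hidden field can be backdated by whoever posts the form; the spam-score idea (clues adjust a score rather than deciding outright) follows the footnote above.

```php
<?php
// Added example (not from the thread). Server-side spam scoring for a tell-a-friend form.
// Hypothetical field names, function names and weights throughout; $secret is a
// server-only random key and must never reach the client.
declare(strict_types=1);

// Hidden fields emitted into the form. The timestamp is signed so a bot cannot
// backdate it; the 'website' honeypot is hidden and must stay empty; 'has_js' is
// appended by script, so it is only present when JavaScript actually ran.
function renderHiddenFields(string $secret): string
{
    $ts  = (string) time();
    $sig = hash_hmac('sha256', $ts, $secret);
    return '<input type="hidden" name="timestamp" value="' . htmlspecialchars($ts) . '">' . "\n"
         . '<input type="hidden" name="sig" value="' . htmlspecialchars($sig) . '">' . "\n"
         . '<input type="text" name="website" value="" style="display:none" tabindex="-1" autocomplete="off">' . "\n"
         . '<script>document.forms[0].insertAdjacentHTML("beforeend",'
         . ' \'<input type="hidden" name="has_js" value="1">\');</script>' . "\n";
}

// Returns [score, reasons]. Higher score means more bot-like; the caller picks a threshold.
function scoreSubmission(array $post, string $secret, int $now): array
{
    $score   = 0;
    $reasons = [];

    // 1. Timing. An unsigned or forged timestamp is rejected outright; otherwise
    //    compare elapsed time, allowing JS-capable browsers to be a little quicker.
    $ts  = (string) ($post['timestamp'] ?? '');
    $sig = (string) ($post['sig'] ?? '');
    if ($ts === '' || !hash_equals(hash_hmac('sha256', $ts, $secret), $sig)) {
        $score += 5;
        $reasons[] = 'missing or forged timestamp';
    } else {
        $elapsed   = $now - (int) $ts;
        $tolerance = isset($post['has_js']) ? 3 : 5;
        if ($elapsed <= $tolerance) {
            $score += 3;
            $reasons[] = "submitted {$elapsed}s after page load";
        }
        if ($elapsed > 3600) {
            $score += 2;
            $reasons[] = 'stale form (possible replay of an old signed timestamp)';
        }
    }

    // 2. Honeypot: a real user never sees the field, so any value is a bot signal.
    if (($post['website'] ?? '') !== '') {
        $score += 3;
        $reasons[] = 'honeypot field filled';
    }

    // 3. JavaScript: a clue only, so it carries a small weight.
    if (!isset($post['has_js'])) {
        $score += 1;
        $reasons[] = 'no JavaScript executed';
    }

    // 4. Text logic question ("how many legs does a dog have?").
    $answer = strtolower(trim((string) ($post['dog_legs'] ?? '')));
    if (!in_array($answer, ['4', 'four'], true)) {
        $score += 2;
        $reasons[] = 'logic question answered wrongly';
    }

    // 5. Header injection: anything that ends up in a mail header must be a single
    //    line. The recipient must also be one valid bare address, not a list.
    $to   = (string) ($post['friend_email'] ?? '');
    $name = (string) ($post['sender_name'] ?? '');
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $to)) {
        $score += 5;
        $reasons[] = 'invalid or multi-line recipient address';
    }
    if (preg_match('/[\r\n]/', $name)) {
        $score += 5;
        $reasons[] = 'newline in sender name';
    }

    return [$score, $reasons];
}

// Usage with constructed sample input: a bot posting one second after load, with the
// honeypot filled and a Bcc header smuggled into the recipient field.
$secret = 'replace-with-a-long-random-server-side-key';
$ts  = (string) (time() - 1);
$bot = [
    'timestamp'    => $ts,
    'sig'          => hash_hmac('sha256', $ts, $secret),
    'website'      => 'http://spam.example/',
    'dog_legs'     => '',
    'friend_email' => "friend@example.com\r\nBcc: victim@example.net",
    'sender_name'  => 'x',
];
[$score, $reasons] = scoreSubmission($bot, $secret, time());
if ($score >= 5) {
    // Log rather than send, as suggested above, so you can see what you are up against.
    error_log('tell-a-friend rejected, score ' . $score . ': ' . implode('; ', $reasons));
} else {
    // send the mail
}
```

Weights are deliberately arbitrary: tune them against the logged submissions rather than guessing, and keep the header checks (item 5) as hard rejects regardless of score, since a single newline in a header is enough to turn one submission into a mass mailing.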