best way to prevent form spam?

Status
Not open for further replies.

mike82
New member
Mar 3, 2007
What's the best way to prevent spammers from filling crap into my forms without annoying my visitors?
 


Captchas,

Math questions (I like those personally), for example: What is 2 + 2? Bots will get stuck on that.

Comment moderation - not the best route on comment heavy site.
 
Fuck, I thought you said FORUM not form.

If you do use captchas, make sure you're not using the 'default' fonts. Either use or implement badbehavior; that alone will get rid of a lot of the misconfigured bots.
 
Seocracy is right, although it does not matter if it renders or not. Bots will read the HTML, not the CSS, and will just fill it out because it's a form input. If you get something from a field that should be blank or should have a certain value, then you know something is off. I would recommend naming your fields with uncommon names and then hiding fields with common names like email, from, and subject. This will undoubtedly throw the bots' intelligence off and make it easy to trap.

You can also set a cookie on the form page that is passed to the (POST) submit page. If the form and the cookie don't check out then you know something is off. This way the visitor must load your form page and pass the cookie or it will not sync up. This is similar to the captcha, but more client-side. Only smart bots would pull this off and you wouldn't have to burden your visitors with a captcha.
 
The downside of that technique is those autofill plugins, so make sure it's not something like "email" but something random instead.
 
Might I suggest a radically different approach to form spam?

Set up a text field (call it email2 or something) and using CSS, make it invisible to the reader's eye (do not use display:none, as this won't make it render...use z-index and absolute positioning)

What will happen is your visitors will use the form like normal, but a spam-bot abusing the form will fill in the invisible field....so you just have to write a script that detects when the invisible field has a value, and when it does, it rejects the form input because it knows it's not a human...

I'm sure bots can get past that with ease...
 
I posted this on a previous thread.

One thing I do, I think I saw it on Schiflett or something is this (you have to use sessions). This passes a random token with the form and through sessions to your form processing script and verifies they are the same. This makes it pretty certain the form was submitted from your site. Someone could still sit there and spam manually of course, but that would likely be quite limited.

In the page with your form use these lines, assuming sessions are active.

Code:
 <?php
// Assumes session_start() has already been called on this page.
$token = md5(uniqid(rand(), TRUE)); // random token for this page load
$_SESSION['token'] = $token;        // kept server-side so the POST handler can compare it
?>
In your form use (in PHP, because of the variable)

Code:
 <?php // the hidden field carries the same token back with the POST
 echo "<input type='hidden' name='token' value='$token' />"; ?>
Then in the script that processes and validates your form use this.

Code:
 // Reject the POST unless it carries the token stored in this session
 // (isset() avoids undefined-index notices when either side is missing).
 if (!isset($_POST['token'], $_SESSION['token']) || $_POST['token'] !== $_SESSION['token']) {
  echo "Get lost mofo!";
  exit;
 }
You must check all form data to make sure it is something you want and not bcc:, etc. Validate all email addresses, and strip all unwanted characters, don't forget stuff like 0x, base64, content-type:, etc.

You can also pass a time stamp and check it in the processing to make sure the form was submitted within xx minutes of the form being loaded.
 
You can also pass each value into a validation(String input) method to check for HTML and SQL tokens (and e-mail tokens like to: from: bcc:). Assuming you aren't looking for that stuff in any of the form fields, you can just bail out as soon as you detect any of it.
 
Using just a token still makes you vulnerable, although it takes an extra step.

The spammer should simply request form.php first (which sets the token) and then process.php. It's a good extra step though, so use it.

As stevenhsn said, I always block posts and stuff like that.
 
captchas are as good as useless

those math questions are even more useless (adopt them please) :xomunch:
 
I found most of the annoying bots were trying to inject mime headers / bcc CR,LF into fields where a normal message would not have them. So I check for that and chuck it away if it exists.

Now I only get very occasional form spam to me, rather than form spam that is intended to find a way to email spam.

Crispin
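Putting the session token, the load timestamp, the hidden honeypot field and the CR/LF header check from this thread together in one handler, as an added example that is not code posted by anyone in the thread; the field names token, loaded_at and website_url are assumptions for the example:

```php
<?php
// Added example (not from the thread): one handler combining the session token,
// a load timestamp, a hidden honeypot field and a CR/LF mail-header check.
// Field names (token, loaded_at, website_url) are assumptions for this example.
session_start();

// Call this on the page that renders the form; it returns the hidden inputs.
function spam_guard_fields(): string {
    $token = bin2hex(random_bytes(16));          // CSPRNG instead of md5(uniqid(rand()))
    $_SESSION['token']     = $token;
    $_SESSION['loaded_at'] = time();
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    // website_url is the honeypot: moved off-screen with positioning, not display:none,
    // so a bot that parses the HTML still sees an ordinary text input.
    return "<input type='hidden' name='token' value='$t' />\n"
         . "<div style='position:absolute;left:-9999px;'>"
         . "<input type='text' name='website_url' autocomplete='off' /></div>\n";
}

// True when a single-line field carries a line break (raw or URL-encoded) or a
// mail header, which a normal name/email/subject value never contains.
function looks_like_header_injection(string $value): bool {
    return preg_match('/\r|\n|%0[ad]|\b(bcc|cc|content-type|mime-version):/i', $value) === 1;
}

// Returns null when the submission passes, otherwise the reason it was rejected.
function spam_guard_check(array $post, array $session, int $now, int $max_age = 1800): ?string {
    if (!isset($post['token'], $session['token'])
        || !hash_equals($session['token'], (string)$post['token'])) {
        return 'token mismatch';            // form page was never loaded in this session
    }
    if (!isset($session['loaded_at']) || $now - (int)$session['loaded_at'] > $max_age) {
        return 'form expired';              // submitted too long after the form was loaded
    }
    if (!empty($post['website_url'])) {
        return 'honeypot filled';           // a human never sees this field
    }
    foreach (['name', 'email', 'subject'] as $field) {
        if (isset($post[$field]) && looks_like_header_injection((string)$post[$field])) {
            return "header injection in $field";
        }
    }
    return null;
}

// On the processing page:
//   $why = spam_guard_check($_POST, $_SESSION, time());
//   if ($why !== null) { http_response_code(400); exit; }
```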
 
I'm not a programmer, so I can't offer an explanation on how it's done - but I made sure to request disabling of any and all links/scripts/etc in any comments on my site. Might not stop a bot from posting something, but at least it won't be clickable, or do some sort of redirect, etc to my pages...
 