Contact form spam

debbidoo · Jan 5, 2010

I'm seeing increased spam on this particular contact form on my website (I'm not including the link for advertising purposes - just so that someone in the know can rummage through the code and help me!)

This is the sort of spam I'm getting (I've added spaces to break the links - wouldn't want to give the feckers free advertising):

awagvkgkbm
Your organisation WwBwhkaEFSd
Your number 85632
Details fl6a1K <a href="http://smacddoytmpg.com/">smacddoytmpg</a>, mtznghizjekv, [link= http:// kqelteakmqnc.com/]kqelteakmqnc[/link], http:// orkpzcrfolsn.com/

Bearing in mind the type of coding I've used for the form, can anyone suggest a relatively easy-to-install solution/deterrent?

Thanks in advance

fisicx · Jan 5, 2010

Add a maths question such as: "what is 5+9?"

When you validate the form is checks to see if the answer is 14. If not then rejection.

You can also validate the fields and if there are any iffy charcters again rejection.

Example here: http://www.aerin.co.uk/contactform/index.php

Try entering anything except letters in the name field or numbers in the telephone field and you get an error message.

debbidoo · Jan 5, 2010

Cheers Graham

How do I implement that in the php code though? That's the bit I really need help with - at the moment it's very, very basic...

Thanks

Kev Jaques · Jan 5, 2010

It's the old "do not trust user input"!
You need to sanitize the details entered, make sure xss and sql injection issues are taken care of as best possible. (possibly also stripping any html tags depending on your depth of paranoia

)
Also look at adding a captcha of some sort, although that won't stop the spam. You will still get some even putting those measures in.

debbidoo · Jan 5, 2010

Kev Jaques said:
It's the old "do not trust user input"!
You need to sanitize the details entered, make sure xss and sql injection issues are taken care of as best possible. (possibly also stripping any html tags depending on your depth of paranoia )

Lol - way to confuse a blonde, Kev! Now say that in English?

fisicx · Jan 5, 2010

As kev says it's not simples but it is necessary.

If you want the code from the example form I use I can send it to you. The code looks horrific but it is very stable and does work.

debbidoo · Jan 5, 2010

cheers Graham, that'd be fab. Reading code doesn't frighten me too much - I'll PM my email address to you.

Thanks again, angel

Peter Bowen · Jan 5, 2010

There is a way that's less hostile to your customers. I've used this on about 40 forms in the last few months and haven't had a single spam submission yet. It's not 100% bulletproof but for now it works well enough against automated form filling bots.

Put a couple of text fields in a hidden div in the form. If these fields are filled out then you know it's a spam submission. Just have your form processing script check for these fields before carrying on.

Some thoughts on the subject of spam submissions:

http://sethgodin.typepad.com/seths_blog/2009/10/promiscuous-dispersal-of-your-email-address.html

debbidoo · Jan 5, 2010

Thanks Peter

Sounds like I need to spend some time brushing up my (lamentable) PHP skills...

edmondscommerce · Jan 5, 2010

i filter anything with http:// in there on my contact form..

maybe not the most elegant solution but it works 100%

like the hidden fields idea though

Peter Bowen · Jan 5, 2010

Here's how to do it:

In your form (somewhere between <form method=POST action=> and </form>): Put this bit of html:

<div style='display: none;'><input type=text name=text1><input type=text name=text2></div>

In the php script that processes the form: Put this bit of PHP near the top (just after the opening <?php tag is probably fine):

if($_POST['text1'] != ''OR $_POST['text1'] != ''){die();}

J-Wholesale · Jan 5, 2010

Peter has the best approach. I do this on all my sites and never get any spam. It wouldn't work for very popular sites, as spammers would make the extra effort required to circumvent the anti-spam measure, but for robots hitting your site alongside 1000 others, it should work without problems.

bdw · Jan 6, 2010

I use the human test method of asking a simple question and validating the answer. I have found this to be very effective. I get the odd spam submission that is submitted manually but it has stopped all of the automatic submissions.

Debbidoo there is a low cost form wizard construction tool available which allows validation and more. It's well worth the money - Google tools4php.

3cellhosting · Jan 6, 2010

Hi all,

I have a developer account with http://recaptcha.net/ , which is free and I use this on most of my forms.

One thing to bear in mind is that in Eastern Bloc countries and places like India, labour is so cheap they pay people to manually complete forms so you will always get some spam filtering through.

Hope this helps

David

bdw · Jan 6, 2010

Isn't the problem with Recaptcha that some of their images are barely decipherable? I have found that I get angry when I am faced with such a situation and it tends to make me reject the use of some forms.

I think it's easier to ask people to enter answers to unambiguous questions like "what is 5 + 9?" and "what colour is coal?" With CAPTCHA you have to strike some sort of a balance between effectiveness and ease of use.

3cellhosting · Jan 6, 2010

Hi bdw.

There are some words that I have found to be a bit fuzzy but in general they are better than they used to be.

Here is a screenshot of an actual recaptcha input...

If you cant read a combination you just use the refresh button.

It also has audio for partially sighted, which is a must with the current DDA (Disability Discrimantion Act).

With Joomla integration I get to set style etc. so long as I have my developer details for login.

Regards

David

fisicx · Jan 6, 2010

The problem with captcha is that it has been compromised. Google for 'captcha hacking' and you will see any number of the methods.

The hidden field method does work as do simple maths question or comparison question (is a mouse bigger than an elephant Y or N).

Nothing is foolproof but a few simple validation checks will strip out most of the spammers.

Peter Bowen · Jan 6, 2010

There is another problem with CAPTCHA. It's hostile to your customers. It's like putting up a barbed wire fence in front of your shop.

We should look at making it as smooth and easy as possible for people to do business with us - even if it means spending 5 minutes a day deleting spam.

edmondscommerce · Jan 6, 2010

recaptcha has not been compromised as far as I know other than the human intervention methods

debbidoo · Jan 7, 2010

Thanks very much to all of you for your input, and big thanks to Peter for explaining how to code it, and to Graham for sending me his code by email

I'm going to be doing a big redesign of my site in the next few weeks, and as I have more than one contact form on the site I may actually try all the 'fixes' suggested by you, and let you know which one worked best

Cheers guys

seiretto · Jan 7, 2010

its not just spam you must guard against when adding contact forms to your own site and those you design, but also you MUST ensure you CLEAN the user input. If you fail to then eventually a hacker/spammer or spambot will exploit your forms and send out thousands of emails without you knowing

Try "phpFormMailer" its a free script which checks and cleans user input.

Stan003 · Jan 10, 2010

Hi,

I have a few different forms that i have written in php that protect against sql injection strip tags etc and use captcha to minimise spam, if you want me to send you a script that you can use then drop me a message it isn't a big job and if you have any difficulties i have no problem with lending you a hand.

Thanks

Stan

MartCactus · Jan 10, 2010

debbidoo said:
Bearing in mind the type of coding I've used for the form, can anyone suggest a relatively easy-to-install solution/deterrent?

By the content of the spams it appears that the bots think your form is a comment form on a blog... they are trying to add their links to your blog.

Looking at your form you have fields named like "email", "yourname". We've found the bots that hit webforms look for fields with "email" in them, and other commonly used ones.

Rename them something like this

ngo5hsfoa

The bots then find the form, but it doesn't look like a blog comment form, so they skip it. We found by renaming form fields like this (which takes very little coding change) we all but eliminated the problem. It won't stop someone manually setting up a bot to hit your site, but stops the vast majority that are robotic.

Brightpearl · Jan 10, 2010

Depending on what you want the contact form to do, it may even be worth embedding a Pearl smartform, which is anti-spam out of the box, and you can also add a Captcha if you really want to.

One solution I have heard works very well to prevent automated submissions is to have a hidden field, designed to have no content. If there is content in the field, then a bot is running your form. Simple but effective!

Chris

alpha7158 · Jan 10, 2010

3cellhosting said:
Hi all,

I have a developer account with http://recaptcha.net/ , which is free and I use this on most of my forms.

One thing to bear in mind is that in Eastern Bloc countries and places like India, labour is so cheap they pay people to manually complete forms so you will always get some spam filtering through.

Hope this helps

David

Yes! this is the way forward. Digitising books was a great innovation with this.

Cookie Consent

Essential

Analytics

Marketing

Contact form spam

Kev Jaques

bdw

bdw

seiretto

Stan003