
View Full Version : Spam on contact form



designedbyria
05-16-2011, 02:07 PM
Hi Guys,

I was hoping someone could help with this, our site is currently receiving no end of spam at the moment! I have very limited space to put a captcha code (and don't really know how these work) so have instead entered a form field...

what colour is an orange?

if the user enters orange then the form is sent; if not, a pop-up will open prompting the user to answer the question.

The problem is this simply does not work! Perhaps the bots can answer this question, but for whatever reason I need a really good way of blocking the spam.

Any suggestions?

Here is the code I'm using...


<form id="form1" name="form" method="post" action="form.php" onsubmit="return validateForm();">

<label>Name
<span class="small">Required</span>
</label>
<input type="text" name="name" id="name">

<label>Email
<span class="small">Required</span>
</label>
<input type="text" name="email" id="email">

<label>Phone Number<span class="small"> Required</span></label>
<input type="text" name="phone" id="phone">

<label>Enquiry <span class="small">Your message</span></label>
<textarea name="message" cols="4" rows="2" id="message"></textarea>

<label for="verify">What color is an orange? <span class="small">Required</span></label>
<input type="text" name="verify" id="verify" value="" size="22" tabindex="1" onchange="javascript:this.value=this.value.toLowerCase();" />

<button type="submit">Send message</button>

</form>

Many thanks in advance!

AndrewGSW
05-16-2011, 02:19 PM
A small point, but you could ask 'What colour is a lemon?' Ans: Yellow!

I don't know how these bot-things work but, I suppose, if the answer is within the client-side script then it might find it..? :confused:

If they're clever I suppose, also, that it could look for questions beginning 'What colour is..' and just guess a number of times.

bullant
05-16-2011, 02:21 PM
Imo question/answer type captchas are one of the weakest you can use because all a hacker has to do is continually load your form to eventually get all if not most of the questions and then program the bot to provide the correct answer depending on the question it gets.

Imo one of the better freebie, fairly easy to integrate captchas is reCaptcha (http://www.google.com/recaptcha).
I used it before building my own captcha.

But if you don't want to use a captcha, one thing you can do that should stop much of the spam is:

1) add an empty hidden input textbox in your form. Users won't see it but bots probably will and so will enter some string into it.

2) in your form processing script, first check if any data has been sent in the hidden text box. If it has then abort the rest of the processing of the server side script. If it is empty, then hopefully a human submitted the form.

As I said, this won't guarantee all spam will be blocked but it should block much of it.


designedbyria
05-16-2011, 02:23 PM
Hi Andrew,

That's what I was worrying about! These bots are clever, and although I don't have a clue how they work, I think they will find a way. Once they've found a site they know they can spam on they will keep doing it!

I like your suggestion about the lemon though, that makes much more sense! I will give that a go and also add a few invisible form fields, then somehow if these fields have been filled I will know it's a bot - just need to find a way of preventing the form from sending if this is the case...

I read about that somewhere...

designedbyria
05-16-2011, 02:27 PM
Bullant you read my mind! That's exactly what I'm gonna do! If that doesn't work I'll take a look at the reCaptcha suggested. I guess I'll just rejig the form in some way to allow for space if that happens. I don't like Captchas but if they work they work. I guess this will pretty much be trial and error...

oesxyl
05-16-2011, 02:40 PM
Hi Guys,

I was hoping someone could help with this, our site is currently receiving no end of spam at the moment! I have very limited space to put a captcha code (and don't really know how these work) so have instead entered a form field...

what colour is an orange?

if the user enters orange then the form is sent; if not, a pop-up will open prompting the user to answer the question.

The problem is this simply does not work! Perhaps the bots can answer this question, but for whatever reason I need a really good way of blocking the spam.

Any suggestions?

Here is the code I'm using...



Many thanks in advance!
if you validate data only using javascript and not on the server side, in form.php, there is no need to answer any question; they just send a post request to form.php with a little information extracted from your form.

best regards

bullant
05-16-2011, 03:12 PM
Bullant you read my mind! That's exactly what I'm gonna do! If that doesn't work I'll take a look at the reCaptcha suggested. I guess I'll just rejig the form in some way to allow for space if that happens. I don't like Captchas but if they work they work. I guess this will pretty much be trial and error...

no problem :)

Also, try to make the hidden input look as legitimate as possible in terms of the name you give it so that if a hacker looks at your html source, the purpose of the hidden input doesn't become obvious. And maybe use css to hide the input instead of using type="hidden"

designedbyria
05-16-2011, 04:19 PM
Right... I'm getting in a bit of a mess here, I have created an invisible form field using an online guide I found...


<form id="form" name="form" method="post" action="form.php">

    <label>First Name
        <span class="small">Required</span></label>
    <input name="first_name" type="text" id="first_name" />

    <label>Surname
        <span class="small">Required</span></label>
    <input name="last_name" type="text" id="last_name" />

    <label>Email<span class="small"> Required</span></label>
    <input name="email" type="text" id="email" />
    <label>Phone Number<span class="small"> Required</span></label>
    <input name="telephone" type="text" id="telephone" />
    <label>Enquiry<span class="small"> Required</span></label>
    <textarea name="comments" id="comments"></textarea>
    <!-- The following field is for robots only, invisible to humans: -->
    <p class="robotic" id="pot">
        <label>If you're human leave this blank:</label>
        <input name="emailconfirm" type="text" id="emailconfirm" class="robotest" />
    </p>
    <p>
        <input type="submit" value="Send Message" class="submit" />
    </p>
</form>

This works, as I can easily work out how to hide elements using CSS. I'm getting in a mess with the PHP. When filling out the form an error, "complete all fields", shows, and obviously this is not what we want. I have amended the original PHP file to this...


<?php
if(isset($_POST['email'])) {

    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to = "you@yourdomain.com";
    $email_subject = "Your email subject line";


    function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }

    // validation expected data exists
    if(!isset($_POST['first_name']) ||
       !isset($_POST['last_name']) ||
       !isset($_POST['email']) ||
       !isset($_POST['telephone']) ||
       !isset($_POST['comments'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }

    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $comments = $_POST['comments']; // required
    $email_message .= "First Name: ".($first_name)."\n";
    $email_message .= "Last Name: ".($last_name)."\n";
    $email_message .= "Email: ".($email_from)."\n";
    $email_message .= "Telephone: ".($telephone)."\n";
    $email_message .= "Comments: ".($comments)."\n";
    $robotest = $_POST['emailconfirm'];
    if($robotest)
        $error = "There has been an error, please try again.";
    else{
        if($from_name && $from_email && $message){
            $header = "From: $from_name <$from_email>";
            if(mail($to, $subject, $message, $header))
                $success = "Thank you for contacting our Bristol office, your message has sent!";
            else
                $error = "Sorry there was a problem sending the e-mail. Please try again.";
        }else
            $error = "All fields are required.";
    }
    if($error)
        echo '<div class="msg error">'.$error.'</div>';
    elseif($success)
        echo '<div class="msg success">'.$success.'</div>';
}
?>


I know it's a tall order but if any one can spot my mistake(s) that would be an enormous help! I've been looking at it for so long now and getting nowhere! If anything I'm making things worse!

Thanks!

designedbyria
05-16-2011, 04:57 PM
I've sorted it out now :) I made that harder than it needed to be! Thanks for all your help!

oesxyl
05-16-2011, 05:27 PM
I've sorted it out now :) I made that harder than it needed to be! Thanks for all your help!
no, it is not harder at all, it is useless and you didn't solve the problem because the validation in form.php is missing. A simple post request to your form.php with all names of the form filled, including the 'invisible' one, will pass and you will get a mail.
to make one thing clear, the bots usually don't use your form to submit data but jump directly to the script from the action attribute of your form

best regards

bullant
05-17-2011, 12:56 AM
no, it is not harder at all, it is useless

No it's not useless at all. If the hidden input has been filled in then you know it was filled in by a bot. If it is empty, then the form is more likely to have been submitted by a human.

The server side script needs to validate all incoming data whether it came from an associated input form or not.

From earlier


But if you don't want to use a captcha, one thing you can do that should stop much of the spam is:

1) add an empty hidden input textbox in your form. Users won't see it but bots probably will and so will enter some string into it.

2) in your form processing script, first check if any data has been sent in the hidden text box. If it has then abort the rest of the processing of the server side script. If it is empty, then hopefully a human submitted the form.

As I said, this won't guarantee all spam will be blocked but it should block much of it

bullant
05-17-2011, 01:08 AM
I've sorted it out now :) I made that harder than it needed to be! Thanks for all your help!

You're welcome :), but I have a few concerns about your code.


<label>If you're human leave this blank:</label>
<input name="emailconfirm" type="text" id="emailconfirm" class="robotest" />

I'm not sure why you need the label at all. It provides hackers with a clue that you might have hidden fields in your form.

I would have an email confirm input as part of the normal form to make users confirm their email address.

I wouldn't name any inputs with names like "robotest" which essentially tell hackers that input's purpose is to try to stop spam. Use names that appear to be related to the rest of the form.



$robotest = $_POST['emailconfirm'];
if($robotest)

This code only checks for the existence of $robotest and not if there is something entered in it. Even if it is empty, as would be the case when a human submits the form, the test condition will evaluate to true. You can use empty() to check if a bot entered anything into the hidden input.
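One way to put bullant's two honeypot steps, the empty() check above, and the server-side validation oesxyl insists on into form.php, as an added example that is not code from this thread. The field names (name, email, message), a CSS-hidden field called website, the placeholder recipient address and the single-file layout are assumptions:

```php
<?php
// Added example, not code from this thread: a form.php that applies bullant's
// honeypot check and the server-side validation oesxyl asked for. The field
// names, the hidden field "website" and the recipient address are assumptions.
$to      = 'you@example.com';                 // placeholder recipient
$subject = 'Contact form submission';

function validate_contact(array $post): array
{
    $errors = [];
    // 1) Honeypot: "website" is hidden with CSS, so a person leaves it empty.
    //    empty() is true for "" and for a missing key, as bullant suggested.
    if (!empty($post['website'])) {
        $errors[] = 'Submission rejected.';
        return $errors;                       // abort before any mail is built
    }

    // 2) Required fields must exist, be plain strings and be non-blank;
    //    isset() alone lets "" through, which is what bullant warned about.
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "The $field field is required.";
        }
    }

    // 3) The address is placed in the From: header, so it must be one valid
    //    mailbox; FILTER_VALIDATE_EMAIL rejects line breaks and other characters
    //    that do not belong in an address.
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {  // bots post here directly, so every check lives here
    $errors = validate_contact($_POST);
    if ($errors) {
        foreach ($errors as $e) {
            echo '<div class="msg error">' . htmlspecialchars($e) . '</div>';
        }
        exit;
    }
    $name    = str_replace(["\r", "\n"], ' ', trim($_POST['name']));  // keep the name on one header line
    $body    = "Name: $name\nEmail: {$_POST['email']}\n\n" . $_POST['message'];
    $headers = "From: $name <{$_POST['email']}>";
    if (mail($to, $subject, $body, $headers)) {
        echo '<div class="msg success">Your message was sent!</div>';
    } else {
        echo '<div class="msg error">There was a problem sending your message.</div>';
    }
}
```

The matching markup in the form would be a text input named website, with autocomplete="off", inside a container hidden by CSS, as bullant recommends over type="hidden".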

SKY-ProToSs
05-17-2011, 02:34 AM
Every time the user submits you want to run a function that adds the value 1 to a variable. In the if statement to process the form, you want to have the if say if ($variable = 0) {

Then you could just have a 30 second timer to set it back from 1 to 0.

You could also store a cookie and use it as identification, or use sessions.

That way if he submits, it creates a cookie using his data and then you can check for the cookie. The javascript method works too, but you have to run both the java file and the php file for the same form.

Java would look like this:




var $ = function (id) {
    return document.getElementById(id);
};

var timer = 0;   // 1 while a recent submit is still being blocked
var timer2 = 0;  // seconds counted since that submit

var addtotimer = function () {
    if (timer == 1) {
        alert("You cannot click twice!");
        window.location.href = "theform.php"; // location is a property, not a function
        return false;                         // cancel this second submit
    }

    if (timer == 0) {
        timer = timer + 1;
    }

    // count seconds; after 30 of them allow submitting again
    timer2 = 0;
    var tick = setInterval(function () {      // was a nested function named "timer", which shadowed the flag above
        timer2 = timer2 + 1;
        if (timer2 == 30) {
            timer = 0;
            clearInterval(tick);
        }
    }, 1000);
};

window.onload = function () {
    // the submit button must have id="submit" for this to attach
    $("submit").onclick = addtotimer;
};



I think you should just make it for logged in users :/
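The same 30-second cooldown done on the server with the PHP session, as an added example that is not code from this thread; the cooldown length, the session key name and the 429 response are assumptions:

```php
<?php
// Added example, not from the thread: the 30-second cooldown suggested above,
// kept in the PHP session so it does not depend on the client running JavaScript.
// The cooldown length and the session key name are assumptions.
session_start();

const COOLDOWN_SECONDS = 30;

// Returns true and records the time when a submit is allowed, false when the
// previous submit from this session was less than $cooldown seconds ago.
function submission_allowed(array &$session, int $now, int $cooldown = COOLDOWN_SECONDS): bool
{
    $last = $session['last_submit'] ?? 0;
    if ($now - $last < $cooldown) {
        return false;
    }
    $session['last_submit'] = $now;
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!submission_allowed($_SESSION, time())) {
        http_response_code(429);            // Too Many Requests
        echo '<div class="msg error">Please wait 30 seconds before sending again.</div>';
        exit;
    }
    // the honeypot check, field validation and mail() follow here
}
```

Only a client that keeps its session cookie is throttled, so this complements the honeypot and server-side validation rather than replacing them.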

designedbyria
05-17-2011, 05:28 PM
Wow, and I thought it was sorted! Thank you all for your comments, but now if I'm 100% honest I'm completely confused...

I changed the code from what I last posted – here is the code for the form...


<div id="stylized" class="myform">
<form id="form" name="form" method="post" action="form.php">
<label>Name</label>
<input name="name" type="text" id="name" />

<label>Email</label>
<input name="email" type="text" id="email" />

<label>Telephone Number</label>
<input name="number" type="text" id="number" />
<label>Message</label>
<textarea name="message" rows="2" id="message"></textarea>
<!-- The following field is for robots only, invisible to humans: -->
<p class="robotic" id="pot">
<label>If you're human leave this blank:</label>
<input name="robotest" type="text" id="robotest" class="robotest" />
</p>
<input type="submit" value="Send Message" class="submit" />
</form>
</div>

and this is the PHP...


<?php
if($_POST){
    $to = 'email@here.co.uk';
    $subject = 'Bristol Contact Form Submission';
    $from_name = $_POST['name'];
    $from_email = $_POST['email'];
    $message = "MESSAGE".$message."\nNUMBER".$number."\n";

    $from_phone = $_POST['phone'];
    $robotest = $_POST['robotest'];
    if($robotest)
        $error = "Sorry there has been an error.";
    else{
        if($from_name && $from_email && $message){
            $header = "From: $from_name <$from_email>";
            if(mail($to, $subject, $message, $header))
                $success = "Your message was sent!";
            else
                $error = "There was a problem sending your message. Please try again.";
        }else
            $error = "All fields are required.";
    }
    if($error)
        echo '<div class="msg error">'.$error.'</div>';
    elseif($success)
        echo '<div class="msg success">'.$success.'</div>';
}
?>

Right now I'm going to take your advice and change the form label and tags etc. Probably to something like "confirm" I guess?

How would I add validation in the php? or is this not needed?

Sorry very confused...

bullant
05-18-2011, 01:05 AM
Like I said before



I'm not sure why you need the label at all. It provides hackers with a clue that you might have hidden fields in your form.
...
...
I wouldn't name any inputs with names like "robotest" which essentially tell hackers that input's purpose is to try to stop spam. Use names that appear to be related to the rest of the form.

With


<label>If you're human leave this blank:</label>
<input name="robotest" type="text" id="robotest" class="robotest" />

imo you are wasting your time trying to stop spam because if I was a hacker I would see what you are doing by simply viewing your page source. I don't see any point in playing with this code until you change the above in your code.

Regarding


How would I add validation in the php? or is this not needed?

I'm surprised you ask that because it shows you haven't read the previous posts where oesxyl and I both say server side (php) validation is required and I suggested one way of doing it earlier.

designedbyria
05-18-2011, 10:09 AM
Sorry bullant, I did read all of the posts, just got myself rather confused! I have removed the labels and changed the input name, id and class. I have used confirm as hopefully people's browsers will not auto-fill this!

I'm still confused by the server side validation. I thought I had fixed that?


<?php
if($_POST){
    $to = 'email@test.com';
    $subject = 'Bristol Contact Form Submission';
    $from_name = $_POST['name'];
    $from_email = $_POST['email'];
    $message = "MESSAGE".$message."\nNUMBER".$number."\n";

    $from_phone = $_POST['phone'];
    $confirm = $_POST['confirm'];
    if($confirm)
        $error = "Sorry there has been an error.";
    else{
        if($from_name && $from_email && $message){
            $header = "From: $from_name <$from_email>";
            if(mail($to, $subject, $message, $header))
                $success = "Your message was sent!";
            else
                $error = "There was a problem sending your message. Please try again.";
        }else
            $error = "All fields are required.";
    }
    if($error)
        echo '<div class="msg error">'.$error.'</div>';
    elseif($success)
        echo '<div class="msg success">'.$success.'</div>';
}
?>


