
GMFormMail.cgi Spam Issues


keith1995
07-24-2006, 03:37 PM
Looking for some help here...

We use GMFormMail to handle our form submissions for over 70 clients. Some of these clients have started to receive a lot of spam submissions from what appears to be bots.

We are hoping someone out there has experienced something similar with GMFormMail and has a solution, or someone out there that has experience with GMFormMail and would be interested in helping us code an enhancement to stop these spam submissions. We would of course be willing to pay for this help.

Please contact me at keith@legalisi.com to discuss what options you think we may have.

Thanks,

mlseim
07-24-2006, 03:44 PM
I know some people frown on this solution, but perhaps a Captcha would
be the easiest thing to implement.

http://en.wikipedia.org/wiki/Captcha

It doesn't have to be fancy. You could even switch between a half-dozen
images just to change it up. Just that extra step to determine if the user
is human. You could even ask a simple question that only a human could
answer instead of a Captcha image.

And ...

Change the name of your email script. Most people probably get bothered
because the robots search the internet for a certain list of email script names.
Call your email script "e1m2a3i4l.cgi" or something like that.

Don't use filenames like GMFormMail, FormMail, Email, Mail, FormMailer ... etc.

keith1995
07-24-2006, 04:34 PM
mlseim,

Thanks for the reply. I have looked into the CAPTCHA solution and while that is a viable option, we are trying to see if there any other options out there that we could implement quickly. We use the GMFormMail script for well over 500 forms and to change each of those forms to use a CAPTCHA would be very time consuming.

However, we do use the same GMFormMail.cgi script located on our server that we can change and the change would be reflected for each of our client's forms.

Do you know if it is possible to implement the CAPTCHA as a standalone page, meaning that if someone fills out a form, they would be taken to a new page where they would be required to match the CAPTCHA in order to verify the submission, and then upon verification, the form would work as it's supposed to?

Obviously this would require some modifications to the GMFormMail script itself and we would need a third-party to help us with that but is that a viable option or should we just roll up our sleeves and handle each form individually with the CAPTCHA solution?

FishMonger
07-24-2006, 06:06 PM
I've never used the GMFormMail script, but I just downloaded and looked it over. It's an old script that hasn't been updated since 1998 and it's not written very well. My recommendation would be to switch to a better written and more secure formmail script instead of trying to patch this one. The formmail script from the nms project is the best that I've seen.
http://nms-cgi.sourceforge.net/scripts.shtml

keith1995
07-25-2006, 06:46 PM
FishMonger,

The script from the nms project looks pretty solid but do you know if they have any type of functions in place to keep bots from filling out the form and sending tons of spam via them?

FishMonger
07-25-2006, 07:19 PM
One of the main reasons the nms formmail script was written was to replace the older insecure formmail scripts (such as this one) with a secure script that prevents spammers from hijacking the forms.

Here's a quote from the original author of the nms script when someone else asked a similar question.
The whole point of starting the nms project was to replace Matt's programs with secure versions that ISPs would be happy to recommend to their customers.
http://www.experts-exchange.com/Programming/Programming_Languages/Perl/Q_21528086.html

keith1995
07-26-2006, 05:58 PM
FishMonger,

I've been playing with the NMS script and while it does work fine there are several features which are going to make using the script a little difficult for us.

1. The @allow_mail_to tag is more of a pain than a help. I understand the idea behind it, but for us to have to update that tag each time one of our clients wants to have a form directed to a new email address is a big pain.

2. The confirmation email that recipients receive after filling out the form is lacking as compared to the GMFormMail script.

If we could configure this script to allow us to mail the forms to anyone and not have to keep a running list of the email addresses or domain names who can receive output from the form, and also configure the confirmation email to be form-dependent, much like how GMFormMail does it, then this script would be a winner.

Do you happen to have any insight on how to make modifications such as the ones above?

FishMonger
07-28-2006, 08:57 PM
Sorry about the delay in responding. Each time I started to write the response, I got sidetracked.

1. The @allow_mail_to tag is more of a pain than a help. I understand the idea behind it, but for us to have to update that tag each time one of our clients wants to have a form directed to a new email address is a big pain.
I don't follow your reasoning in your first issue. Assigning (hard coding) the allowed recipients in the formmail script is one of the key factors in securing the script. The script can be modified to make it easier to maintain/update the recipients, and we can look into that if you wish.

How are you currently restricting the assignment of the recipients? One of the most common mistakes made in formmail scripts is that they include the recipient address in the form via a hidden field or a textfield that the user fills in. That is an open door for spammers to use for their purpose.

2. The confirmation email that recipients receive after filling out the form is lacking as compared to the GMFormMail script.
Your second issue is valid. I should have clarified my recommendation and said that it's one of the best and most secure scripts in the SIMPLE realm. The format of the email can be made prettier, but it may be more effort than you wish. Here's a better option: the nms project has another formmail script that's newer, just as secure if not more so, and uses template files to generate an html email. The script is called TFMail and can be downloaded from the same page as FormMail. TFMail is more complex to set up, but I think you'll find that it's worth the effort.
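One way to keep the recipients hard coded on the server while still making them easy to maintain, as FishMonger describes: the form carries only a short form id, and the handler maps that id to an address from a server-side table. This is an added example in Python, not GMFormMail or nms code; the table file name, form ids and addresses are assumptions constructed for the example.

```python
"""Recipient allowlist for a form-mail handler (added example, not nms/GMFormMail code).

The form no longer carries the destination address in a hidden field. It
carries only a short form id; the handler maps that id to a recipient that is
kept server-side, so a modified submission cannot choose where mail goes.
"""
import re
from typing import Dict, Optional

# Server-side table, one line per form: "<form_id> <recipient address>".
# In a deployment this would live in a file next to the script that the web
# server never serves (e.g. recipients.conf, a hypothetical name); here it is
# constructed inline so the example runs offline.
RECIPIENTS_TABLE = """
# form_id        recipient
acme-contact     intake@acme.example
acme-careers     jobs@acme.example
beta-help        help@beta.example
"""

# Form ids are deliberately narrow: lowercase letters, digits and hyphens only.
FORM_ID_RE = re.compile(r"[a-z0-9-]{1,40}")


def load_recipients(text: str) -> Dict[str, str]:
    """Parse the table; '#' starts a comment, blank lines are ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        form_id, address = line.split()
        if not FORM_ID_RE.fullmatch(form_id):
            raise ValueError(f"bad form id in table: {form_id!r}")
        table[form_id] = address
    return table


def resolve_recipient(table: Dict[str, str], submitted_form_id: str) -> Optional[str]:
    """Return the hard-coded recipient for a form id, or None if unknown.

    Anything that is not a known id (a raw address, an injected header,
    an empty value) is refused rather than mailed."""
    if not submitted_form_id or not FORM_ID_RE.fullmatch(submitted_form_id):
        return None
    return table.get(submitted_form_id)
```

Adding a client then means appending one line to the table rather than editing the script or touching any of the forms.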

keith1995
07-28-2006, 09:06 PM
Fishmonger,

Again, thanks for your reply!

Currently with the GMFormMail script, we do use a hidden form field to designate who receives the form responses, as well as any email addresses who might be CC'd or BCC'd on the form responses.

I understand that bots can grab those email addresses from the hidden fields and use them for spam but the real problem we are having isn't with regular spam, rather bots filling out the forms with gibberish and links to other sites.

I'm probably glossing over something but how do any of the nms scripts prevent bots from filling out the forms?

We aren't as concerned about bots "stealing" email addresses from the hidden form fields as we are with the amount of nonsense form submissions our clients are receiving.

mlseim
07-28-2006, 09:47 PM
Is there one textbox on your form that the bots are not
filling in correctly? If so, make that box the one you check for.

If a human filled out your form, they would have put a valid value
in that textbox. The bots would have failed to do that.

This would be easier than a captcha, because you don't need to alter the
forms at all, just the script ... to validate that one textbox.

Let us see a copy of the actual form.

keith1995
07-28-2006, 10:32 PM
Below is a sample form from one of our client's sites. The odd thing is that some of the bad form submissions we are receiving do not match the form subject title that we specify in one of the hidden fields. This makes me wonder how these bots are sending the forms as any form submitted should come to our client with the subject line that we specify.

<form name="Form" method="get" action="GMFormMail.cgi">
<table width="100%" border="0" cellpadding="2" cellspacing="2" class="right_nav">
<tr><td width="67%">
<input type=hidden name="recipient" value="email goes here">
<input type=hidden name="subject" value="Title of company legal help contact request">
<input type=hidden name="required" value="Email,Name,Phone">
<input type=hidden name="redirect" value="thanks.htm">
<input type=hidden name="print_blank_fields" value="1" disabled>
<input type=hidden name="exclude" value="env_report">
<input type=hidden name="env_report" value="REMOTE_HOST, HTTP_USER_AGENT">
<input type=hidden name="print_config" value="email,subject">
<input type=hidden name="title" value="" disabled>
<input type=hidden name="return_link_url" value="" disabled>
<input type=hidden name="return_link_title" value="Back to Main Page" disabled>
<input type=hidden name="missing_fields_redirect" value="error.htm">
<input type=hidden name="bgcolor" value="#FFFFFF" disabled>
<input type=hidden name="text_color" value="#000000" disabled>
<input type=hidden name="link_color" value="#FF0000" disabled>
<input type=hidden name="alink_color" value="#0000FF" disabled>
<input type=hidden name="vlink_color" value="#0000FF" disabled>
<input type=hidden name="bcc" value="">
<!--Courtesy Reply Options-->
<input type=hidden name="courtesy_reply" value="yes">
<input type=hidden name="courtesy_reply_texta" value="Thank you for contacting Title of company.">
<input type=hidden name="courtesy_reply_textb" value="Your form has been sent. We will be in touch with you shortly.">
<input type=hidden name="courtesy_who_we_are" value="Title of company">
<input type=hidden name="courtesy_our_url" value="website URL">
<input type=hidden name="courtesy_our_email" value="Email Address">
<strong>Get Help Now</strong></td></tr>
<tr><td><strong>Name </strong>* <input name="Name" type="text" id="Name" size="16"></td></tr>
<tr><td><strong>Street Address <input name="Address" type="text" id="Address" size="16"></strong></td></tr>
<tr><td><strong>City <input name="City" type="text" id="City" size="16"></strong></td></tr>
<tr><td><strong>State
<select name="State">
<option value="" selected></option><option value="AL">AL</option><option value="AK">AK</option><option value="AZ">AZ</option><option value="AR">AR</option><option value="CA">CA</option><option value="CO">CO</option><option value="CT">CT</option><option value="DE">DE</option><option value="FL">FL</option><option value="GA">GA</option><option value="HI">HI</option><option value="ID">ID</option><option value="IL">IL</option><option value="IN">IN</option><option value="IA">IA</option><option value="KS">KS</option><option value="KY">KY</option><option value="LA">LA</option><option value="ME">ME</option><option value="MD">MD</option><option value="MA">MA</option><option value="MI">MI</option><option value="MN">MN</option><option value="MS">MS</option><option value="MO">MO</option><option value="MT">MT</option><option value="NE">NE</option><option value="NV">NV</option><option value="NH">NH</option><option value="NJ">NJ</option><option value="NM">NM</option><option value="NY">NY</option><option value="NC">NC</option><option value="ND">ND</option><option value="OH">OH</option><option value="OK">OK</option><option value="OR">OR</option><option value="PA">PA</option><option value="RI">RI</option><option value="SC">SC</option><option value="SD">SD</option><option value="TN">TN</option><option value="TX">TX</option><option value="UT">UT</option><option value="VT">VT</option><option value="VA">VA</option><option value="WA">WA</option><option value="DC">DC</option><option value="WV">WV</option><option value="WI">WI</option><option value="WY">WY</option></select></strong></td></tr>
<tr><td><strong>Zipcode <input name="Zipcode" type="text" id="Zipcode" size="16"></strong></td></tr>
<tr><td><strong>Best phone number to contact you</strong> * <input name="Phone" type="text" id="Phone" size="16"></td></tr>
<tr><td><strong>Email </strong>*<input name="Email" type="text" id="Email" size="16"></td></tr>
<tr><td><strong>Legal Problem</strong></td></tr>
<tr><td><textarea name="Question_Matter" cols="13" rows="4" wrap="PHYSICAL" id="textarea"></textarea></td></tr>
<tr><td><div align="center"><input type="submit" name="Submit" value="Submit">&nbsp;&nbsp;<input type="reset" name="Reset" value="Reset"></div></td></tr></table></form>

FishMonger
07-28-2006, 11:17 PM
<form name="Form" method="get" action="GMFormMail.cgi">
<table width="100%" border="0" cellpadding="2" cellspacing="2" class="right_nav">
<tr><td width="67%">
<input type=hidden name="recipient" value="email goes here">
<input type=hidden name="subject" value="Title of company legal help contact request">
<input type=hidden name="required" value="Email,Name,Phone">
<input type=hidden name="redirect" value="thanks.htm">
etc
etc
That's a major part of your problem. Using that approach, spammers/bots can easily hijack and modify the submission. Good formmail scripts will have very few, if any, hidden fields and the key items such as those are hard coded in the script, not the form.

mlseim
07-29-2006, 01:07 AM
Are the bots putting a valid email address in the email field?

If not, check for '@' symbol and a period "." in the email field when the form
is submitted. If both of them are there, a human typed in their email
address. The bots may be putting garbage in that text box.

If the bots are finding the value "Email", change the name of that
variable to something else. Then you'll need to change it in all other
places too.

Change this line:

<tr><td><strong>Email </strong>*<input name="Email" type="text" id="Email" size="16"></td></tr>

to something like this:

<tr><td><strong>Email </strong>*<input name="E2m3a4i5l" type="text" id="E2m3a4i5l" size="16"></td></tr>

Do a find/replace to change it in all other places.
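Putting the server-side suggestions from this thread into one handler check, as an added example in Python that is not GMFormMail or nms code: required fields must be present, the email field must contain '@' and a '.', the submitted subject must match the per-form subject kept on the server (the mismatch keith1995 observed), and it goes one step beyond the thread by refusing free text carrying more than a few links. Field names follow the sample form above; the config values and the two sample submissions are constructed for the example.

```python
"""Server-side submission checks for a form-mail handler (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Minimal shape check: something@something.something, no whitespace.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


@dataclass
class FormConfig:
    subject: str                                   # kept server-side, not trusted from the form
    required: Tuple[str, ...] = ("Email", "Name", "Phone")
    email_field: str = "Email"                     # change here too if the field is renamed
    max_links: int = 2                             # more than this in a submission is refused


def check_submission(cfg: FormConfig, fields: Dict[str, str]) -> List[str]:
    """Return the reasons to reject a submission; an empty list means accept."""
    problems: List[str] = []
    for name in cfg.required:
        if not fields.get(name, "").strip():
            problems.append(f"missing required field {name}")
    email = fields.get(cfg.email_field, "").strip()
    if email and not EMAIL_RE.fullmatch(email):
        problems.append("email field is not an address")
    # Spam arrived with a subject that did not match the form's hidden field;
    # comparing against the server-side value catches a tampered submission.
    if fields.get("subject", "") != cfg.subject:
        problems.append("subject does not match this form")
    links = sum(len(URL_RE.findall(value)) for value in fields.values())
    if links > cfg.max_links:
        problems.append(f"{links} links in submission")
    return problems


# Constructed sample data: a plausible human submission and a bot-style one.
CFG = FormConfig(subject="Title of company legal help contact request")
HUMAN = {"Name": "Jane Doe", "Phone": "555-0100", "Email": "jane@example.com",
         "subject": CFG.subject, "Question_Matter": "Need advice on a lease."}
BOT = {"Name": "xkqzp", "Phone": "", "Email": "asdf", "subject": "Hello",
       "Question_Matter": "http://a.example http://b.example http://c.example"}

if __name__ == "__main__":
    print("human:", check_submission(CFG, HUMAN) or "accepted")
    print("bot:  ", check_submission(CFG, BOT))
```

Because every check runs in the script, none of the 500 forms needs to change; a rejected submission can be sent to the existing missing_fields_redirect page instead of being mailed.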