
Prevent spammers from using my contact form



guvenck
08-25-2006, 12:06 PM
Hi people,

I realized that spam bots are sending lots of spam to one of my clients, using a feedback form I wrote. How can I prevent this from happening?

Here is the code:



<?php
if (isset($_POST['postquote'])) {
    $name   = $_POST['name'];
    $gender = $_POST['gender'];
    $email  = $_POST['email'];
    $phone  = $_POST['phone'];
    $fax    = $_POST['fax'];
    $quote  = $_POST['quote'];

    // Values that end up on a mail header line must not contain line breaks,
    // otherwise a sender can append extra headers (e.g. Bcc:) to the message
    $name  = str_replace(array("\r", "\n"), '', $name);
    $email = str_replace(array("\r", "\n"), '', $email);

    $to      = "info@mydomain.com";
    $subject = "[My Client Web] Feedback";
    // $headers = "";

    $message  = "";
    $message .= "Following message has been sent to you through your website:\n\n";
    $message .= "Sender: $name\n";
    $message .= "Email: $email\n";
    $message .= "Gender: $gender\n";
    $message .= "Phone: $phone\n";
    $message .= "Fax: $fax\n\n";
    $message .= "Message Body:\n$quote\n";

    include("header.php");

    if (mail($to, $subject, $message, "From: $name <$email>\n")) {
        // Escape the name before echoing it back into the page
        echo "<p>Dear " . htmlspecialchars($name) . ", thank you for your feedback....</p>";
    } else {
        echo "<p>Message could not be sent. Please try again later.</p>";
    }
    include("footer.php");
    exit();
}

// Mail form below

?>




Any advice will be highly appreciated. Thanks.

chump2877
08-25-2006, 12:12 PM
I would use image validation, there's no way a bot can bypass that as far as I know....

Like at the bottom of this form: http://www.mediamogulsweb.com/questionnaire.php.

I used a php class called KCAPTCHA on that page that can be found here: http://www.phpclasses.org/browse/package/3193.html.

Class works well and should be just what you need...

NancyJ
08-25-2006, 12:40 PM
CAPTCHA is annoying, however effective.
Read this: http://www.securephpwiki.com/index.php/Email_Injection on email injection - it may help you (unless the spammers are purely just filling in the form with text and spamming your client)
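Added example, not the original poster's or NancyJ's code: a check for the email header injection the linked page describes, applied to the field names of the form posted above, plus a safe way to build the From: header. The sample submissions at the bottom are constructed for the demo.

```php
<?php
// Added example (not the original poster's code): reject contact-form input
// that tries to smuggle extra mail headers, and build the From: header safely.

/**
 * Return a list of problems with the submitted fields, or an empty array
 * when the values are safe to hand to mail().
 */
function contact_form_problems(array $fields): array
{
    $problems = [];

    // Anything placed on a header line (From:, Reply-To:, Subject:) must never
    // contain a line break: one CR/LF lets the sender append "Bcc:" or "To:"
    // lines and turn the form into a relay for their own mail.
    foreach (['name', 'email'] as $field) {
        if (preg_match('/[\r\n]/', $fields[$field] ?? '')) {
            $problems[] = "$field contains a line break";
        }
    }

    if (!filter_var($fields['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $problems[] = 'email is not a valid address';
    }

    // Header keywords at the start of a body line cannot inject headers on
    // their own, but they are a bot fingerprint worth logging.
    if (preg_match('/^\s*(bcc|cc|to|content-type)\s*:/im', $fields['quote'] ?? '')) {
        $problems[] = 'message body contains mail header keywords';
    }

    return $problems;
}

/** Build the From: header; only call this once contact_form_problems() is empty. */
function safe_from_header(string $name, string $email): string
{
    // Quote the display name so characters such as "," or "<" cannot break the header.
    $name = str_replace(['"', "\r", "\n"], '', $name);
    return 'From: "' . $name . '" <' . $email . ">\r\n";
}

// Constructed sample submissions (not real data).
$samples = [
    'legit'  => ['name' => 'Mr. Jones', 'email' => 'mrjones@example.com', 'quote' => 'Hello!'],
    'attack' => ['name' => 'Bob', 'email' => "bob@example.com\r\nBcc: someone@example.net", 'quote' => 'x'],
];

foreach ($samples as $label => $fields) {
    $problems = contact_form_problems($fields);
    if ($problems) {
        // Log the reason server-side; show the visitor a generic error.
        echo "$label: rejected (" . implode('; ', $problems) . ")\n";
    } else {
        echo "$label: accepted, header = " . safe_from_header($fields['name'], $fields['email']);
    }
}
```

Run it from the command line: the legitimate submission is accepted and the one carrying a CR/LF in the address is rejected twice over (the line-break check and the address validation both fire). Keep the rejection reason in your own log rather than in the response, so you can see what the bots are sending without telling them which check caught them.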

gsnedders
08-25-2006, 12:43 PM
I'd have a read of http://www.w3.org/TR/turingtest/ before using a CAPTCHA.

chump2877
08-25-2006, 01:24 PM
I'd have a read of http://www.w3.org/TR/turingtest/ before using a CAPTCHA.

I have to say, that is interesting....And something I never thought about...

I like audio validation as a future alternative... Like a person clicks on the CAPTCHA image (if they can't read it) and a wav file plays that relays the CAPTCHA text... you have to think that people with disabilities are or will be equipped with the hardware necessary to hear stuff like this (speakers, headphones, etc.)...A regular HTML text message before the CAPTCHA image could prompt disabled users to go grab their headphones if they're not already using them...

It would be cool if you could dynamically create wav files with the CAPTCHA text....just like you can dynamically create image files with PHP's image functions...

lansing
08-25-2006, 03:50 PM
I have to say, that is interesting....And something I never thought about...

I like audio validation as a future alternative... Like a person clicks on the CAPTCHA image (if they can't read it) and a wav file plays that relays the CAPTCHA text... you have to think that people with disabilities are or will be equipped with the hardware necessary to hear stuff like this (speakers, headphones, etc.)...A regular HTML text message before the CAPTCHA image could prompt disabled users to go grab their headphones if they're not already using them...

It would be cool if you could dynamically create wav files with the CAPTCHA text....just like you can dynamically create image files with PHP's image functions...

I know of many sites that use this. Here is a link to one site. https://www.omnipay.com/secure/logon.asp

How do we make a custom turing image?

Would it be a waste of time to make the image Alternative Text value equal the image code? Like if the turing image value is 41Fd8Q then make the image alt="41Fd8Q" since that would help browsers that can't view the image.

chump2877
08-25-2006, 04:17 PM
I know of many sites that use this. Here is a link to one site. https://www.omnipay.com/secure/logon.asp

Sweet! :thumbsup: Would you happen to know how they did that, and if the audio is dynamically generated (along with the image)?


Would it be a waste of time to make the image Alternative Text value equal the image code? Like if the turing image value is 41Fd8Q then make the image alt="41Fd8Q" since that would help browsers that can't view the image.

I think that a clever web bot or program could use the "alt" or "title" attribute text to bypass the system (just like regular HTML text), so it's probably not a solution....just a hunch...

lansing
08-25-2006, 04:55 PM
I don't know how they did that & can't find anything anywhere on how to replicate that for my own sites.

Didn't think about the bots using the alt text so that would be a bad idea.

Anthony2oo4
08-25-2006, 06:08 PM
Might sound dumb, but I suppose it could work, possibly, but how about a random question that the user has to complete for the mail to be sent. For example, at the end of your form get PHP to choose a random question from a list you made such as:

Is the title of this site called MYWEBPAGE?

yes / no

Because it's random and it changes, the bots can't answer it; on the next page you simply validate the question.

Another question could be: is today Monday?

Just a thought.
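Added example, not Anthony2oo4's or the original poster's code: a random challenge question picked when the form is shown and verified when it is submitted. The `$store` array stands in for `$_SESSION` so the script runs from the command line; the question bank, the field names and the session keys are assumptions for this example.

```php
<?php
// Added example (not the poster's code): random challenge question stored
// server-side at issue time and checked once on submit.

/** The question bank, built at call time so date-based answers are current. */
function question_bank(): array
{
    return [
        ['q' => 'What is the title of this site? (one word)', 'a' => ['mywebpage']],
        ['q' => 'What day of the week is it today?',         'a' => [strtolower(date('l'))]],
        ['q' => 'How many legs does a dog have?',             'a' => ['4', 'four']],
    ];
}

/**
 * Pick a question at random, remember the accepted answers server-side and
 * return the prompt to print on the form. The answers are stored rather than
 * the question index, so a "what day is it" question issued before midnight
 * still verifies correctly after it.
 */
function issue_question(array &$store): string
{
    $bank = question_bank();
    $pick = $bank[random_int(0, count($bank) - 1)];
    $store['challenge_answers'] = $pick['a'];
    return $pick['q'];
}

/**
 * Check the visitor's answer against what was stored. The challenge is
 * removed after one attempt, so a correct answer cannot be replayed, and a
 * submission that never loaded the form has nothing to match against.
 */
function verify_answer(array &$store, string $answer): bool
{
    if (!isset($store['challenge_answers'])) {
        return false;
    }
    $accepted = $store['challenge_answers'];
    unset($store['challenge_answers']);
    return in_array(strtolower(trim($answer)), $accepted, true);
}

// Command-line demo with a constructed session store.
$session = [];
$prompt  = issue_question($session);
echo "Question shown on the form: $prompt\n";

$correct = $session['challenge_answers'][0];   // stands in for a person reading the prompt
var_dump(verify_answer($session, '  ' . strtoupper($correct) . ' '));  // bool(true)
var_dump(verify_answer($session, $correct));                           // bool(false): already used

$fresh = [];
var_dump(verify_answer($fresh, 'anything'));                           // bool(false): no challenge issued
```

The answers are free text and matched case-insensitively after trimming, so a blind guess has far lower odds than with a yes/no question, and the accepted answers never leave the server, so a bot cannot pick the easiest question for itself.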

Fumigator
08-25-2006, 06:28 PM
Yes/no questions would be way too easy to answer correctly without knowing the question.

Here's my favorite solution by far:

http://www.hotcaptcha.com/

I'm thinking about putting in a system similar to that but it displays a handful of random images and asks the user to pick the image that contains a dog, for example. Someone could write an OCR algorithm to defeat it sure, but for my purposes it wouldn't be worth doing.

chump2877
08-25-2006, 07:26 PM
Hate to burst your bubble but how would a visually impaired person be able to differentiate between small CAPTCHA-like images (a picture of a dog versus a picture of a cat, let's say)....."Disabled" people like this really only have a couple of options: 1) increase the HTML font size of web content to something huge so they can see it, or 2) I guess there are ways to deliver/translate web content into an audible format.

Unless you made the picture of the cat and dog REALLY big...lol...:D...but then your image validation starts to look like a children's picture book...

Edit: by the way, I'm referring to Error 404's post in this thread..

mlseim
08-25-2006, 08:50 PM
The biggest problem people make is naming the form script something like "formmail" or "email" or "mail" .... spamming robots pick up on that right away. Call your script something like:
<form action='df87ek.php' method='post'>

Anthony2oo4
08-25-2006, 11:12 PM
Well, seeing as it's only your form that the bots look for, how about this:


%3Cform%20method%3D%22POST%22%20action%3D%22--WEBBOT-SELF--%22%3E%0D%0A%09%3Cp%3E%3Cinput%20type%3D%22text%22%20name%3D%22T1%22%20size%3D%2220%22%3E%3Cinput%20type%3D%22submit%22%20value%3D%22Submit%22%20name%3D%22B1%22%3E%3Cinput%20type%3D%22reset%22%20value%3D%22Reset%22%20name%3D%22B2%22%3E%3C%2Fp%3E%0D%0A%3C%2Fform%3E

They can't read that and won't be able to input anything into the form:

http://www.yuki-onna.co.uk/html/encode.html

NancyJ
08-26-2006, 12:06 AM
Hate to burst your bubble but how would a visually impaired person be able to differentiate between small CAPTCHA-like images (a picture of a dog versus a picture of a cat, let's say)....."Disabled" people like this really only have a couple of options: 1) increase the HTML font size of web content to something huge so they can see it, or 2) I guess there are ways to deliver/translate web content into an audible format.

Unless you made the picture of the cat and dog REALLY big...lol...:D...but then your image validation starts to look like a children's picture book...

Edit: by the way, I'm referring to Error 404's post in this thread..

Aside from my dyslexia I am completely able, both in body and mind - I do however have trouble with a lot of captcha images - and that's not entirely due to dyslexia, some of them are just downright bad, in order to distort it so that robots can't read it they make it so that humans can just about make it out. But I'm pretty sure I can tell a dog from a cat. Without having to increase text sizes to be huge - don't be so narrow minded - there are more disabilities than visual impairments that would affect someone's ability to decipher captchas.

Fumigator
08-26-2006, 12:11 AM
Maybe I'll include a blurb for the visually impaired that have an interest in my site (all 3 of them):

"If you are having trouble telling the difference between a dog and a cat, call me and I will personally validate your registration."

Intermezzo
08-26-2006, 04:43 AM
I've got a very easy idea to prevent spam ONLY from bots. Just insert a hidden checkbox on the form. If a user presses "SEND" or whatever the checkbox goes "true" per javascript. A spam-bot won't check it ;)

However, after that, you can check per PHP if the checkbox was marked or not. If not there was a bot :D

This has to work.. Or not? :P
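Added example, not Intermezzo's or the original poster's code: the hidden-field idea from the post above, with the field empty in the HTML and a small script filling it when the visitor presses SEND, so a bot that never runs the script submits it empty. It goes beyond the post by adding the inverse "honeypot" field, one hidden from people that a form-filling bot tends to complete. The field names, the script name and the sample submissions are assumptions constructed for this example.

```php
<?php
// Added example (not the poster's code): a JavaScript-set flag plus a
// honeypot field, checked server-side in PHP.

/** The form markup, served as-is on GET. "feedback.php" is a placeholder name. */
function render_form(): string
{
    return <<<'HTML'
<form action="feedback.php" method="post">
  <p><input type="text" name="name"> <input type="text" name="email"></p>
  <p><textarea name="quote"></textarea></p>
  <!-- Set by the script on submit; stays empty for bots that ignore scripts -->
  <input type="hidden" name="js_ok" value="">
  <!-- Honeypot: moved off-screen, so a genuine visitor leaves it empty -->
  <p style="position:absolute;left:-9999px"><label>Website <input type="text" name="website" autocomplete="off"></label></p>
  <p><input type="submit" name="postquote" value="SEND"></p>
</form>
<script>
  document.querySelector('form').addEventListener('submit', function () {
    this.elements['js_ok'].value = '1';
  });
</script>
HTML;
}

/**
 * Return a reason string when the submission looks automated, or null when
 * it passes. Keep the reason for your log; show the visitor a generic message.
 */
function bot_reason(array $post): ?string
{
    if (($post['website'] ?? '') !== '') {
        return 'honeypot field was filled in';
    }
    if (($post['js_ok'] ?? '') !== '1') {
        // Also fires for real visitors with scripting disabled, so treat this
        // as "hold for review" rather than "drop silently".
        return 'submit did not run the script (bot, or JavaScript disabled)';
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'     => ['name' => 'Mr. Jones', 'quote' => 'Hello',   'js_ok' => '1', 'website' => ''],
    'bot'       => ['name' => 'x',         'quote' => 'buy now', 'js_ok' => '',  'website' => 'http://spam.example'],
    'no-script' => ['name' => 'Ms. Lee',   'quote' => 'Hi',      'js_ok' => '',  'website' => ''],
];

foreach ($samples as $label => $post) {
    echo str_pad($label, 10), ': ', bot_reason($post) ?? 'ok', "\n";
}
```

The honeypot check is the stronger of the two signals: a person never sees the field, so anything in it is a clear reject. The missing script flag is ambiguous, since a visitor with scripting turned off looks the same as a simple bot, which is why the code returns a reason you can act on differently rather than a plain true/false.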

chump2877
08-26-2006, 05:33 AM
Aside from my dyslexia I am completely able, both in body and mind - I do however have trouble with a lot of captcha images - and that's not entirely due to dyslexia, some of them are just downright bad, in order to distort it so that robots can't read it they make it so that humans can just about make it out. But I'm pretty sure I can tell a dog from a cat. Without having to increase text sizes to be huge - don't be so narrow minded - there are more disabilities than visual impairments that would affect someone's ability to decipher captchas.

Okay...my intention wasn't to offend anyone...:eek: ...Error 404's post referred to "blind" or "almost blind" people....would a blind or almost blind person be able to differentiate between a smallish picture of a cat and dog? I don't know for sure, but I wouldn't bet on it...

I don't think I was being narrow-minded -- quite the contrary rather...Sure, there are all kinds of disabilities out there, and we all have our own problems and opinions...but any single solution needs to encompass and cater to all forms of disability, including blind (or almost blind) people...surely, you see what I'm saying?

marek_mar
08-26-2006, 06:11 AM
hotcaptcha told me that I'm a robot and should die. This opinion might be a bit subjective but I think that it is one of the worst captchas made, not only because it would be easy to crack it just like most of the other image captchas suggested.

gsnedders
08-26-2006, 12:53 PM
Okay...my intention wasn't to offend anyone...:eek: ...Error 404's post referred to "blind" or "almost blind" people....would a blind or almost blind person be able to differentiate between a smallish picture of a cat and dog? I don't know for sure, but I wouldn't bet on it...

The W3C article did not just refer to blind people, but also those with other disabilities (such as dyspraxia and dyslexia). Logic puzzles are a possible problem for people with learning disabilities like the two mentioned above.

Both dyspraxia and dyslexia can cause language development to be slow, and therefore can make it easy for spelling mistakes to be made (as anyone who has ever spoken to me on IM will know well), which makes language puzzles equally difficult.


I've got a very easy idea to prevent spam ONLY from bots. Just insert a hidden checkbox on the form. If a user presses "SEND" or whatever the checkbox goes "true" per javascript. A spam-bot won't check it ;)

However, after that, you can check per PHP if the checkbox was marked or not. If not there was a bot :D

This has to work.. Or not? :P

Bots can be built upon graphical UAs, with JavaScript enabled. Also, users can have JavaScript disabled.

IMO, there is no real way to avoid spam apart from having someone manually checking it. There are a few complex automated systems that are quite accurate, but there will be times when they get it wrong.

guvenck
08-26-2006, 04:53 PM
I did not know that I'd get so many responses when I asked the question, many thanks, helpful people of this great forum!

Apart from using images or audio, I'd like to know if it will help if I let the visitor confirm his message such as:

Please review your feedback message and press OK if the information is true:

Name: Mr. Jones
Email: mrjones@ms.com
Subject: Hello
Message: Just wanted to say hello, keep up the good work!

OK | Modify

What do you think?

mlseim
08-26-2006, 10:02 PM
A confirm message wouldn't be a bad idea ...

Whether or not it stops spammers is not known, but it does show the visitor that their message has done something.


