  1. #1
    Regular Coder
    Join Date
    Jun 2010
    Posts
    293
    Thanks
    63
    Thanked 8 Times in 8 Posts

    How to get rid of spam bots?

    I have a "contact us" form on all the websites that I build.

    I have been using Google's ReCaptcha for a couple of years now, and until recently it has worked very well.

    About a couple of months back, I noticed more spam suddenly getting through ReCaptcha.

    I could only assume that this is because someone has cracked recaptcha and is now able to spam me via my websites.

    So I implemented further measures, as follows:

    1) Obfuscate the HTML of the "contact us" page using JavaScript (the browser sees it as HTML, the spam bot will hopefully just see it as a load of random gobbledygook).

    2) Include an invisible text field which, if filled in by a bot, causes the contents of the form to be silently discarded (i.e. silently not sent via email) and the offending IP address to be flagged.

    Nevertheless, I am STILL getting some spam, although much less than before I implemented the two further measures described above.

    How on earth are the bots getting through all that??!! What can I do to completely defend against them?
    Last edited by XmisterIS; 08-08-2013 at 11:13 AM.

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,495
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    How important is the contact form? In many cases, the spammers are people not bots. Companies hire people to browse the internet and submit forms/emails.

  • #3
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Yep.
    People submitting = not a thing you can really do. You can pull term matches or look for specific things like links or garbage words, and then simply discard or moderate it. Or of course you can always just moderate all, but that would depend on amount of expected legit posts.

    Bots you can do a lot about. My personal approach is to use a form for which I randomly generate the actual input field names. Stack that with a few of the random hidden fields (visually blocked by css not by using the hidden input type) randomly ordered results in no spammage. Win.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
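
A sketch of the approach described in post #3 (per-form random input names plus CSS-hidden decoy fields in random order), added here as an example and not code from any poster. The field names, the `SECRET` key handling and the one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)       # assumption: in production, load a stable key from config
REAL = ("name", "email", "message")    # fields the visitor sees
DECOYS = ("website", "phone")          # rendered but hidden with CSS; must stay empty
MAX_AGE = 3600                         # seconds a rendered form stays valid (assumption)

def _mac(text):
    return hmac.new(SECRET, text.encode(), hashlib.sha256).hexdigest()

def _alias(token, logical):
    """Per-form input name for a logical field, derived from the form token."""
    return "f" + _mac(f"{token}:{logical}")[:16]

def issue_form(now=None):
    """Return (token, [(logical, alias), ...]) with the fields in random order."""
    ts = int(time.time() if now is None else now)
    body = f"{ts}.{secrets.token_hex(8)}"
    token = f"{body}.{_mac(body)}"     # goes into the form as a hidden input
    fields = [(f, _alias(token, f)) for f in REAL + DECOYS]
    secrets.SystemRandom().shuffle(fields)
    return token, fields

def read_submission(token, posted, now=None):
    """Map a POST back to logical fields, or return None to discard it silently."""
    try:
        ts, nonce, sig = token.split(".")
        age = (time.time() if now is None else now) - int(ts)
        genuine = hmac.compare_digest(sig.encode(), _mac(f"{ts}.{nonce}").encode())
    except ValueError:
        return None                    # malformed token
    if not genuine or not 0 <= age <= MAX_AGE:
        return None                    # token not issued by this server, or expired
    if any(posted.get(_alias(token, d), "").strip() for d in DECOYS):
        return None                    # a hidden decoy field was filled in
    values = {f: posted.get(_alias(token, f), "").strip() for f in REAL}
    return values if all(values.values()) else None
```

A token stays usable until it expires; recording used nonces server-side would make each rendered form single-use.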

  • #4
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,639
    Thanks
    0
    Thanked 649 Times in 639 Posts
    Quote Originally Posted by Fou-Lu View Post
    Or of course you can always just moderate all, but that would depend on amount of expected legit posts.
    An alternative to that would be to moderate the first post by each user. If their first post is legitimate then it is less likely that they would follow that up with spam posts than if the first post were also spam.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #5
    Senior Coder
    Join Date
    Sep 2010
    Posts
    1,978
    Thanks
    15
    Thanked 229 Times in 229 Posts
    If you're getting multiple posts from the same party, and the other people are only making two or three posts at a time, you can set a session variable that increments with every post, and if the value exceeds say three, it will block posting for a time, or for that session.
    Welcome to http://www.myphotowizard.net

    where you can edit images, make a photo calendar, add text to images, and do much more.


    When you know what you're doing it's called Engineering, when you don't know, it's called Research and Development. And you can always charge more for Research and Development.

  • #6
    Regular Coder
    Join Date
    Jun 2010
    Posts
    293
    Thanks
    63
    Thanked 8 Times in 8 Posts
    I've done a little more research into this, following on from the replies here.

    I am not getting huge volumes of spam - maybe one or two messages a day.

    I have checked out each of the I.P. addresses from which the spam originates, and every one of them is on a blacklist.

    I might use barracuda (http://www.barracudacentral.org/rbl/how-to-use) to do an automated ip check and silently ignore anything that is blacklisted.

    My worry here though is that legit I.P.s will get blocked and blacklisted!!

    P.S. being employed to do nothing all day except post spam must be a soul-destroying job, knowing that you are regarded as the scum of the earth and everyone hates what you do.

  • #7
    New Coder
    Join Date
    Jul 2013
    Posts
    39
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by vaibhav25 View Post
    Here is a list of free online virus scans Safety.Live.com (That one is Microsoft's) Symantec.com Housecall.TrendMicro.com Comodo.com...Comodo.com offers free manual disinfection and a free security suite from the makers of Comodo Firewall Pro...Avira.com now offers free antivirus and antispyware...be sure to turn off onboard antivirus before starting online scanner
    are you serious? this is about spamming the website contact form...

  • #8
    New to the CF scene
    Join Date
    Aug 2013
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hmm, spam is really a pain in the head. Is there an automatic spam rejection?

  • #9
    New Coder
    Join Date
    Aug 2013
    Posts
    25
    Thanks
    2
    Thanked 2 Times in 1 Post
    The Q&A verification has really worked well on my site. I went from about 100/day to 0 instantly.

    There's also a tip posted on Vbulletin.com about adding a second Q&A into the registration questions (in case you need more security on top of that).

  • #10
    New Coder
    Join Date
    Jun 2013
    Posts
    28
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Quote Originally Posted by XmisterIS View Post
    I might use barracuda (http://www.barracudacentral.org/rbl/how-to-use) to do an automated ip check and silently ignore anything that is blacklisted.

    My worry here though is that legit I.P.s will get blocked and blacklisted!!

    I would be wary of using barracuda for this. We have had a few run-ins with barracuda firewalls in the past. Basically some default barracuda hardware firewalls used a default blacklist which was out of date and it did cause issues back then with some innocent IPs being blocked.

    Seems a bit extreme anyway. It's not always bots that are doing the spamming. Recently we saw evidence of manual contact form abuse. It always happened around about the same time of day from the same region. We suspect there are groups of organised spammers out there who are happy to put their rubbish into forms manually.
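
The automated blacklist check raised in posts #6 and #10, written so that a listing holds a message for review instead of discarding it; this is an added example, not code from the thread. The zone `dnsbl.example.org` is a placeholder (take the real zone name from the list's own documentation), and the `hold`/`deliver` outcomes are assumptions.

```python
import ipaddress
import socket

ZONE = "dnsbl.example.org"   # placeholder zone, not a real blacklist

def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """True if listed, False if not listed, None if the lookup itself failed."""
    not_found = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror as exc:
        # "No such name" is the normal not-listed reply; timeouts etc. are failures
        return False if exc.errno in not_found else None
    except OSError:
        return None
    # Listings answer inside 127.0.0.0/8; anything else (for example a resolver
    # that rewrites missing names to a search page) is not a listing
    return True if answer.startswith("127.") else None

def triage(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Hold listed senders for manual review; deliver everything else.

    A failed lookup delivers (fail open), so a stale or unreachable list
    cannot silently drop legitimate mail.
    """
    return "hold" if is_listed(ip, zone, resolve) is True else "deliver"
```

Passing `resolve` as a parameter lets the check be tested with a stub and swapped for a resolver with its own timeout.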

