  1. #1
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Stopping Spam Bots

    I read recently that one possible way of blocking spam bots from exploiting cgi mail forms is to have a hidden field that the visitor cannot see but the spam bot will fill out; then, set the cgi script to reject any attempt to send a message where anything is placed into that hidden field.

    At first I received some help from folks in the Coding Forums javascript section to achieve that goal, but it was pointed out that if the botcreeps had javascript turned off, then using js to foil the little monsters would not work.

    So can anyone with perl expertise provide the additional lines of code that we would need to add to the nms Form Mail script?

    Again, the goal is to make sure that any bot adding anything to the hidden field would find that the form would not send. I don't care whether we just close the form down at that point, or, re-direct them over to some site that sells this kind of malicious code.

    Thanks for any advice...
    Reno CF

  2. #2
    Senior Coder
    Join Date
    Mar 2006
    Posts
    1,274
    Thanks
    2
    Thanked 39 Times in 38 Posts
    do you know any perl at all or is this a wish list?

  3. #3
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hi Kevin,

    I wish I had perl expertise but find it to be a real challenge for my old brain. Mostly we just use basic "public domain" type scripts such as the nms "FormMail.pl" (which of course I renamed), and tend to go with their format as it is provided in the default download. If it wasn't for the spamcreeps, there'd be no need to mess with it, as it works perfectly well otherwise.

    I hasten to add that if adding the code to detect a populated hidden field is anything other than a fairly straightforward addition to the nms script, then it may be beyond my marginal capabilities.

    I read a posting by mlseim in another thread that says "This topic (of form mailing) is the most discussed topic on just about any scripting forum", so I was hoping that perhaps a solution to this has been covered in the past (I could not find it however with my CF search).

    So to answer your question, if it's just a matter of inserting a few lines of code at some point in this very popular form mail script, then I can do that; however if it requires a full scale modification, then I guess we'll have to put up with the daily spam assault.
    Reno CF

  4. #4
    Senior Coder
    Join Date
    Mar 2006
    Posts
    1,274
    Thanks
    2
    Thanked 39 Times in 38 Posts
    I am sure it's just a few lines of code, that's not the problem. I suggest you hire a programmer, I am sure you can get a job like this done for under $50 USD. Or maybe someone here will do it gratis, so check back.

  5. #5
    Super Moderator
    Join Date
    May 2005
    Location
    Southern tip of Silicon Valley
    Posts
    3,345
    Thanks
    2
    Thanked 233 Times in 226 Posts
    It sounds like you have configured the script incorrectly. The NMS FormMail script is one of the more secure scripts of this type.

    Have you tried the NMS support page?
    http://nms-cgi.sourceforge.net/support.html

  6. #6
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I've been using the nms script for years without a problem but for whatever reason in the past couple months I've been getting spammed. When it first started I added a question that only humans should be able to answer ("How much is 2 + 2?"), and that did cut it down, but that approach depends on javascript so I'm assuming that the ones getting through must have js disabled.

    I spent a couple hours tonight researching this issue using various search queries, and one thing is for sure -- this is one seriously huge problem.

    ..............................................
    Reno CF

  7. #7
    Supreme Master coder!
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    10,191
    Thanks
    10
    Thanked 1,166 Times in 1,157 Posts
    Reno ...

    I have a suggestion for you that is easy to try.

    I know others will scoff at this, but this actually works.

    In your HTML, somewhere before your "real" contact form,
    create another contact form, but comment out this form.

    Like this:

    <!--
    <form action="./cgi-bin/email.cgi" method="post">
    <input type="hidden" name="recipient" value="bill1234@aol.com">
    Email: <input type="text" name="email" value=""><br />
    Name: <input type="text" name="name" value=""><br />
    <input type="submit" name="submit" value="submit"><br />
    </form>
    -->

    In fact, you can copy that and use it like it is.
    The action part is fake, the recipient is fake, etc.

    What happens is, the spamming robots view your HTML source and
    see that form. They process it and exit. That means they don't
    see the "real" form further down in your HTML.

  8. #8
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you mlseim! In all the reading I've done about this problem in the past few days -- on forums, blogs, and white papers -- I've not seen this suggestion anywhere, so I'll be eager to see how it flies. Even a small reduction will be welcomed -- I appreciate your assistance...
    Reno CF

  9. #9
    Senior Coder
    Join Date
    Mar 2006
    Posts
    1,274
    Thanks
    2
    Thanked 39 Times in 38 Posts
    Most bots are really quite simple and just about anything will trip up the majority of them so it should help. It's the bots that are written to target a specific site and do a specific thing that are harder to defeat. I never saw that suggestion either.

  10. #10
    Regular Coder
    Join Date
    Feb 2005
    Posts
    679
    Thanks
    0
    Thanked 16 Times in 15 Posts
    The nms script has a little section towards the top of the script set aside for
    your own code.

    If you want to check a form field for a value, and if it exists exit the script before sending, then you could do:
    Code:
    # USER CUSTOMISATION SECTION
    # --------------------------
    # Place any custom code here
    
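    use CGI;

    # Refuse the submission if the hidden field came back filled in.
    sub spam {
        my $q = CGI->new;
        # 'inputName' is the name of the hidden input in your form HTML
        my $spamcheck = $q->param('inputName');
        # undef means the field was not sent; a value of "0" still counts as filled in
        $spamcheck = '' unless defined $spamcheck;
        if ($spamcheck ne '') {
            # Redirect instead of mailing, then stop the script
            print "Location: http://www.farfaraway.com\n\n";
            exit;
        }
    }
    spam();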
    
    # USER CUSTOMISATION << END >>
    # ----------------------------
    # (no user serviceable parts beyond here)
    The nms script invokes CGI.pm farther down in the script, find it and comment it out:
    Code:
    # use CGI;
    use POSIX qw(locale_h strftime);
    use CGI::NMS::Charset;
    Add the input with the inputName you want to use in the form HTML.

  11. #11
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks very much rwedge. I must be away from my computer for awhile, but when I return in a day or so I'll definitely give this a try -- much appreciated.
    Reno CF

  12. #12
    New to the CF scene
    Join Date
    May 2007
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hi: Many thanks for this code. I added it to my NMS formmail script and with an associated form field requiring entry of the eq value. The comment spam stopped abruptly. Before that I was getting 5-20 a day via the form.

    If you would be interested in writing a similar code section that would kill submissions with html code (like <A HREF and </A>) from a specific field, I would be interested in that. If you are interested, please contact me and we can work out the details.

    Again, thanks for this entry. George

  13. #13
    Regular Coder
    Join Date
    Feb 2005
    Posts
    679
    Thanks
    0
    Thanked 16 Times in 15 Posts
    "kill submissions with html code (like <A HREF and </A>) from a specific field"
    What specific field? Post the relevant form input you want to check, mainly the name of the field.

  14. #14
    New to the CF scene
    Join Date
    May 2007
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I call the field "Comments" and it is a textarea on the form for the submitter to use for that purpose. Thus far it is the only area the spam bots seem interested in filling out. I believe that if the input could be checked for " < " and if it appears anywhere in the submission the input killed that would do the trick. George

  15. #15
    Regular Coder
    Join Date
    Feb 2005
    Posts
    679
    Thanks
    0
    Thanked 16 Times in 15 Posts
    For a textarea with the name of 'Comments' you could try:
    Code:
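    use CGI;

    # Refuse the submission if the hidden field is filled in or the
    # Comments textarea contains an HTML tag.
    sub spam {
        my $q = CGI->new;
        my $spamcheck = $q->param('hidval');
        my $comcheck  = $q->param('Comments');
        # undef means the field was not sent; a value of "0" still counts as filled in
        $spamcheck = '' unless defined $spamcheck;
        $comcheck  = '' unless defined $comcheck;
        # In the second test, /s lets . match newlines, so a tag may span lines
        if ($spamcheck ne '') {
            print "Location: http://www.farfaraway.com/\n\n";
            exit;
        }
        elsif ($comcheck =~ /<.*>/s) {
            print "Location: http://www.endoftheroad.com/\n\n";
            exit;
        }
    }
    spam();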
    To take a shot at stripping HTML from the body of the message using a regex, you can add a line to this sub:
    Code:
    sub build_main_email_field {
      my ($self, $name, $value) = @_;
      $value =~ s/<(?:[^>'"]*|(['"]).*?\1)*>/ /gs;
      return ("$name: ", $value);
    }
    Using a module like HTML::FormatText or HTML::Parser would be better but more extra code.
    Last edited by rwedge; 05-22-2007 at 12:08 AM.
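
Added example (not rwedge's code and not part of the NMS script): the two checks from posts #10 and #15 as a stand-alone function run over constructed submissions, so the edge cases can be seen without a web server. The helper name `reject_reason` and the sample data are assumptions; the field names `hidval` and `Comments` are the ones used in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Field names as used in the thread; substitute the names from your own form.
my $HONEYPOT = 'hidval';      # hidden input a human never fills in
my $COMMENTS = 'Comments';    # visible textarea

# Hypothetical helper: returns the reason a submission should be dropped,
# or undef when it may go on to the mailer.
sub reject_reason {
    my ($param) = @_;         # hashref: field name => submitted value

    # Test length, not truthiness: the string "0" is false in Perl, so a
    # truthiness test would treat a honeypot filled with "0" as empty.
    my $trap = $param->{$HONEYPOT};
    return 'honeypot filled' if defined $trap && length $trap;

    # Any "<" at all, closed or not, as George asked for.
    my $text = defined $param->{$COMMENTS} ? $param->{$COMMENTS} : '';
    return 'markup in comments' if index($text, '<') >= 0;

    return;
}

# Constructed sample submissions, not real traffic.
my @samples = (
    [ 'human',          { hidval => '',  Comments => 'Please call me back.' } ],
    [ 'human, maths',   { hidval => '',  Comments => 'Is 3 < 5 on your chart?' } ],
    [ 'bot fills all',  { hidval => 'x', Comments => 'cheap pills' } ],
    [ 'bot sends 0',    { hidval => '0', Comments => 'cheap pills' } ],
    [ 'unclosed tag',   { Comments => '<a href=http://example.invalid' } ],
);

for my $sample (@samples) {
    my ($label, $param) = @$sample;
    my $why = reject_reason($param);
    printf "%-14s %s\n", $label, defined $why ? "DROP ($why)" : 'send';
}
```

The "human, maths" row is dropped as well, which is the cost of rejecting every "<": a legitimate message that happens to contain the character is lost along with the spam.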


 