Prevent Spambots in contact form?


Prevent Spambots in contact form?

Post by LDM2009 »

I have a client who does not want to use CAPTCHA but keeps getting spam emails from his contact page. I have written a script that checks for email validation (checkdnsrr), for a hidden text field, for HTML injection, etc., but emails are still coming through that the script should stop. When I try to enter the exact information that is in the spam emails, the email will not go through! What is causing this??? Anyone??

Thanks!

Re: Prevent Spambots in contact form?

Post by McInfo »

The spammers could be bypassing your script somehow. Is the email address exposed anywhere on the site? Are the headers of the spam emails different from the headers of legitimate emails (are they not being sent by the script)? Is your hidden text field static?

Edit: This post was recovered from search engine cache.
Last edited by McInfo on Tue Jun 15, 2010 10:10 pm, edited 1 time in total.

Re: Prevent Spambots in contact form?

Post by LDM2009 »

The email address is not visible on the website anywhere. It is only specified in the PHP script.
The email is being sent by the script, so it is somehow just skipping to the mail command and ignoring my if/else statement to send the email.
I use a hidden text field and check if it is filled in. The logic is that if it is, it is spam, as a spambot would fill in all fields of the form and a human could not fill in the hidden field.

The script does the following:
- check for valid email format and existing domain
- check that a hidden text field was not filled in by a robot
- check that all fields are not the same content and/or empty
- check that the form is posted from my server
- detect spam-like content within submitted form elements (header injection)

It uses if statements, and if any of those are caught, a boolean $isspam is set to true. An if/else statement determines whether to send the email or not (and then returns with an error code on the screen).

Any other suggestions??

Thanks!
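The check list above written as one server-side function, as an added example rather than LDM2009's own script. It assumes the form fields are called name, email, message, with a honeypot called website, and that the handler calls mail() only when the returned array is empty.

```php
// Added example (not the thread's code). Field names and the honeypot name are assumptions.
const HONEYPOT_FIELD  = 'website';            // a real text input, hidden from humans with CSS
const REQUIRED_FIELDS = ['name', 'email', 'message'];

/** Returns the reasons a submission looks like spam; an empty array means clean. */
function spam_reasons(array $post, string $expectedHost): array
{
    $reasons = [];
    // 1. Honeypot: a human never sees this field, so any value means a bot.
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        $reasons[] = 'honeypot filled';
    }
    // 2. Required fields present, non-empty, and not all the same.
    $values = [];
    foreach (REQUIRED_FIELDS as $f) {
        $values[$f] = is_string($post[$f] ?? null) ? trim($post[$f]) : '';
        if ($values[$f] === '') {
            $reasons[] = "empty field: $f";
        }
    }
    if (count(array_unique($values)) === 1) {
        $reasons[] = 'all fields identical';
    }
    // 3. Header injection: values that end up in mail headers must not carry
    //    line breaks (raw or URL-encoded) or extra header lines such as Bcc:.
    foreach (['name', 'email'] as $f) {
        if (preg_match('/[\r\n]|%0[ad]|\b(bcc|cc|to|content-type)\s*:/i', $values[$f])) {
            $reasons[] = "header injection in $f";
        }
    }
    // 4. Email syntax, then a domain that can actually receive mail (MX, else A).
    $at     = strrpos($values['email'], '@');
    $domain = $at === false ? '' : substr($values['email'], $at + 1);
    if (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false
        || $domain === '' || !(checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A'))) {
        $reasons[] = 'invalid email address or domain';
    }
    // 5. "Posted from my server": a weak signal only, since a bot can forge the
    //    Referer and some browsers strip it. Reject a wrong host, not a missing one.
    $host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (is_string($host) && strcasecmp($host, $expectedHost) !== 0) {
        $reasons[] = 'posted from another host';
    }
    return $reasons;
}
```

Keeping the reasons as data rather than a single $isspam flag lets the handler log why each request was blocked, which is what tells you whether a check is actually firing against the spam that gets through.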

Re: Prevent Spambots in contact form?

Post by mikemike »

And you can't have any sort of CAPTCHA at all? Not even a basic one you've made yourself like 'What number is on the dice?' or something?

The only real way to prevent most spam is to use visible CAPTCHAs, which is why all of the big sites out there use them (Google, MSN, Yahoo,...). As far as I see it there are two kinds of spam bots out there (and I'm generalising greatly here):
- The ones that look for forms, fill them with crap, and post them. These are easily sorted with how you've dealt with the problem by hiding an input and checking its value to see if it has changed - although I suggest using a normal text input with a CSS class that hides it, a lot of the dumb spam bots just ignore hidden inputs - this may be causing some of your grief.
- Copying bots. These are a bit cleverer. From information I've gathered it seems that a few people have noticed that the spam begins when a human first visits the site and posts spam on their form. They're obviously recording some sort of macro and then creating a bot from it that repeats their actions.

One way I can think of to fix this (I may be over-complicating here) is to regularly change the field names. Set up a cron job that updates a database of random characters say once a day. Use these characters as pre/suffixes on your form names. That way your form names are constantly changing, so it should defeat a lot of the spam and remove the need for a visible CAPTCHA.

Another method (similar to the above) may be to use the system's time() as the suffix, or some other random string. Whack that into a hidden field (or a display:none; <input type="text" />) and then use it to read the other field names.

These are just suggestions for invisible CAPTCHAs that I've come up with on the spot, they may spark some better idea from other forum users.
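The rotating-field-name idea above, as an added example that is not mikemike's code: instead of a cron job and a database of random characters, the names are derived from an HMAC of a secret and the current day, so they change daily without storage and a bot that recorded yesterday's names cannot predict today's. The honeypot is a normal text input hidden by a CSS class, as suggested. The secret value and the field list are assumptions.

```php
// Added example: daily-rotating field names via HMAC plus a CSS-hidden honeypot.
// FORM_SECRET and FORM_FIELDS are assumptions; load the secret from config, not source.
const FORM_SECRET = 'replace-with-a-long-random-string';
const FORM_FIELDS = ['name', 'email', 'message', 'website'];   // 'website' is the honeypot

/** Day number used as the rotation bucket; names change at UTC midnight. */
function form_bucket(int $now): int { return intdiv($now, 86400); }

/** Unpredictable field name for a logical field within one bucket. */
function field_name(string $logical, int $bucket): string
{
    $tag = substr(hash_hmac('sha256', "$logical|$bucket", FORM_SECRET), 0, 8);
    return 'f_' . $tag;   // e.g. f_3a9c1e77: no hint of which field it is
}

/** Renders the form for the current bucket. */
function render_form(int $now): string
{
    $b    = form_bucket($now);
    $html = '<form method="post" action="handler.php">';
    foreach (FORM_FIELDS as $logical) {
        $n = htmlspecialchars(field_name($logical, $b), ENT_QUOTES);
        // The honeypot looks like any other input; a stylesheet rule .hp { display:none } hides it.
        $cls = $logical === 'website' ? ' class="hp" autocomplete="off" tabindex="-1"' : '';
        $html .= "<input type=\"text\" name=\"$n\"$cls>";
    }
    return $html . '<button type="submit">Send</button></form>';
}

/**
 * Maps posted rotating names back to logical names. Accepts the current and the
 * previous bucket so a form loaded just before midnight still submits.
 * Returns null when the names match neither bucket (stale, forged, or missing).
 */
function decode_post(array $post, int $now): ?array
{
    foreach ([form_bucket($now), form_bucket($now) - 1] as $b) {
        $out = [];
        foreach (FORM_FIELDS as $logical) {
            $n = field_name($logical, $b);
            if (!array_key_exists($n, $post)) { continue 2; }
            $out[$logical] = (string)$post[$n];
        }
        return $out;
    }
    return null;   // do not reach mail() for a post with unknown field names
}
```

A handler would call decode_post($_POST, time()), drop the request on null, then run the usual honeypot and header-injection checks on the returned logical fields.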

Re: Prevent Spambots in contact form?

Post by jayshields »

How do you know for sure that the spam emails are being sent from the form?

How do you know for sure that the spam emails that are still being received haven't been sent before the changes you've already made to the form? Emails can take a while to get delivered, especially when sent in bulk.

What type of spam messages are being received? If they are all in a similar vein (i.e. grilled spam) then just make a blacklist of keywords; if any of them is present in the message body, the email will not be sent.

Re: Prevent Spambots in contact form?

Post by LDM2009 »

I have static content in the body (i.e. You received an email from: ) and then the information is filled in with the form's content, that's how I know that the emails are being sent by the form.

I have changed the field names now. On the form, there was actually an option to carbon copy the user, which would then give the user the company email that it sends to so maybe that was a problem too (and then they would have the body content). I changed it to Bcc the company email address.

I will see if that helps, but I can't really stop them if they already have the email address, right? If there are spambots that regularly just send to the email address now... This form has been up on the website for a long time and I was asked to modify it so that they stop getting these spam emails, but if the email address is already part of a spambot's list, then I can't really help that, right...

Thanks for your replies!

Re: Prevent Spambots in contact form?

Post by LDM2009 »

We looked at the header of the spam email being sent and it seems that it is being sent by our server.... therefore from the form.

How can this still be happening? Even when I put in a check that '<' can't be in the content (just to test), there are still emails coming through that have '<a href' links in them?? I can't send them myself manually through the form....

Can spam robots actually skip conditional code and go straight to the 'mail' command?

Any help would be appreciated. I am v. confused with this!

Re: Prevent Spambots in contact form?

Post by mikemike »

What's the conditional check in? PHP or JS? If it's in JS then there is your problem...

Re: Prevent Spambots in contact form?

Post by LDM2009 »

No, it is in PHP.
The form page goes to a separate handler PHP page that will either send the mail or return to the form page with an error message. No JS is used.

Re: Prevent Spambots in contact form?

Post by mikemike »

Try renaming the PHP page, or even taking it offline for a few hours, to see if you still get emails.
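A code-level way to settle the same question as the rename test, as an added example and not the poster's handler: every request gets an ID that is written to a log line and stamped into the mail body, so a spam email that carries no ID, or an ID with no matching log line, demonstrably did not pass through this script, while a matching line shows exactly which fields the bot posted and why the checks did not fire. The log path, addresses and field names are assumptions; the inline checks are a minimal placeholder for the full list.

```php
// Added example, not the poster's handler. Log path, addresses and field names are assumed.
const FORM_LOG = __DIR__ . '/../logs/contact-form.log';  // keep the log outside the webroot

/** Random ID that ties one received email to one log line. */
function request_id(): string { return bin2hex(random_bytes(6)); }

/** Appends one JSON line per request. The message text itself is not logged. */
function log_request(string $id, array $post, array $reasons): void
{
    $entry = [
        'ts'      => gmdate('c'),
        'id'      => $id,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '-',
        'method'  => $_SERVER['REQUEST_METHOD'] ?? '-',
        'referer' => $_SERVER['HTTP_REFERER'] ?? '-',
        'ua'      => substr($_SERVER['HTTP_USER_AGENT'] ?? '-', 0, 120),
        'fields'  => array_keys($post),   // reveals bots that post unexpected field names
        'verdict' => $reasons === [] ? 'sent' : 'blocked',
        'reasons' => $reasons,
    ];
    file_put_contents(FORM_LOG, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);
}

$id      = request_id();
$name    = trim((string)($_POST['name'] ?? ''));
$email   = trim((string)($_POST['email'] ?? ''));
$message = (string)($_POST['message'] ?? '');

// Minimal checks so this file runs on its own; substitute the full check list here.
$reasons = [];
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $reasons[] = 'bad email'; }
if (preg_match('/[\r\n]/', $name . $email))              { $reasons[] = 'header injection'; }
if (($_POST['website'] ?? '') !== '')                     { $reasons[] = 'honeypot filled'; }

log_request($id, $_POST, $reasons);   // logged before the decision branches, never skipped

if ($reasons !== []) {
    header('Location: contact.php?error=1');
    exit;
}
// mail() is reachable only here. Headers come from validated values; the ID in the
// body is what the client greps for in FORM_LOG when the next spam email arrives.
$body    = "You received an email from: $name <$email>\n\n$message\n\n[form request id: $id]";
$headers = "From: contact-form@example.com\r\nReply-To: $email\r\n";
mail('client@example.com', 'Contact form message', $body, $headers);
```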