Dealing with Spam Bots and Forms
I have a form that you fill out with name and email address.
This form also contains a text box where you must enter an answer to a question shown.
Unless you enter the correct answer, SUBMIT will not proceed.
Simple, right?
I thought so, until I noticed that I'm still getting spam from bots that aren't filling in the text box with anything and still able to submit my form. I don't get it. How are they able to bypass the SUBMIT?
Thanks.
Webbiz
Re: Dealing with Spam Bots and Forms
Show us your code.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Re: Dealing with Spam Bots and Forms
Okay, here is the code:
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Registration Request Form</title>
<script type="text/JavaScript" src="_nav.js"></script>
<link href="_screen.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" language="JavaScript">
function TestAddr()
{
    if ( document.keyform.id_products.value == 'CHOOSE ONE' )
    {
        return false;
    }
    var guessstr = document.keyform.guess.value;
    if (guessstr.toLowerCase() == 'down')
    {
        return true;
    }
    else
    {
        return false;
    }
}
</script>
</head>
<body onLoad="MM_preloadImages('images/services_o.gif','images/forcasting_o.gif','images/success_o.gif','images/resources_o.gif','images/articles_o.gif')">
<div id="container">
<div id="head">
<?php include("_head.php"); ?>
</div>
<div id="contentWrap">
<div id="imgRight"><img src="images/img_right_home.jpg" alt="image" width="307" height="246" /></div>
<div class="pageHeading"><img src="images/h_regkey.jpg" alt="Contact Us" width="943" height="76" title="Know in Advance" /></div>
<div class="clr"></div>
<div id="contentLeft">
<h1>Software Registration Request Form</h1>
<p>To receive a Registration Key, you must have purchased the software that you are requesting a key for.<br />
This form is NOT used to request free software. Please enter your name EXACTLY as was used to originally<br />
purchase the software for verification purposes.</p>
<br />
<table width="593" border="0" cellpadding="0" cellspacing="0">
<!-- STEP 1: Direct the form to the FormMail program (AAforms.php) and give the form a name. -->
<form method="post" action="http://www.wishanabie.com/ABforms.php" name="keyform" onSubmit="return TestAddr()" >
<!-- STEP 3: Provide the email address to send the results to. Email address has a modification to prevent spamming. -->
<input type="hidden" name="recipients" value="rickfy.com">
<!-- This provides a SUBJECT title in the email sent out. -->
<input type="hidden" name="subject" value="REGISTRATION-KEY REQ." />
<!-- STEP 4: Specify that a template is to be used and the name of the template. -->
<input type="hidden" name="mail_options" value="PlainTemplate=regkey.txt, TemplateMissing=" />
<!-- STEP 5: Create a derived field (such as Date) to be available for the template page -->
<input type="hidden" name="derive_fields" value="Date = %date%" />
<!-- STEP 6: Provide the redirect form that shows up when the form has been submitted without error. -->
<input type="hidden" name="good_url" value="http://wishanabie.com/secure/whitelist.php" />
<input type="hidden" name="requiredfields" value="Name, email, id_products, guess" />
<tr>
<td width="141" valign="top"><strong>Name:</strong></td>
<td colspan="2" valign="top">
<input type="text" name="Name" size="32" id="Name"/></td>
</tr>
<tr>
<td valign="top"><strong>Email:</strong></td>
<td colspan="2" valign="top"><input type="text" name="email" id="email"/></td>
</tr>
<tr>
<td valign="top"><strong>Hardware </strong></td>
<td width="232" valign="top">
<input type="text" name="id_HF" id="id_HF"/> </td>
<td width="220" valign="top"><a href="http://www.wishanabie.com/videos/hardware/hardware.html" target="_blank">How to find Hardware </a></td>
</tr>
<tr>
<td valign="top"><strong>Product:</strong></td>
<td colspan="2" valign="top"><select name="id_products" id="id_products">
<option value="CHOOSE ONE" selected="selected">CHOOSE ONE...</option>
<option value="Charting "> Charting (HF)</option>
<option value="FD v8">FD v8.x (HF)</option>
<option value="FD 2009">FD v2009 (HF)</option>
<option value="Cep">Cep (HF)</option>
<option value="Square ">Square v3.x</option>
<option value="Num">Num v2.x</option>
<option value="OnTop">OnTop</option>
<option value="Edge">Edge</option>
</select> </td>
</tr>
<tr>
<td valign="middle"> </td>
<td colspan="2" valign="top">
<tr>
<td valign="top"><div align="center">Please complete this saying before clicking Submit button.</div></td>
<td colspan="2" valign="top"><p>
<p>
<label>WHAT GOES UP MUST COME
<input name="guess" type="text" id="guess" value="" />
</label>
<p>
<input type="submit" value="Submit" name="Submit" class="submit" />
</form></td>
<td height="2"></tr>
</table>
<h2>ABOUT YOUR REGISTRATION-KEY and HARDWARE FINGERPRINT</h2>
</div>
<div id="contentRightWrap">
<div class="contentRight"><div class="quoteRight"><span>“</span> Wow! Cotton is cool!. Sweet! <span>”</span>
</div>
<p align="right"><a href="success-stories.php">read more success stories</a>
<span class="point">»</span></p>
</div>
<div class="clr"></div>
<div class="contentRightHR"></div>
<div class="contentRight">
<!--<h2>Lorem Ipsum Dolor!</h2>
<div class="formRight">
<?php //include("_form_right.php"); ?>
</div>//-->
</div>
<div class="clr"></div>
</div>
<div class="clr"></div>
</div>
<div id="contentBottom"></div>
<div class="clr"></div>
</div>
<div id="foot">
<?php include("_foot.php"); ?>
</div>
</body>
</html>
Re: Dealing with Spam Bots and Forms
Bots do not execute JavaScript, thus any JavaScript-only check (like yours) is useless.
Re: Dealing with Spam Bots and Forms
Ok, but that doesn't answer the question though.
How are bots able to execute the form without clicking on my SUBMIT button? Since the code is designed to kick off an email when the SUBMIT button is clicked with onclick=true, that in itself should turn the javascript check.
That's the question.
-
cpetercarter
- Forum Contributor
- Posts: 474
- Joined: Sat Jul 25, 2009 2:00 am
Re: Dealing with Spam Bots and Forms
They don't execute the form on your site. They just send a load of POST data direct to your script (http://www.wishanabie.com/ABforms.php).
You need something at the server (i.e. in ABforms.php) which rejects POST data which does not meet certain criteria, e.g. which lacks an answer to your secret question, or which does not contain a secure authorisation code.
Re: Dealing with Spam Bots and Forms
Another way to deal with it is to put text inputs on the form, but mark them as 'display: none' so no human will see them. If that field is populated, then you reject the POST entirely. You can then use the JavaScript to populate another field with some data on submit. It's not foolproof, but it's a quick fix.
Re: Dealing with Spam Bots and Forms
Use javascript for convenience, ALWAYS have server-side checking.

Turn javascript off in your browser, and submit the form. You will see what the bots do.
Re: Dealing with Spam Bots and Forms
Yes, I tried the invisible text box trick but it didn't work because it also depended on the javascript.
What I did not know is that the bots go directly at the ABforms.php bypassing my mainform.php.
So the solution sounds like what was suggested, to add something in ABforms.php.
Could someone suggest what I could add to ABforms.php? I'm a programmer, but not yet fully versed on php. I can read the code and figure it out, but the tricks I could use suggestions for at this time.
Thanks for all the replies!
Webbiz
-
cpetercarter
- Forum Contributor
- Posts: 474
- Joined: Sat Jul 25, 2009 2:00 am
Re: Dealing with Spam Bots and Forms
There are obviously several possible ways of tackling the problem. One would be to use the feature which is already on your form - the question to which humans know the answer but computers don't. You might add this at the beginning of the script which handles your form.
Security experts will tell you that this is not security, it is obscurity. Someone could programme the correct answer into a bot, which could continue to send you spam. But probably they won't. And if they do, you can change your question.
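Code:
// Reject any POST that does not carry the right answer to the form's question.
$correct_answer = "down";
// Normalise like the form's JavaScript does (case-insensitive), and treat a non-string value as empty.
$guess = (isset($_POST['guess']) && is_string($_POST['guess'])) ? strtolower(trim($_POST['guess'])) : '';
if ($guess !== $correct_answer) {
    die("GET LOST YOU NASTY SPAMMING ROBOT");
}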
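A server-side check combining the ideas raised in this thread (the question, a hidden field that must stay empty, and an authorisation code), as an added example that is not from any poster and not taken from ABforms.php. The field names `website` and `form_token`, the secret, and the time limits are assumptions.

```php
<?php
// Assumed additions to the form page (hypothetical field names):
//   <input type="text" name="website" value="" style="display:none">
//   <input type="hidden" name="form_token" value="...issue_form_token(time())...">
const FORM_SECRET  = 'replace-with-a-long-random-server-side-secret'; // placeholder
const MIN_FILL_SEC = 3;     // assumed: faster than this is not a human typing
const MAX_AGE_SEC  = 3600;  // assumed: tokens expire after one hour

// Called by the page that renders the form; the result goes in the hidden input.
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Called first thing in the form handler. Returns null when the POST is
// acceptable, otherwise a short reason suitable for a log line.
function reject_reason(array $post, int $now): ?string
{
    // 1. Honeypot: hidden with CSS, so a real browser submits it empty.
    if (!isset($post['website']) || $post['website'] !== '') {
        return 'honeypot';
    }
    // 2. Token: shows the form page was fetched from this server recently.
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return 'token-missing';
    }
    if (!hash_equals(hash_hmac('sha256', $m[1], FORM_SECRET), $m[2])) {
        return 'token-forged';
    }
    $age = $now - (int) $m[1];
    if ($age < MIN_FILL_SEC || $age > MAX_AGE_SEC) {
        return 'token-age';
    }
    // 3. The form's question, compared case-insensitively like the JavaScript.
    $guess = $post['guess'] ?? '';
    if (!is_string($guess) || strtolower(trim($guess)) !== 'down') {
        return 'wrong-answer';
    }
    return null;
}

// Constructed sample input: a direct POST that never loaded the form page,
// then a browser submission made ten seconds after the form was rendered.
$now   = time();
$bot   = ['Name' => 'x', 'email' => 'x@example.com', 'guess' => ''];
$human = ['Name' => 'A', 'email' => 'a@example.com', 'website' => '',
          'form_token' => issue_form_token($now - 10), 'guess' => 'Down'];
var_dump(reject_reason($bot, $now), reject_reason($human, $now));
```

The token can be replayed until it expires, so a bot that fetches the form page first still gets through; like the question, it raises the cost of spamming rather than proving a human is present.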
Re: Dealing with Spam Bots and Forms
Thanks a bunch! This gives me a direction to go with.

Webbiz
Re: Dealing with Spam Bots and Forms
How about implementing a CAPTCHA?
Re: Dealing with Spam Bots and Forms
Tried that and kept running into difficulty setting it up. So I gave up. 