Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 12:08 am
by webbiz
I have a form that you fill out with name and email address.
This form also contains a text box where you must enter an answer to a question shown.
Unless you enter the correct answer, SUBMIT will not proceed.
Simple, right?
I thought so, until I noticed that I'm still getting spam from bots that aren't filling in the text box with anything and are still able to submit my form. I don't get it. How are they able to bypass the SUBMIT?
Thanks.
Webbiz
Re: Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 12:31 am
by s.dot
Show us your code.
Re: Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 12:50 am
by webbiz
Okay, here is the code:
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Registration Request Form</title>
<script type="text/JavaScript" src="_nav.js"></script>
<link href="_screen.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" language="JavaScript">
function TestAddr()
{
if ( document.keyform.id_products.value == 'CHOOSE ONE' )
{
return false;
}
var guessstr = document.keyform.guess.value;
if (guessstr.toLowerCase() == 'down')
{
return true;
}
else
{
return false;
}
}
</script>
</head>
<body onLoad="MM_preloadImages('images/services_o.gif','images/forcasting_o.gif','images/success_o.gif','images/resources_o.gif','images/articles_o.gif')">
<div id="container">
<div id="head">
<?php include("_head.php"); ?>
</div>
<div id="contentWrap">
<div id="imgRight"><img src="images/img_right_home.jpg" alt="image" width="307" height="246" /></div>
<div class="pageHeading"><img src="images/h_regkey.jpg" alt="Contact Us" width="943" height="76" title="Know in Advance" /></div>
<div class="clr"></div>
<div id="contentLeft">
<h1>Software Registration Request Form</h1>
<p>To receive a Registration Key, you must have purchased the software that you are requesting a key for.<br />
This form is NOT used to request free software. Please enter your name EXACTLY as was used to originally<br />
purchase the software for verification purposes.</p>
<br />
<table width="593" border="0" cellpadding="0" cellspacing="0">
<!-- STEP 1: Direct the form to the FormMail program (AAforms.php) and give the form a name. -->
<form method="post" action="http://www.wishanabie.com/ABforms.php" name="keyform" onSubmit="return TestAddr()" >
<!-- STEP 3: Provide the email address to send the results to. Email address has a modification to prevent spamming. -->
<input type="hidden" name="recipients" value="rickfy.com">
<!-- This provides a SUBJECT title in the email sent out. -->
<input type="hidden" name="subject" value="REGISTRATION-KEY REQ." />
<!-- STEP 4: Specify that a template is to be used and the name of the template. -->
<input type="hidden" name="mail_options" value="PlainTemplate=regkey.txt, TemplateMissing=" />
<!-- STEP 5: Create a derived field (such as Date) to be available for the template page -->
<input type="hidden" name="derive_fields" value="Date = %date%" />
<!-- STEP 6: Provide the redirect form that shows up when the form has been submitted without error. -->
<input type="hidden" name="good_url" value="http://wishanabie.com/secure/whitelist.php" />
<input type="hidden" name="requiredfields" value="Name, email, id_products, guess" />
<tr>
<td width="141" valign="top"><strong>Name:</strong></td>
<td colspan="2" valign="top">
<input type="text" name="Name" size="32" id="Name"/></td>
</tr>
<tr>
<td valign="top"><strong>Email:</strong></td>
<td colspan="2" valign="top"><input type="text" name="email" id="email"/></td>
</tr>
<tr>
<td valign="top"><strong>Hardware </strong></td>
<td width="232" valign="top">
<input type="text" name="id_HF" id="id_HF"/> </td>
<td width="220" valign="top"><a href="http://www.wishanabie.com/videos/hardware/hardware.html" target="_blank">How to find Hardware </a></td>
</tr>
<tr>
<td valign="top"><strong>Product:</strong></td>
<td colspan="2" valign="top"><select name="id_products" id="id_products">
<option value="CHOOSE ONE" selected="selected">CHOOSE ONE...</option>
<option value="Charting "> Charting (HF)</option>
<option value="FD v8">FD v8.x (HF)</option>
<option value="FD 2009">FD v2009 (HF)</option>
<option value="Cep">Cep (HF)</option>
<option value="Square ">Square v3.x</option>
<option value="Num">Num v2.x</option>
<option value="OnTop">OnTop</option>
<option value="Edge">Edge</option>
</select> </td>
</tr>
<tr>
<td valign="middle"> </td>
<td colspan="2" valign="top">
<tr>
<td valign="top"><div align="center">Please complete this saying before clicking Submit button.</div></td>
<td colspan="2" valign="top"><p>
<p>
<label>WHAT GOES UP MUST COME
<input name="guess" type="text" id="guess" value="" />
</label>
<p>
<input type="submit" value="Submit" name="Submit" class="submit" />
</form></td>
<td height="2"></tr>
</table>
<h2>ABOUT YOUR REGISTRATION-KEY and HARDWARE FINGERPRINT</h2>
</div>
<div id="contentRightWrap">
<div class="contentRight"><div class="quoteRight"><span>“</span> Wow! Cotton is cool!. Sweet! <span>”</span>
</div>
<p align="right"><a href="success-stories.php">read more success stories</a>
<span class="point">»</span></p>
</div>
<div class="clr"></div>
<div class="contentRightHR"></div>
<div class="contentRight">
<!--<h2>Lorem Ipsum Dolor!</h2>
<div class="formRight">
<?php //include("_form_right.php"); ?>
</div>//-->
</div>
<div class="clr"></div>
</div>
<div class="clr"></div>
</div>
<div id="contentBottom"></div>
<div class="clr"></div>
</div>
<div id="foot">
<?php include("_foot.php"); ?>
</div>
</body>
</html>
Re: Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 3:21 pm
by Weirdan
Bots do not execute JavaScript, thus any JavaScript-only check (like yours) is useless.
Re: Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 4:53 pm
by webbiz
Ok, but that doesn't answer the question though.
How are bots able to execute the form without clicking on my SUBMIT button? Since the code is designed to kick off an email when the SUBMIT button is clicked with onclick=true, that in itself should turn the javascript check.
That's the question.

Re: Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 6:42 pm
by cpetercarter
They don't execute the form on your site. They just send a load of POST data direct to your script (http://www.wishanabie.com/ABforms.php).
You need something at the server (i.e. in ABforms.php) which rejects POST data which does not meet certain criteria, e.g. which lacks an answer to your secret question, or which does not contain a secure authorisation code.
Re: Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 9:18 pm
by ell0bo
Another way to deal with it is to put text inputs on the form, but mark them as 'display: none' so no human will see them. If that field is populated, then you reject the POST entirely. You can then use the JavaScript to populate another field with some data on submit. It's not foolproof, but it's a quick fix.
Re: Dealing with Spam Bots and Forms
Posted: Sat Mar 20, 2010 11:37 pm
by s.dot
Use javascript for convenience, ALWAYS have server-side checking.
"How are bots able to execute the form without clicking on my SUBMIT button? Since the code is designed to kick off an email when the SUBMIT button is clicked with onclick=true, that in itself should turn the javascript check."
Turn javascript off in your browser, and submit the form. You will see what the bots do.

Re: Dealing with Spam Bots and Forms
Posted: Sun Mar 21, 2010 2:02 am
by webbiz
Yes, I tried the invisible text box trick but it didn't work because it also depended on the javascript.
What I did not know is that the bots go directly at the ABforms.php bypassing my mainform.php.
So the solution sounds like what was suggested, to add something in ABforms.php.
Could someone suggest what I could add to ABforms.php? I'm a programmer, but not yet fully versed on php. I can read the code and figure it out, but the tricks I could use suggestions for at this time.
Thanks for all the replies!
Webbiz
Re: Dealing with Spam Bots and Forms
Posted: Sun Mar 21, 2010 2:47 am
by cpetercarter
There are obviously several possible ways of tackling the problem. One would be to use the feature which is already on your form - the question to which humans know the answer but computers don't. You might add this at the beginning of the script which handles your form.
Code:
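// Reject any POST whose answer to the form's question is missing or wrong.
$correct_answer = "down";
$guess = isset($_POST['guess']) && is_string($_POST['guess']) ? strtolower(trim($_POST['guess'])) : '';
// Compare case-insensitively, as the form's JavaScript check does.
if ($guess !== $correct_answer) {
die ("GET LOST YOU NASTY SPAMMING ROBOT");
}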
Security experts will tell you that this is not security, it is obscurity. Someone could programme the correct answer into a bot, which could continue to send you spam. But probably they won't. And if they do, you can change your question.
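The server-side checks suggested in this thread, combined in one added example that is not part of the original posts or of ABforms.php: the answer check, the hidden field that must stay empty, and a signed, time-limited token as one form of the "authorisation code" mentioned earlier. The `website` and `token` field names, the secret and the time limits are assumptions; the other field names come from the form posted above.

```php
<?php
// Added example: server-side checks for a form handler such as ABforms.php.
// FORM_SECRET, the "website" honeypot field and the "token" field are assumptions.
const FORM_SECRET = 'replace-with-a-long-random-server-side-value';
const MIN_FILL_SECONDS = 3;     // a human needs a few seconds to fill the form
const MAX_TOKEN_AGE = 3600;     // tokens older than an hour are rejected

// Called by the page that renders the form; the result goes in a hidden "token" field.
function issue_token(int $now): string {
    return $now . ':' . hash_hmac('sha256', (string)$now, FORM_SECRET);
}

// True only if the token was issued by this server and its age is plausible.
function token_is_valid($token, int $now): bool {
    if (!is_string($token) || substr_count($token, ':') !== 1) return false;
    [$issued, $mac] = explode(':', $token);
    if (!ctype_digit($issued)) return false;
    $expected = hash_hmac('sha256', $issued, FORM_SECRET);
    $age = $now - (int)$issued;
    return hash_equals($expected, $mac) && $age >= MIN_FILL_SECONDS && $age <= MAX_TOKEN_AGE;
}

// Returns null if the POST should be accepted, otherwise the reason it was rejected.
function reject_reason(array $post, int $now): ?string {
    foreach (['Name', 'email', 'id_products', 'guess'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return "missing field: $field";
        }
    }
    if ($post['id_products'] === 'CHOOSE ONE') return 'no product chosen';
    if (strtolower(trim($post['guess'])) !== 'down') return 'wrong answer';
    if (($post['website'] ?? '') !== '') return 'honeypot filled';   // hidden with display: none
    if (!token_is_valid($post['token'] ?? null, $now)) return 'bad or stale token';
    return null;
}

// Constructed sample submissions (not real traffic).
$now = 1269136020;
$human = ['Name' => 'A. Customer', 'email' => 'a@example.com', 'id_products' => 'Edge',
          'guess' => 'Down', 'website' => '', 'token' => issue_token($now - 40)];
$bot_direct = ['Name' => 'x', 'email' => 'x@example.com', 'id_products' => 'Edge'];
$bot_filler = ['website' => 'http://spam.example/'] + $human;
$bot_replay = ['token' => issue_token($now - 7200)] + $human;

foreach (compact('human', 'bot_direct', 'bot_filler', 'bot_replay') as $name => $post) {
    echo str_pad($name, 12), reject_reason($post, $now) ?? 'accepted', "\n";
}
```

The token only shows that the form page was fetched from this server within the last hour, so a bot that loads the form before posting can still obtain one; it filters out blind POSTs sent straight to the handler.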
Re: Dealing with Spam Bots and Forms
Posted: Sun Mar 21, 2010 3:09 pm
by webbiz
Thanks a bunch! This gives me a direction to go with.

Webbiz
Re: Dealing with Spam Bots and Forms
Posted: Sun Mar 21, 2010 5:36 pm
by s.dot
How about implementing a CAPTCHA?
Re: Dealing with Spam Bots and Forms
Posted: Sun Mar 21, 2010 7:38 pm
by webbiz
Tried that and kept running into difficulty setting it up. So I gave up.
