form spam

Posted: Fri Mar 09, 2007 10:32 pm
by kippy
I went in and created a mini captcha version for a quote form I have on my site. I hoped this would prevent the incoming spam entries, but it has not. I am thinking that they are using a different version of my send_form.php...any suggestions to secure a script from outsiders? I am hoping there is a way to lock down scripts for only my site to access...may just be me dreaming, but I would love to stop spam. Look forward to any suggestions.....

Posted: Fri Mar 09, 2007 10:35 pm
by aaronhall
Are you certain that the spammer isn't human? CAPTCHA tests are good at deterring robots as long as they're set up correctly, but they can't determine if the person behind the monitor intends to solicit you.

Posted: Fri Mar 09, 2007 10:43 pm
by kippy
Well, I guess there is no way for me to know for sure...but based on the frequency of the spam entries (emails) it has to be a bot. Is it possible for someone to go around and send emails through the mail($to, $subject, $msg, $mailheaders); functionality?

Posted: Fri Mar 09, 2007 10:50 pm
by feyd
If your script leaves the hole, it can be exploited.

Posted: Fri Mar 09, 2007 10:56 pm
by kippy
what about storing the script(s) in the cgi-bin folder? Also, is there a preferred permission setting for this folder?

Posted: Fri Mar 09, 2007 11:06 pm
by feyd
Where you store the script and how you store it rarely affect holes that are in the script itself.

Posted: Fri Mar 09, 2007 11:10 pm
by kippy
so if i validate all input fields, it should prevent this sort of thing from happening?

Posted: Fri Mar 09, 2007 11:33 pm
by feyd
It'll certainly help prevent such things.

Posted: Sat Mar 10, 2007 3:13 am
by louie35
I wrote a few things about preventing spam through your forms. It might be of use to you to have a look.

Prevent Spam

Posted: Sat Mar 10, 2007 9:03 am
by kippy
Here is my concern...I watched the entries come in last night and the bot/person has to be using another form. The reason I say this is because I placed a maxlength limit on all of the fields the spammer(s) are using to insert links. These fields are not being restricted to the maxlength set. When I use the form, it appears to work properly with the captcha system I set up, plus the fields follow the maxlength set. Any thoughts?

Posted: Sat Mar 10, 2007 10:53 am
by louie35
Use PHP to get the length of the string, and if it is bigger than the one set up, reject the email.

if(strlen($field_name) > 100){//your limit
  //do your rejection here
  echo "<fieldset><legend style='color:red;background-color:yellow'>Attention</legend>
            Probably you are an automated x-mailer, so keep away. Thanks.
            </fieldset>";
}
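
Added example, not part of the original thread and not any poster's code: the server-side checks discussed above, gathered into one handler-side function that does not rely on the HTML form at all. The field names, the limits, the session-stored CAPTCHA value and the sample input are assumptions made for illustration.

```php
<?php
// Assumed field names and limits; adjust to the real form.
const LIMITS = ['name' => 100, 'email' => 254, 'message' => 2000];

// Returns the list of rejected fields; an empty array means the
// submission may be passed on to mail().
function validate_submission(array $post, ?string $expectedCaptcha): array
{
    $errors = [];

    // The CAPTCHA answer is compared here, on the server, against the value
    // stored in the session when the image was generated. A request sent
    // straight to the handler never loads the form page, so a missing
    // expected value is treated as a failure.
    $given = isset($post['captcha']) && is_string($post['captcha']) ? $post['captcha'] : '';
    if ($expectedCaptcha === null || $given === '' || !hash_equals($expectedCaptcha, $given)) {
        $errors[] = 'captcha';
    }

    foreach (LIMITS as $field => $max) {
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        // maxlength in the HTML is only a browser hint; enforce it again here.
        if ($value === '' || strlen($value) > $max) {
            $errors[] = $field;
            continue;
        }
        // Anything that ends up in $to, $subject or $mailheaders must be a
        // single line, so reject CR and LF in those fields.
        if ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            $errors[] = $field;
        }
    }

    if (!in_array('email', $errors, true)
        && filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return $errors;
}

// Constructed sample: a POST sent without the form, so maxlength and the
// CAPTCHA shown in the page were never applied by a browser.
$sample = [
    'name'    => str_repeat('A', 300),
    'email'   => "x@example.com\r\nX-Extra: 1",
    'message' => 'hello',
    'captcha' => 'wrong',
];
print_r(validate_submission($sample, 'k7p2q'));
```

In send_form.php this would be called with `$_POST` and the CAPTCHA value kept in `$_SESSION`, and mail() would be reached only when the returned array is empty.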