Spam Bots

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

REwingUK
Forum Commoner
Posts: 26
Joined: Wed Jul 29, 2009 8:46 pm

Spam Bots

Post by REwingUK »

Basically I have a form on my website that submits an email. I have a captcha on the form, but still they seem to send messages through it.

Setting the form into a <div> and setting the style to style='display:none', will this stop the spam bots?

Or can you suggest any better ways to protect my site from spam bots?

E.g. of what they send:

Name: peplsvcxb
Email: ZlIonkQyfGPDm
Telephone Number: iuyLXiUjjSJxHYaf
Message: REQ5XN <a href=\"http://spam.com/\">ymgvinahvefl</a>, lpejzyspfayj, [link=http://spam.com/]udykuehlwkmo[/link], http://spam.com/
Last edited by Weirdan on Wed Aug 05, 2009 9:48 am, edited 1 time in total.
Reason: Removed actual links. No need to raise their pagerank.
William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Re: Spam Bots

Post by William »

REwingUK wrote: Basically I have a form on my website that submits an email. I have a captcha on the form, but still they seem to send messages through it.

Setting the form into a <div> and setting the style to style='display:none', will this stop the spam bots?

Or can you suggest any better ways to protect my site from spam bots?

E.g. of what they send:

Name: peplsvcxb
Email: ZlIonkQyfGPDm
Telephone Number: iuyLXiUjjSJxHYaf
Message: REQ5XN <a href=\"http://spam.com/\">ymgvinahvefl</a>, lpejzyspfayj, [link=http://spam.com/]udykuehlwkmo[/link], http://spam.com/

Hiding the div via CSS won't matter. CSS is for rendering; I highly doubt the bot actually renders your style sheet to submit your form.

Are you using your own custom captcha or a script?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Spam Bots

Post by Mordred »

superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Spam Bots

Post by superdezign »

There's also a sneaky trick that has gained widespread popularity on the internet. The hidden input element.

Code:

<form>
  ...
  <input type="text" name="spam-catcher" id="spam-catcher" />
</form>

Code:

#spam-catcher {
  display: none;
}

Code:

if (empty($_POST['spam-catcher'])) {
  // Send e-mail
}
 
echo 'E-mail sent!'; // Even if it wasn't due to the spam catcher
Bots fill all form elements because they assume everything is required. If they fill your spam-catcher element, you'll know that they are not human. Quick and easy.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Spam Bots

Post by jackpf »

That's quite clever :D

You've redeemed yourself regarding the "genii" incident :P
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Spam Bots

Post by superdezign »

jackpf wrote:You've redeemed yourself regarding the "genii" incident :P
:mrgreen:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Spam Bots

Post by kaisellgren »

The hidden form field works for bots that have no particular target. I bet your CAPTCHA is weak. Mordred suggested using reCAPTCHA, which should eliminate 99% of automated queries you receive. Try using reCAPTCHA and see if there's a difference (should be).
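
As an added example, not part of the original thread or any poster's code: the hidden-field check from superdezign's post combined with two checks drawn from the sample submission in the first post. Only `spam-catcher` comes from the thread; the `name`, `email` and `message` field names, the URL threshold and the `spam_reasons()` helper are assumptions.

```php
<?php
// Added example. Only 'spam-catcher' comes from the thread; the other field
// names and the URL threshold are assumptions.

/** Reasons a submission looks automated; an empty array means accept it. */
function spam_reasons(array $post): array
{
    // Treat missing or non-string values (e.g. email[]=x) as empty strings.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $reasons = [];

    // Honeypot: the field is hidden from humans, so any value came from a bot.
    if (trim($field('spam-catcher')) !== '') {
        $reasons[] = 'honeypot filled';
    }
    // The sample spam put a random string in the e-mail field.
    if (filter_var($field('email'), FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'invalid e-mail address';
    }
    // The sample spam repeated one link as HTML, BBCode and a bare URL.
    $message = $field('message');
    if (preg_match('/<a\s[^>]*href|\[(?:link|url)=/i', $message) === 1) {
        $reasons[] = 'link markup in a plain-text message';
    }
    if (preg_match_all('#https?://#i', $message) > 2) {
        $reasons[] = 'more than two URLs';
    }
    return $reasons;
}

// Constructed input modelled on the sample in the first post.
$sample = [
    'name'         => 'peplsvcxb',
    'email'        => 'ZlIonkQyfGPDm',
    'message'      => 'REQ5XN <a href="http://spam.com/">x</a>, [link=http://spam.com/]y[/link], http://spam.com/',
    'spam-catcher' => 'iuyLXiUjjSJxHYaf',
];

$reasons = spam_reasons($sample);
if ($reasons === []) {
    echo "accepted: send the e-mail here\n";
} else {
    // Record why server-side, but show the same message a real sender sees.
    error_log('contact form rejected: ' . implode(', ', $reasons));
    echo "E-mail sent!\n";
}
```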