HighDots Forums  

Protecting Forms from spam

#1 darrel
Protecting Forms from spam - 11-04-2004, 12:22 PM

When we redid our web site we removed all email links and instead are
sending all email inquiries via a form on the site.

This has reduced email harvesting by spammers, but now we're getting spam
via the form itself. Are there any methods for preventing this automated
spam-bots submitting via forms?

One thought was to restrict the submissions to one per IP address per minute
or something...I'm trying to think of some alternative options as well.

-Darrel




#2 Joe Makowiec
Re: Protecting Forms from spam - 11-04-2004, 12:29 PM

On Thu 04 Nov 2004 12:22:40p, darrel wrote in macromedia.dreamweaver:

Quote:
> When we redid our web site we removed all email links and instead are
> sending all email inquiries via a form on the site.
>
> This has reduced email harvesting by spammers, but now we're getting
> spam via the form itself. Are there any methods for preventing this
> automated spam-bots submitting via forms?
>
> One thought was to restrict the submissions to one per IP address per
> minute or something...I'm trying to think of some alternative options
> as well.

What script are you using? If it's a well-known one, they may be
exploiting the script itself, rather than using the form.


#3 Thierry Koblentz
Re: Protecting Forms from spam - 11-04-2004, 12:29 PM

Hi Darrel,
Did you try to use a text box within the form where the user would
have to enter a particular string of characters.
If the string doesn't exist or doesn't match the form wouldn't submit.

Thierry

darrel wrote:
Quote:
> When we redid our web site we removed all email links and instead are
> sending all email inquiries via a form on the site.
>
> This has reduced email harvesting by spammers, but now we're getting
> spam via the form itself. Are there any methods for preventing this
> automated spam-bots submitting via forms?
>
> One thought was to restrict the submissions to one per IP address per
> minute or something...I'm trying to think of some alternative options
> as well.
>
> -Darrel



#4 Joe Makowiec
Re: Protecting Forms from spam - 11-04-2004, 12:31 PM

On Thu 04 Nov 2004 12:29:34p, Joe Makowiec wrote in macromedia.dreamweaver:

Quote:
> What script are you using? If it's a well-known one, they may be
> exploiting the script itself, rather than using the form.

And further - is it one of those scripts which puts the 'To' address in a
hidden field?


#5 darrel
Re: Protecting Forms from spam - 11-04-2004, 12:49 PM

Quote:
> What script are you using? If it's a well-known one, they may be
> exploiting the script itself, rather than using the form.

It's our own script done via .net. It's pulling pertinent info from a
database and formatting and sending the email all on the server. From what I
can tell, it's simply an auto-submission.

-Darrel




#6 darrel
Re: Protecting Forms from spam - 11-04-2004, 12:51 PM

Quote:
> And further - is it one of those scripts which puts the 'To' address in a
> hidden field?

Nope. Here's the form:

http://www.courts.state.mn.us/contact

If you view the source, there's nothing that would allow any sort of
submission of data without using the page itself, so I don't think it's
anything circumventing the form itself, but rather submitting the form
automatically.

-Darrel




#7 darrel
Re: Protecting Forms from spam - 11-04-2004, 12:53 PM

Quote:
> Hi Darrel,
> Did you try to use a text box within the form where the user would
> have to enter a particular string of characters.
> If the string doesn't exist or doesn't match the form wouldn't submit.

Yea, I could do that, but that's such a pain for the end user. Plus, this is
a public web site and needs to be as accessible as possible, so I really
want to avoid having to do this. I'd rather resort to email filtering on my
end before having to add more hurdles for the end user.

That said, our IT group is still unable to install spam filtering for us
(don't get me started on that one!) so that solution might be slow in
coming.

-Darrel




#8 Michael Fesser
Re: Protecting Forms from spam - 11-04-2004, 01:01 PM

.oO(darrel)

Quote:
> When we redid our web site we removed all email links and instead are
> sending all email inquiries via a form on the site.
>
> This has reduced email harvesting by spammers, but now we're getting spam
> via the form itself. Are there any methods for preventing this automated
> spam-bots submitting via forms?
>
> One thought was to restrict the submissions to one per IP address per minute
> or something...I'm trying to think of some alternative options as well.

Forget IP-blocking, it makes no sense and might block the wrong people
(hint: proxy servers). Another idea:

Use a challenge. When requesting the form a script generates a random
key (MD5-hash for example), stores it in a database with a timestamp and
also in a hidden field in the form. After receiving some form data the
processing script checks the submitted challenge against the stored ones
in the database if it's (still) valid. If yes the submission is accepted
and the key removed from the db, if not the data is ignored. One key is
valid for exactly one submission. Make sure the form-page is not
cacheable by the browser.

But even this is no 100% protection.

Micha
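
The one-time key scheme described in the post above, as an added example that is not code from the thread. It assumes Python with SQLite standing in for the database and `secrets.token_urlsafe` swapped in for the MD5 hash; the class, function and field names and the 15-minute lifetime are all hypothetical.

```python
import secrets
import sqlite3
import time

TTL_SECONDS = 15 * 60  # assumed lifetime; the post only says keys carry a timestamp


class ChallengeStore:
    """One-time form keys kept server-side (SQLite stands in for 'the database')."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE challenge (key TEXT PRIMARY KEY, issued REAL)")

    def issue(self):
        """Called when the form is requested: create, store and return a fresh key."""
        key = secrets.token_urlsafe(32)  # CSPRNG output instead of an MD5 hash
        self.db.execute("INSERT INTO challenge VALUES (?, ?)", (key, self.clock()))
        self.db.commit()
        return key

    def redeem(self, key):
        """Called on POST: accept a key once, and only while it is still fresh."""
        now = self.clock()
        # Drop expired keys first so the table cannot grow without bound.
        self.db.execute("DELETE FROM challenge WHERE issued < ?", (now - self.ttl,))
        # A single DELETE makes check-and-remove atomic: of two submissions
        # carrying the same key, only one sees rowcount == 1.
        cur = self.db.execute("DELETE FROM challenge WHERE key = ?", (key or "",))
        self.db.commit()
        return cur.rowcount == 1


def render_form(store):
    """Return (headers, html) for the form page with the key in a hidden field."""
    headers = {"Cache-Control": "no-store"}  # a cached page would resend a spent key
    html = ('<form method="post" action="/contact">'
            f'<input type="hidden" name="challenge" value="{store.issue()}">'
            '<textarea name="message"></textarea><button>Send</button></form>')
    return headers, html


def handle_post(store, fields):
    """Ignore the submission unless it carries a valid, unused key."""
    return "accepted" if store.redeem(fields.get("challenge")) else "ignored"
```

A client that requests the form before every submission still receives a valid key, which is the limit the post itself acknowledges.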


#9 darrel
Re: Protecting Forms from spam - 11-04-2004, 01:15 PM

Quote:
> Use a challenge.

I really don't want to do this. I admit, this would work, but I'd rather put
up with the Spam than introduce a new hurdle for the end user.

DAMN YOU SPAMMERS!

;o)

-Darrel




#10 Joe Makowiec
Re: Protecting Forms from spam - 11-04-2004, 01:54 PM

On Thu 04 Nov 2004 12:51:20p, darrel wrote in macromedia.dreamweaver:

Quote:
> Nope. Here's the form:
>
> http://www.courts.state.mn.us/contact
>
> If you view the source, there's nothing that would allow any sort of
> submission of data without using the page itself, so I don't think it's
> anything circumventing the form itself, but rather submitting the form
> automatically.

Are you sure it's coming from the form, and not just from the spammer
guessing addresses? Do you have log excerpts?

Try changing the address that webmaster sends to on the form to, say,
xy7zzy49 (AT) example (DOT) invalid and see if that starts getting spam.

