html forms and spam-bots

  • William Gill

    html forms and spam-bots

    I am getting a lot of phony form submissions. I assume they are not
    being done manually because of the volume, but by some sort of spam-bot.
    I thought of putting some code in the php processing script to trash
    the bot generated responses, but was surprised to see the referrer is my
    form, not some clone or such. Any ideas on a quick way to eliminate
    these time wasters early in the process?
  • Jerry Stuckle

    #2
    Re: html forms and spam-bots

    William Gill wrote:
    >I am getting a lot of phony form submissions. I assume they are not
    >being done manually because of the volume, but by some sort of spam-bot.
    >I thought of putting some code in the php processing script to trash
    >the bot generated responses, but was surprised to see the referrer is my
    >form, not some clone or such. Any ideas on a quick way to eliminate
    >these time wasters early in the process?
    >
    Some type of CAPTCHA routine (it doesn't necessarily have to be an image).

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================

    • Gordon Burditt

      #3
      Re: html forms and spam-bots

      >I am getting a lot of phony form submissions. I assume they are not
      >being done manually because of the volume, but by some sort of spam-bot.
      >I thought of putting some code in the php processing script to trash
      >the bot generated responses, but was surprised to see the referrer is my
      >form, not some clone or such. Any ideas on a quick way to eliminate
      >these time wasters early in the process?
      Don't assume that submissions are really coming from your form;
      referer is trivially easy to fake. It's a fixed value and it's not
      even necessary to fetch your form to fake it.

      If you include some hidden fields with random but checked values, the
      spambot may not have the ability to fully parse the form (and may not
      even fetch your form) so they won't include those variables.

      Randomly changing up the field names in the form (with each set
      usable only once a week or so) requires the spambot to parse your form.

      For really advanced filtering, use CAPTCHA or instructions that
      humans can read and interpret but simple bots can't (Uncheck box
      3 and check box 4 before submitting) that change each time.
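
The hidden-field and rotating-field-name ideas from the post above, as an added example (not code from any poster in this thread): the form carries an HMAC-signed random token, and the visible field names are derived from the week the token was issued in. `FORM_SECRET`, `TOKEN_MAX_AGE`, the `form_token` field and all function names are assumptions; single-use tracking of tokens is left out.

```php
<?php
// Added example. FORM_SECRET, TOKEN_MAX_AGE and the function names are assumptions.
const FORM_SECRET   = 'replace-with-a-long-random-server-side-secret';
const TOKEN_MAX_AGE = 3600;               // seconds a rendered form stays valid

// Hidden "random but checked" value: nonce, issue time, and an HMAC over both.
function issueToken(int $now): string
{
    $nonce = bin2hex(random_bytes(8));
    return "$nonce.$now." . hash_hmac('sha256', "$nonce|$now", FORM_SECRET);
}

// Field names change with the week the form was issued in, so a fixed list
// of names harvested once stops working without the server storing anything.
function fieldName(string $logical, int $issued): string
{
    $week = intdiv($issued, 7 * 86400);
    return 'f' . substr(hash_hmac('sha256', "$logical|$week", FORM_SECRET), 0, 12);
}

// Returns null when the submission passes, otherwise the reason to drop it.
function checkSubmission(array $post, int $now): ?string
{
    $raw   = $post['form_token'] ?? '';
    $parts = is_string($raw) ? explode('.', $raw) : [];
    if (count($parts) !== 3) {
        return 'no token: the form was not fetched or not parsed';
    }
    [$nonce, $issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$nonce|$issued", FORM_SECRET), $mac)) {
        return 'token forged or altered';
    }
    $age = $now - (int) $issued;
    if ($age < 0 || $age > TOKEN_MAX_AGE) {
        return 'token expired';
    }
    if (!is_string($post[fieldName('message', (int) $issued)] ?? null)) {
        return 'expected field name missing';
    }
    return null;
}

// Constructed demo: an honest submission and a bot posting guessed names.
$t0    = 1222543500;                      // constructed timestamp
$token = issueToken($t0);
$good  = ['form_token' => $token, fieldName('message', $t0) => 'hello'];
$bot   = ['message' => 'buy pills', 'email' => 'x@example.com'];
var_dump(checkSubmission($good, $t0 + 30));
var_dump(checkSubmission($bot, $t0 + 30));
```

Because the field names are derived from the authenticated issue time rather than the clock at submit time, a form rendered just before a week boundary still validates after it.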

      • William Gill

        #4
        Re: html forms and spam-bots

        Gordon Burditt wrote:
        >>I am getting a lot of phony form submissions. I assume they are not
        >>being done manually because of the volume, but by some sort of spam-bot.
        >>I thought of putting some code in the php processing script to trash
        >>the bot generated responses, but was surprised to see the referrer is my
        >>form, not some clone or such. Any ideas on a quick way to eliminate
        >>these time wasters early in the process?
        >
        >Don't assume that submissions are really coming from your form;
        >referer is trivially easy to fake. It's a fixed value and it's not
        >even necessary to fetch your form to fake it.
        >
        >If you include some hidden fields with random but checked values, the
        >spambot may not have the ability to fully parse the form (and may not
        >even fetch your form) so they won't include those variables.

        That's what I was looking to do, but when it looked like the bot was
        actually filling the form it seemed to defeat the idea.

        >Randomly changing up the field names in the form (with each set
        >usable only once a week or so) requires the spambot to parse your form.
        >
        >For really advanced filtering, use CAPTCHA or instructions that
        >humans can read and interpret but simple bots can't (Uncheck box
        >3 and check box 4 before submitting) that change each time.

        Another possibility.

        thanks

        • William Gill

          #5
          Re: html forms and spam-bots

          Jerry Stuckle wrote:
          >William Gill wrote:
          >>I am getting a lot of phony form submissions. I assume they are not
          >>being done manually because of the volume, but by some sort of
          >>spam-bot. I thought of putting some code in the php processing script
          >>to trash the bot generated responses, but was surprised to see the
          >>referrer is my form, not some clone or such. Any ideas on a quick way
          >>to eliminate these time wasters early in the process?
          >
          >Some type of CAPTCHA routine (it doesn't necessarily have to be an image).

          I hadn't thought about non-image CAPTCHA; this is easy enough to do.

          Thanks

          • C. (http://symcbean.blogspot.com/)

            #6
            Re: html forms and spam-bots

            On 27 Sep, 19:25, William Gill <nore...@example.com> wrote:
            >I am getting a lot of phony form submissions. I assume they are not
            >being done manually because of the volume, but by some sort of spam-bot.
            >I thought of putting some code in the php processing script to trash
            >the bot generated responses, but was surprised to see the referrer is my
            >form, not some clone or such.

            Did you check your logs for the previous hit from the client or just
            check the referer? The latter is easily faked - but if there is no
            protection on the form then they don't need to bother.

            >Any ideas on a quick way to eliminate
            >these time wasters early in the process?

            Use a captcha or require a validated email address before publishing
            posts (this can be automated by e.g. requiring the email address at
            the time of the post and quarantining the post until the user releases
            it with a cryptic URL sent to their email address, quarantined posts
            expire after 2 days) - both the captcha and email validation will not
            prevent abuse but should cut it down.

            C.
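
The quarantine-and-release flow described in the post above, as an added example that is not part of the original post: a post is held unpublished, a random token goes into the release URL, and unreleased posts lapse after two days. The in-memory array standing in for a database table, the `forum.example` URL, `QUARANTINE_TTL` and the function names are all assumptions.

```php
<?php
// Added example. The array stands in for a database table; the URL,
// QUARANTINE_TTL and the function names are assumptions.
const QUARANTINE_TTL = 2 * 86400;   // "quarantined posts expire after 2 days"

// Store the post unpublished and return the release link to e-mail out.
function quarantinePost(array &$store, string $email, string $body, int $now): string
{
    $token = bin2hex(random_bytes(16));            // unguessable part of the URL
    // Keep only a hash of the token, so a leaked table cannot release posts.
    $store[hash('sha256', $token)] = [
        'email' => $email, 'body' => $body, 'created' => $now, 'published' => false,
    ];
    return 'https://forum.example/release.php?t=' . $token;
}

// Called by the release URL. True only for a known, unexpired, unreleased post.
function releasePost(array &$store, string $token, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key]) || $store[$key]['published']) {
        return false;
    }
    if ($now - $store[$key]['created'] > QUARANTINE_TTL) {
        unset($store[$key]);                       // expired: drop it
        return false;
    }
    $store[$key]['published'] = true;
    return true;
}

// Periodic cleanup of posts nobody released in time; returns how many were dropped.
function purgeExpired(array &$store, int $now): int
{
    $before = count($store);
    $store  = array_filter($store, fn($p) => $p['published']
        || $now - $p['created'] <= QUARANTINE_TTL);
    return $before - count($store);
}

// Constructed demo.
$store = [];
$t0    = 1222543500;
$url   = quarantinePost($store, 'user@example.com', 'First post', $t0);
parse_str(parse_url($url, PHP_URL_QUERY), $q);
var_dump(releasePost($store, $q['t'], $t0 + 600));          // released in time
$late  = quarantinePost($store, 'bot@example.com', 'spam', $t0);
parse_str(parse_url($late, PHP_URL_QUERY), $q2);
var_dump(releasePost($store, $q2['t'], $t0 + 3 * 86400));   // too late
```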

            • Jeff

              #7
              Re: html forms and spam-bots

              William Gill wrote:
              >Jerry Stuckle wrote:
              >>William Gill wrote:
              >>>I am getting a lot of phony form submissions. I assume they are not
              >>>being done manually because of the volume, but by some sort of
              >>>spam-bot. I thought of putting some code in the php processing
              >>>script to trash the bot generated responses, but was surprised to see
              >>>the referrer is my form, not some clone or such. Any ideas on a
              >>>quick way to eliminate these time wasters early in the process?
              >>
              >>Some type of CAPTCHA routine (it doesn't necessarily have to be an
              >>image).
              >
              >I hadn't thought about non-image CAPTCHA this is easy enough to do.

              As long as you do something that no one else is doing you will
              probably be OK. I have a dumb little bit that killed the SPAM from my
              forms, but it would be easy to figure out if you took a bit of time.

              Jeff
              Thanks

              • Manuel Lemos

                #8
                Re: html forms and spam-bots

                Hello,

                on 09/27/2008 03:25 PM William Gill said the following:
                >I am getting a lot of phony form submissions. I assume they are not
                >being done manually because of the volume, but by some sort of spam-bot.
                >I thought of putting some code in the php processing script to trash
                >the bot generated responses, but was surprised to see the referrer is my
                >form, not some clone or such. Any ideas on a quick way to eliminate
                >these time wasters early in the process?
                You may want to try this forms class that comes with a CAPTCHA
                validation plug-in.



                Here is a live example:



                Here you can watch a tutorial video:



                This CAPTCHA plug-in also avoids Cross-site request forgery (CSRF)
                attacks because the CAPTCHA text is only valid for a given period of time.


                --

                Regards,
                Manuel Lemos

                Find and post PHP jobs


                PHP Classes - Free ready to use OOP components written in PHP

                • Kristaps Kūlis

                  #9
                  Re: html forms and spam-bots

                  On Sep 27, 9:25 pm, William Gill <nore...@example.com> wrote:
                  >I am getting a lot of phony form submissions.  I assume they are not
                  >being done manually because of the volume, but by some sort of spam-bot.
                  >I thought of putting some code in the php processing script to trash
                  >the bot generated responses, but was surprised to see the referrer is my
                  >form, not some clone or such.  Any ideas on a quick way to eliminate
                  >these time wasters early in the process?
                  You can also use javascript, as most of spam bots cannot parse it.
                  For example,
                  <form method="post" action="iamspammer" name="myForm">
                  [..]
                  </form>
                  <script type="text/javascript">
                  // Swap in the real handler; clients that do not run this script post to the decoy action.
                  document.myForm.action = "therealaction";
                  </script>
                  You can randomize action url with help of mod_rewrite.

                  If it doesn't help, you can use recaptcha, which provides both audio
                  and image captcha.
                  I recommend Zend_Captcha with recaptcha adapter.

                  • Jerry Stuckle

                    #10
                    Re: html forms and spam-bots

                    Manuel Lemos wrote:
                    >Hello,
                    >
                    >on 09/27/2008 03:25 PM William Gill said the following:
                    >>I am getting a lot of phony form submissions. I assume they are not
                    >>being done manually because of the volume, but by some sort of spam-bot.
                    >>I thought of putting some code in the php processing script to trash
                    >>the bot generated responses, but was surprised to see the referrer is my
                    >>form, not some clone or such. Any ideas on a quick way to eliminate
                    >>these time wasters early in the process?
                    >
                    >You may want to try this forms class that comes with a CAPTCHA
                    >validation plug-in.
                    >
                    >Here is a live example:
                    >
                    >Here you can watch a tutorial video:
                    >
                    >This CAPTCHA plug-in also avoids Cross-site request forgery (CSRF)
                    >attacks because the CAPTCHA text is only valid for a given period of time.

                    That is one of the worst CAPTCHA routines on the internet. He will be much
                    better off with almost anything else.

                    You should at least be truthful and tell people it's YOUR crap you're
                    trying to push on them, rather than lead them to think you are a
                    disinterested third party.


                    --
                    ==================
                    Remove the "x" from my email address
                    Jerry Stuckle
                    JDS Computer Training Corp.
                    jstucklex@attglobal.net
                    ==================

                    • Michael Fesser

                      #11
                      Re: html forms and spam-bots

                      ..oO(Kristaps Kūlis)
                      >On Sep 27, 9:25 pm, William Gill <nore...@example.com> wrote:
                      >>I am getting a lot of phony form submissions.  I assume they are not
                      >>being done manually because of the volume, but by some sort of spam-bot.
                      >>I thought of putting some code in the php processing script to trash
                      >>the bot generated responses, but was surprised to see the referrer is my
                      >>form, not some clone or such.  Any ideas on a quick way to eliminate
                      >>these time wasters early in the process?
                      >
                      >You can also use javascript, as most of spam bots cannot parse it.
                      Many visitors can't use it either. Really bad idea.

                      Micha

                      • Tree*Rat

                        #12
                        Re: html forms and spam-bots

                        William Gill <noreply@example.com> wrote in news:dUuDk.1497$073.28
                        @fe99.usenetserver.com:
                        >I am getting a lot of phony form submissions. I assume they are not
                        >being done manually because of the volume, but by some sort of spam-bot.
                        >I thought of putting some code in the php processing script to trash
                        >the bot generated responses, but was surprised to see the referrer is my
                        >form, not some clone or such. Any ideas on a quick way to eliminate
                        >these time wasters early in the process?
                        CAPTCHA is the way. I use a simple method which stores a 4 digit number in
                        the database. Then using 4 drop down boxes they have to select the
                        corresponding numbers. On submit the numbers are checked. Simple but so
                        effective.

                        • Michael Fesser

                          #13
                          Re: html forms and spam-bots

                          ..oO(Tree*Rat)
                          >William Gill <noreply@example.com> wrote in news:dUuDk.1497$073.28
                          >@fe99.usenetserver.com:
                          >
                          >>I am getting a lot of phony form submissions. I assume they are not
                          >>being done manually because of the volume, but by some sort of spam-bot.
                          >>I thought of putting some code in the php processing script to trash
                          >>the bot generated responses, but was surprised to see the referrer is my
                          >>form, not some clone or such. Any ideas on a quick way to eliminate
                          >>these time wasters early in the process?
                          >
                          >CAPTCHA is the way.
                          Not really.
                          >I use a simple method which stores a 4 digit number in
                          >the database. Then using 4 drop down boxes they have to select the
                          >corresponding numbers. On submit the numbers are checked. Simple but so
                          >effective.
                          Every CAPTCHA creates obstacles for the visitors. One could even say
                          that you abuse _them_ to solve _your_ spam problem. There are other
                          totally transparent methods to fight spam without forcing the visitors
                          to do your work. Google "honeypot" for example.

                          Micha

                          • William Gill

                            #14
                            Re: html forms and spam-bots

                            C. (http://symcbean.blogspot.com/) wrote:
                            >Did you check your logs for the previous hit from the client or just
                            >check the referer? The latter is easily faked - but if there is no
                            >protection on the form then they don't need to bother.
                            A quick scan shows a GET followed by a POST, so it looks (at least to
                            me) like their bots are actually "filling out the form"

                            • William Gill

                              #15
                              Re: html forms and spam-bots

                              William Gill wrote:
                              >C. (http://symcbean.blogspot.com/) wrote:
                              >>Did you check your logs for the previous hit from the client or just
                              >>check the referer? The latter is easily faked - but if there is no
                              >>protection on the form then they don't need to bother.
                              >A quick scan shows a GET followed by a POST, so it looks (at least to
                              >me) like their bots are actually "filling out the form"
                              I may have spoken too soon. A closer look reveals some oddities like a
                              GET followed by a POST several minutes later from a different IP. I
                              will have to watch closely and compare timepoints w/actual spammed
                              submissions.
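
The log check discussed in the last few posts, as an added example (not code from any poster in this thread): it walks access-log lines and reports every POST to the form handler that has no GET of the form page from the same IP within a time window. `FORM_PATH`, `HANDLER_PATH`, `WINDOW` and the log lines are constructed for illustration.

```php
<?php
// Added example. FORM_PATH, HANDLER_PATH, WINDOW and the log lines are constructed.
const FORM_PATH    = '/contact.php';   // page that renders the form
const HANDLER_PATH = '/send.php';      // script the form posts to
const WINDOW       = 1800;             // max seconds between GET and POST

// Parse one common/combined-format access log line; null if it does not match.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"/', $line, $m)) {
        return null;
    }
    $when = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($when === false) {
        return null;
    }
    return ['ip' => $m[1], 'ts' => $when->getTimestamp(), 'method' => $m[3],
            'path' => parse_url($m[4], PHP_URL_PATH)];
}

// POSTs to the handler with no GET of the form from the same IP inside WINDOW.
function orphanPosts(array $lines): array
{
    $lastGet = [];                      // ip => time of its latest form GET
    $orphans = [];
    foreach ($lines as $line) {
        $e = parseLine($line);
        if ($e === null) {
            continue;
        }
        if ($e['method'] === 'GET' && $e['path'] === FORM_PATH) {
            $lastGet[$e['ip']] = $e['ts'];
        } elseif ($e['method'] === 'POST' && $e['path'] === HANDLER_PATH) {
            $seen = $lastGet[$e['ip']] ?? null;
            if ($seen === null || $e['ts'] - $seen > WINDOW) {
                $orphans[] = $e;
            }
        }
    }
    return $orphans;
}

$log = [ // constructed sample lines, documentation-range addresses
    '192.0.2.10 - - [27/Sep/2008:19:20:01 +0000] "GET /contact.php HTTP/1.1" 200 2310',
    '192.0.2.10 - - [27/Sep/2008:19:21:40 +0000] "POST /send.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [27/Sep/2008:19:22:05 +0000] "GET /contact.php HTTP/1.1" 200 2310',
    '203.0.113.44 - - [27/Sep/2008:19:26:30 +0000] "POST /send.php HTTP/1.1" 302 0',
];
foreach (orphanPosts($log) as $e) {
    echo date('c', $e['ts']), ' ', $e['ip'], " POST without a prior form GET\n";
}
```

Visitors whose address changes between requests (proxy pools, mobile networks) will also show up here, so the output is better suited to comparing against known spam submissions than to blocking on its own.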
