Web Hosting Talk

SPAM issue through contact form


banvio
02-21-2007, 10:59 PM
Hello,

I am starting to get about 20 SPAM emails submitted from my contact form every day, I am trying to find out how to place those security code boxes to reduce these spammers, does anyone know of any links of places I can go to research how this can be done?

tiamak
02-21-2007, 11:20 PM
for website u can do 2 things:
1. add captcha
2. check submitter ip against some black lists

3. personally i use also aspell for language recognition (since i use same php code as pipe for my smtpd) if message/email contains text in different lang than my native lang + has images in message content then it is rejected

these 3 simple steps reduced for me spam via web forms to 0 and spam via smtpd (step 2,3) to less than 10 spam emails daily (i got hundreds of these before)
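Step 2 in the post above (checking the submitter's IP against a blacklist) is usually done with a DNS blacklist query. The following is an added example, not code from the thread or from any poster: it reverses the IPv4 octets, appends the list's zone, and treats the presence of an A record as a listing. The zone name is an assumption; use whichever list you actually rely on.

```php
<?php
// Added example (not from the thread): DNSBL lookup of the posting IP.
// The zone name is an assumption; replace it with the list you subscribe to.

function dnsblListed(string $ip, string $zone = 'zen.spamhaus.org'): bool
{
    // Only IPv4 is handled here; IPv6 lists use nibble reversal instead.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    // DNSBLs are queried with the octets reversed:
    // 203.0.113.5 -> 5.113.0.203.<zone>.  (203.0.113.0/24 is documentation space)
    $query = implode('.', array_reverse(explode('.', $ip))) . '.' . $zone . '.';
    // An A record (conventionally 127.0.0.x) means "listed"; NXDOMAIN means clean.
    return checkdnsrr($query, 'A');
}

// Refuse the submission early, before any mail() call is reached.
function rejectIfBlacklisted(string $ip): void
{
    if (dnsblListed($ip)) {
        http_response_code(403);
        exit('Submission rejected.');
    }
}

// REMOTE_ADDR is the real client only when PHP is not behind a proxy or
// load balancer; otherwise read the forwarded address from your proxy's
// trusted header instead of trusting X-Forwarded-For blindly.
rejectIfBlacklisted($_SERVER['REMOTE_ADDR'] ?? '');
```

Most public lists document a test address (often 127.0.0.2) that is always listed, which is the easiest way to confirm the reversal and the zone are correct before putting the check in front of a live form. Also note that many lists rate-limit or refuse queries from public resolvers, so check the list's usage terms.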

banvio
02-21-2007, 11:29 PM
for website u can do 2 things:
1. add captcha
2. check submitter ip against some black lists

3. personally i use also aspell for language recognition (since i use same php code as pipe for my smtpd) if message/email contains text in different lang than my native lang + has images in message content then it is rejected

these 3 simple steps reduced for me spam via web forms to 0 and spam via smtpd (step 2,3) to less than 10 spam emails daily (i got hundreds of these before)

Thanks for the reply.

1. add captcha - what is a captcha?

tiamak
02-21-2007, 11:37 PM
image with text that needs to be written to some input field in order to submit form :)
http://en.wikipedia.org/wiki/CAPTCHA

ah and btw simple captchas can be hacked using any OCR software (text recognition soft)
this can be done even with such simple soft like opensource GOCR (i use it to read captchas from http://sms.orange.pl sms gateway for example - and their captcha might look pretty good for average user )
fortunately spammers do not use any captcha recognition tricks yet :D
but you should make sure your own captcha would be unique and very sophisticated.

banvio
02-21-2007, 11:40 PM
image with text that needs to be written to some input field in order to submit form :)
http://en.wikipedia.org/wiki/CAPTCHA

Yes! My question to you is, how do you get these things to work? Do you have a link to a place with directions how to add and activate captcha with your contact form? Do I need to make my own captcha graphics?

tiamak
02-21-2007, 11:58 PM
making your own script that will generate captchas is the best way
however you will find already done addons for almost any popular software (like phpbb for example)
if u need some examples or guides how to implement it, just google for: "captcha script" or "captcha php" or something similar :D

HostRefugee-Vince
02-22-2007, 01:31 AM
There are some PHP Classes already programmed and ready to add in your pre-existing / custom scripts.

Try the one at:
http://www.hotscripts.com/Detailed/49400.html

Or perhaps search HotScripts for others.

BurakUeda
02-22-2007, 04:29 AM
I usually add a "Confirmation" step before actually sending the mail:

1. Fill the form, press confirm button.
2. Validate form data and display form contents. Ask user "Please confirm the contents and press send button".
3. Revalidate form data and send email.

In the 2nd step, I am using some token variables to check if the user really comes from the form page. This prevented bots from sending spam mail almost 100%.

azizny
02-22-2007, 12:03 PM
Use Captcha:

http://www.free-php-scripts.net/P/Contact_Form

or implement it on your existing form:

http://www.phptricks.com/lesson.php?id=32

Peace,

jimpoz
02-22-2007, 12:28 PM
ah and btw simple captchas can be hacked using any OCR software (text recognition soft)

I saw on one site they had about eight different pictures, and to submit the form you had to click the picture of the bunny. It wasn't a practical implementation of a new type of captcha test per se, but rather just a demonstration.

Renard Fin
02-22-2007, 01:50 PM
http://sam.zoy.org/pwntcha/

That is enough I think to *NOT* use captcha.

Instead a solution that was proposed on some blogs is to put a riddle.

i.e.: "Write this number in letters : 1" : then you have to write "one". This is sure that bots won't be able to understand this.

azizny
02-22-2007, 03:40 PM
Bots are created by the same human being that is writing those tricks.

Spammers usually have a list in an array of websites and their corresponding break style.

I learnt that there is no way to stop spammers, but there are ways to reduce it by up to 95%.

Peace,

horizon
02-22-2007, 07:50 PM
This forum also contains codings regarding CAPTCHA:

http://www.webhostingtalk.com/showpost.php?p=4289845&postcount=2

;)

Engelmacher
02-22-2007, 08:01 PM
Rather than obnoxious captchas, I used a combination of CSRF tokens, email address verification through callouts and form field name encryption (more like obfuscation really) in my contact forms and have never gotten a single spam message through them. I'm sure if it was a popular script being used by millions of people somebody would have written a script which can exploit it anyway, but it's not and that's another reason why it works so well.

The latter sections of this article might help:

http://shiflett.org/articles/foiling-cross-site-attacks
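Both the confirmation-step approach described by BurakUeda above and the token-plus-field-name-obfuscation approach in this post come down to the same server-side pattern. The block below is an added example, not code from the thread, from any poster, or from the linked article: a fill -> confirm -> send flow where each step only accepts a token issued by the previous step and stored in the session, with visible input names derived from a per-session secret. FORM_FIELDS, the session keys and the mail() addresses are assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread). Session-bound step tokens plus
// per-session field-name obfuscation for a contact form. All names below
// (FORM_FIELDS, session keys, mail addresses) are assumptions.
session_start();

const FORM_FIELDS = ['name', 'email', 'message'];

function sessionSecret(): string
{
    if (empty($_SESSION['form_secret'])) {
        $_SESSION['form_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_secret'];
}

// Obfuscated input name for a logical field; stable only within one session,
// so a bot replaying a fixed list of field names never hits the right ones.
function fieldName(string $logical): string
{
    return 'f_' . substr(hash_hmac('sha256', $logical, sessionSecret()), 0, 12);
}

// Map posted data back to logical names; anything else in $post is ignored.
function readFields(array $post): array
{
    $out = [];
    foreach (FORM_FIELDS as $logical) {
        $out[$logical] = trim((string) ($post[fieldName($logical)] ?? ''));
    }
    return $out;
}

// Issue a random token for the step that is about to be shown.
function issueToken(string $step): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['tokens'][$step] = $token;
    return $token;
}

// Consume the token: valid once, and only for the step it was issued for.
function checkToken(string $step, string $presented): bool
{
    $expected = (string) ($_SESSION['tokens'][$step] ?? '');
    unset($_SESSION['tokens'][$step]);
    return $expected !== '' && hash_equals($expected, $presented);
}

function validate(array $f): array
{
    $errors = [];
    if ($f['name'] === '') { $errors[] = 'Name is required.'; }
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so the address is safe in a mail header.
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'Email is invalid.'; }
    if (strlen($f['message']) < 10) { $errors[] = 'Message is too short.'; }
    return $errors;
}

// Renders the fill form (editable inputs) or the confirm page (read-only
// contents carried in hidden inputs) and embeds the token for the next step.
function renderForm(array $f, string $step): string
{
    $h = '<form method="post">';
    foreach (FORM_FIELDS as $logical) {
        $name  = fieldName($logical);
        $value = htmlspecialchars($f[$logical], ENT_QUOTES, 'UTF-8');
        $h .= $step === 'fill'
            ? "<label>$logical <input name=\"$name\" value=\"$value\"></label>"
            : "<p>$logical: $value</p><input type=\"hidden\" name=\"$name\" value=\"$value\">";
    }
    $h .= '<input type="hidden" name="step" value="' . ($step === 'fill' ? 'confirm' : 'send') . '">';
    $h .= '<input type="hidden" name="token" value="' . issueToken($step) . '">';
    $h .= '<button>' . ($step === 'fill' ? 'Confirm' : 'Send') . '</button></form>';
    return $h;
}

// Step dispatcher. A post straight to "send" fails because no 'confirm' token
// was ever issued to this session; the data is re-validated at every step.
function handle(array $post): string
{
    $step   = $post['step'] ?? 'fill';
    $token  = (string) ($post['token'] ?? '');
    $fields = readFields($post);

    if ($step === 'confirm' && checkToken('fill', $token) && !validate($fields)) {
        return renderForm($fields, 'confirm');
    }
    if ($step === 'send' && checkToken('confirm', $token) && !validate($fields)) {
        mail('owner@example.com', 'Contact form', $fields['message'],
             "From: form@example.com\r\nReply-To: " . $fields['email']);
        return 'Thank you, your message was sent.';
    }
    return renderForm($fields, 'fill');   // first visit, bad token, or validation failure
}

echo handle($_POST);
```

Two design points worth noting: the token is compared with hash_equals() and removed from the session as soon as it is checked, so a captured token cannot be replayed, and the visitor's email address only ever reaches a mail header after FILTER_VALIDATE_EMAIL has passed, which closes the header-injection route that contact-form spammers commonly use to turn the form into an open relay.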

horizon
02-22-2007, 08:32 PM
Ok, have to admit here - the post above provides a really good URL (especially regarding security issues).

Jamie Edwards
02-22-2007, 09:03 PM
Pose a question: "What is 1 plus 2?" that changes randomly, maybe.
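The random arithmetic question suggested here, and the "write the number in letters" riddle suggested earlier in the thread, share one implementation detail that matters: the expected answer must live in the session, never in a hidden form field. The following is an added example, not code from the thread or from any poster; it accepts the answer either as digits or as the English word, and the session key name is an assumption.

```php
<?php
// Added example (not from the thread): a randomly generated sum whose
// answer is stored server-side; digits or the English word are accepted.
session_start();

const NUMBER_WORDS = ['zero', 'one', 'two', 'three', 'four', 'five', 'six',
    'seven', 'eight', 'nine', 'ten', 'eleven', 'twelve', 'thirteen',
    'fourteen', 'fifteen', 'sixteen', 'seventeen', 'eighteen'];

// Generate a fresh question and remember only the answer in the session.
function newQuestion(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['q_answer'] = $a + $b;   // session key name is an assumption
    return "What is $a plus $b? (digits or the word are fine)";
}

// One attempt per question: the stored answer is cleared whether or not the
// guess was right, so a bot cannot iterate over all 18 possibilities.
function checkAnswer(string $given): bool
{
    $expected = $_SESSION['q_answer'] ?? null;
    unset($_SESSION['q_answer']);
    if ($expected === null) {
        return false;
    }
    $given = strtolower(trim($given));
    return $given === (string) $expected || $given === NUMBER_WORDS[$expected];
}

// Typical use inside the form handler.
if (isset($_POST['answer'])) {
    echo checkAnswer((string) $_POST['answer']) ? 'Answer accepted.' : 'Wrong answer, try again.';
}
echo '<form method="post"><label>' . htmlspecialchars(newQuestion(), ENT_QUOTES, 'UTF-8')
   . ' <input name="answer"></label><button>Send</button></form>';
```

Because the answer space is tiny, this only raises the bar for generic bots that do not read the question text; pair it with rate limiting per session or IP so that repeated wrong answers cost the sender more than the form costs you.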

horizon
02-22-2007, 09:15 PM
Not ... so sure if this question was being asked to me actually . . .