  1. #1
    Join Date
    May 2006
    Location
    Canada
    Posts
    307

    Killing those form bots

    I'm looking for some tips on combatting feedback form bots.

    I use a pretty standard html form with the usual fields for filling out, and this then is sent through the form2email script.

    Problem is I'm being inundated by spam, usually insurance and porn junk that is filling out all the required fields and submitting them.

    I have limited scripting knowledge and these captcha modules look quite tricky to install, or are they?

    Any tips you can share would be gratefully received, whether a captcha is the way to go or something easier?

    Thanks.

  2. #2
    Join Date
    May 2004
    Location
    Pflugerville, TX
    Posts
    11,222
    Forget captcha. It's become too easily defeated by spammers anyway.

    How are you for programming? I would suggest a Q/A challenge script, where someone has to answer an easy question picked at random out of questions you write.

    Q. What color is green?
    A. Green

    - email sent -
    Studio1337 Web Design

  3. #3
    Join Date
    May 2006
    Location
    Canada
    Posts
    307
    Thanks PM.

    Yeah, I looked at some of those ideas by googling. I'm fine with HTML / CSS, but my scripting skills are practically limited to "copy and paste"!!

    Did you send me an email? I never got it. Better check and see what email I have registered.

  4. #4
    Join Date
    May 2004
    Location
    Pflugerville, TX
    Posts
    11,222
    Oh no, I didn't email you.

    I was demonstrating how the script might work, with "email sent" as the result of answering the question properly. Sorry about that.

    Yeah, I could script it up in JavaScript just fine, but there would be people who might not be able to use it because they have JS turned off. Someone with decent PHP skills might be able to whip up something better for you.
    Studio1337 Web Design

  5. #5
    Join Date
    May 2006
    Location
    Canada
    Posts
    307
    Google is my friend. I'll do some searching later. Thanks for your help.

  6. #6
    Join Date
    Sep 2005
    Location
    India
    Posts
    750
    Here is a working (although very basic) Q/A challenge script:

    Create table to store questions and answers:
    PHP Code:
    CREATE TABLE `qa` (
      `question_id` int(10) unsigned NOT NULL auto_increment,
      `question` varchar(255) NOT NULL default '',
      `answer` varchar(255) NOT NULL default '',
      PRIMARY KEY (`question_id`)
    );

    INSERT INTO `qa` VALUES ('1', 'What is 2 plus 2 equal to?', '4');
    INSERT INTO `qa` VALUES ('2', 'What is 2 plus 2 minus 1 equal to?', '3');
    INSERT INTO `qa` VALUES ('3', 'What is 6 divided by 2 equal to?', '3');
    Code for form
    PHP Code:
    <?php
    //Start session
    session_start();

    //Connect to mysql server
    $link = mysql_connect("localhost", "username", "password");
    if (!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db("temp");
    if (!$db) {
        die("Unable to select database");
    }

    //Pick one question at random
    $rs = mysql_query('SELECT * FROM qa ORDER BY RAND() LIMIT 1');
    $qa = mysql_fetch_assoc($rs);

    //Show the handler's message once, then clear it from the session
    $msg = isset($_SESSION['msg']) ? $_SESSION['msg'] : '';
    unset($_SESSION['msg']);
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Login Form</title>
    <link href="loginmodule.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <p><?php echo $msg; ?></p>
    <form id="loginForm" name="loginForm" method="post" action="form-exec.php">
    <input type="hidden" name="qa" id="qa" value="<?php echo $qa['question_id']; ?>" />
      <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
        <tr>
          <td width="112"><b>Name</b></td>
          <td width="188"><input name="pname" type="text" class="textfield" id="pname" /></td>
        </tr>
        <tr>
          <td><b>Email</b></td>
          <td><input name="email" type="text" class="textfield" id="email" /></td>
        </tr>
        <tr>
          <td valign="top"><b>Comments</b></td>
          <td><textarea name="comments" cols="30" class="textfield" id="comments"></textarea></td>
        </tr>
        <tr>
          <td><b>Question</b></td>
          <td><?php echo $qa['question']; ?></td>
        </tr>
        <tr>
          <td><b>Answer</b></td>
          <td><input name="ans" type="text" class="textfield" id="ans" /></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td><input type="submit" name="Submit" value="Submit" /></td>
        </tr>
      </table>
    </form>
    </body>
    </html>
    Code for form handler
    PHP Code:
    <?php
    //Start session
    session_start();

    //Connect to mysql server
    $link = mysql_connect("localhost", "username", "password");
    if (!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db("temp");
    if (!$db) {
        die("Unable to select database");
    }

    //Escape the submitted question id before it goes into the query
    if (!get_magic_quotes_gpc()) {
        $qa = mysql_real_escape_string($_POST['qa']);
    } else {
        $qa = $_POST['qa'];
    }

    //Create query
    $qry = "SELECT * FROM qa WHERE question_id='$qa'";
    $rs = mysql_query($qry);
    $qa = mysql_fetch_assoc($rs);

    //An unknown question id yields no row and must not pass as a correct answer
    if ($qa && strcasecmp($_POST['ans'], $qa['answer']) == 0) {
        echo "Correct answer!";
        //Send email
    } else {
        $_SESSION['msg'] = 'Incorrect answer!';
        session_write_close();
        header('location: form.php');
        exit();
    }
    ?>
    Hope this is enough to get you started.
    Last edited by the_pm; 12-17-2006 at 03:14 PM.
    Darsh Web Solutions : Web Design, PHP Development, E-Commerce Solutions

    PHP Tutorials : Tutorials and scripts for beginners
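    A hardened variant of the same challenge, added here as an example and not part of the poster's script: the question id is held in the session rather than in a hidden field, the lookup uses a PDO prepared statement, a missing or already-used challenge fails closed, and the message is rendered without a redirect. It assumes the `qa` table created above; the DSN and credentials are placeholders, and the script is assumed to be saved as the form page itself so it posts to its own URL.

```php
<?php
// Added example, not the poster's script: random Q/A challenge with the
// question id held server-side in the session. Assumes the `qa` table from
// the post above; DSN and credentials are placeholders.
session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=temp;charset=utf8mb4',   // placeholder DSN
            'username',                                           // placeholder
            'password',                                           // placeholder
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
        );
    }
    return $pdo;
}

// Pick a random question, remember its id in the session, return its text.
function issue_challenge(): string
{
    $row = db()->query('SELECT question_id, question FROM qa ORDER BY RAND() LIMIT 1')
               ->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('qa table is empty');
    }
    $_SESSION['qa_id'] = (int) $row['question_id'];
    return $row['question'];
}

// Compare the submitted answer with the question that was actually issued.
// Fails closed when no challenge is pending; each issued question gets one try.
function check_challenge(string $submitted): bool
{
    if (!isset($_SESSION['qa_id'])) {
        return false;
    }
    $stmt = db()->prepare('SELECT answer FROM qa WHERE question_id = ?');
    $stmt->execute([$_SESSION['qa_id']]);
    $expected = $stmt->fetchColumn();
    unset($_SESSION['qa_id']);
    if ($expected === false) {
        return false;
    }
    return strcasecmp(trim($submitted), trim($expected)) === 0;
}

$msg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (check_challenge((string) ($_POST['ans'] ?? ''))) {
        echo 'Correct answer!';
        // build and send the email here (see the thread's notes on mail headers)
        exit;
    }
    $msg = 'Incorrect answer!';
}
$question = issue_challenge();   // a fresh question for every page render
?>
<p><?php echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'); ?></p>
<form method="post" action="">
  <p><b>Question</b> <?php echo htmlspecialchars($question, ENT_QUOTES, 'UTF-8'); ?></p>
  <p><b>Answer</b> <input name="ans" type="text" /></p>
  <input type="submit" value="Submit" />
</form>
```

    Because the issued id never leaves the server, a submission cannot pair its answer with a question of its own choosing, and the one-try rule means a wrong guess always costs a fresh page load.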

  7. #7
    Join Date
    Jul 2006
    Posts
    1,078
    Are we forgetting simple GD image verification?

    Yes, my PHP is no good so I can't write the code, but I'm sure it'll be much simpler than relying on MySQL.

  8. #8
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    On one site I'm using a Perl mailing script and it was getting a lot of these. I added one line to the top, and most of it stopped cold.
    Code:
    # anchored with ^ so the domain has to be where the referer starts, not merely somewhere inside it
    die unless ($ENV{HTTP_REFERER} =~ m/^https?:\/\/(www\.)?domain\.tld\//);
    Just change "domain" and "tld" to the actual domain and TLD (duh) and add it to the Perl script near the top.

    This won't stop the ones that actually use the form on the page, but it does stop remote submission pretty well.

  9. #9
    Join Date
    May 2004
    Location
    Pflugerville, TX
    Posts
    11,222
    Quote Originally Posted by Linuxtechie
    Are we forgetting simple GD image verification?

    Yes, my PHP is no good so I can't write the code, but I'm sure it'll be much simpler than relying on MySQL.
    See above (discussion about CAPTCHA). Spammers are destroying those anymore.
    Studio1337 Web Design

  10. #10
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    I found that most of them try to use HTML in their spam, so I just do

    PHP Code:
    // eregi() was removed in PHP 7; stripos($_POST['something'], 'a href') !== false is the equivalent test
    if (eregi('a href', $_POST['something'])) { die('hahahea, yeah right'); }
    and that does a decent job of cutting a lot of it out.

  11. #11
    Join Date
    Sep 2005
    Location
    India
    Posts
    750
    I found that most of them try to use HTML in their spam, so I just do

    PHP Code:
    if (eregi('a href', $_POST['something'])) { die('hahahea, yeah right'); }

    and that does a decent job of cutting a lot of it out.
    Spammers may also try to use your contact-us forms to send spam to others by injecting mail headers. That is, they will be using your server to send spam.

    CAPTCHA or challenge/response is the first line of defense. Input validation is the second line of defense. You can't rely on only one technique.
    Darsh Web Solutions : Web Design, PHP Development, E-Commerce Solutions

    PHP Tutorials : Tutorials and scripts for beginners

  12. #12
    Join Date
    Sep 2004
    Location
    Vancouver, BC Canada
    Posts
    122
    I was thinking of changing CAPTCHAs a bit to do simple math, or even a little more advanced math; you know, the ones where we Canadians have to answer a skill-testing question?

    (5+5) / 2 - 2 = 3

    Easy enough to do with PHP's GD Library.
    SharkBait
    Web Dev: php, MySQL, HTML, XHTML, JS, CSS
    www.DyanmicShark.com - Coming Soon!
    My Blog:www.tyleringram.com

  13. #13
    Join Date
    Nov 2004
    Location
    Toronto
    Posts
    238
    Quote Originally Posted by Jatinder
    Spammers may also try to use your contact us forms to send spam to others by injecting mail headers.
    That's true, and we learned our lesson the hard way. The simplest workaround is to make sure you do not include any submitted fields in the mail headers.

    This is not good:
    PHP Code:
    $mail_header .= "From: {$_POST['name']} <{$_POST['email']}>\r\n";
    //...
    mail($mail_to, $mail_subject, $mail_body, $mail_header);
    This is fine:
    PHP Code:
    $mail_header .= "From: [email protected]\r\n";
    //...
    mail($mail_to, $mail_subject, $mail_body, $mail_header);
    Although that won't stop the spam emails coming in, it will surely prevent spammers using your forms to send spam.

    We do have a script that does some basic checks. If it's spam, it's sent to another mailbox (or you can just not send it). If it's ok, then it's submitted to the original recipient.
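    The two points made in the last few posts, fixed headers plus basic checks that divert suspect submissions to another mailbox, as one added example that is not the poster's script. Submitted text only ever reaches the mail body; the sender address is a constant, and a Reply-To is added only after the submitted address passes filter_var(). The "a href" test from earlier in the thread is one of the checks. All addresses and the two sample submissions are constructed placeholders.

```php
<?php
// Added example, not the poster's script. Submitted fields never reach mail
// headers unvalidated; failed checks route the message to a review mailbox.
// All addresses below are constructed placeholders.

const MAIL_TO       = 'feedback@example.com';    // placeholder recipient
const MAIL_SPAM_BOX = 'spam-review@example.com'; // placeholder review mailbox
const MAIL_FROM     = 'form@example.com';        // fixed sender, never user-supplied

// True if a value contains anything that could start a new header line.
function has_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Reasons a submission looks like spam; an empty list means it passed.
function spam_reasons(array $post): array
{
    $reasons  = [];
    $comments = (string) ($post['comments'] ?? '');
    foreach (['name', 'email'] as $field) {          // single-line fields
        if (has_newline((string) ($post[$field] ?? ''))) {
            $reasons[] = "newline in $field";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'invalid email';
    }
    if (stripos($comments, 'a href') !== false || stripos($comments, '[url') !== false) {
        $reasons[] = 'link markup in comments';
    }
    if (preg_match_all('~https?://~i', $comments) > 2) {
        $reasons[] = 'more than two links';
    }
    return $reasons;
}

// Build the mail() arguments. Headers are fixed strings plus a Reply-To that
// is only added once the address has passed filter_var() and all checks.
function build_mail(array $post): array
{
    $reasons = spam_reasons($post);
    $headers = 'From: ' . MAIL_FROM . "\r\n";
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($reasons === [] && $email !== false) {
        $headers .= "Reply-To: $email\r\n";
    }
    // User text goes in the body only, where newlines are harmless.
    $body = 'Name: ' . str_replace(["\r", "\n"], ' ', (string) ($post['name'] ?? '')) . "\n"
          . 'Email: ' . str_replace(["\r", "\n"], ' ', (string) ($post['email'] ?? '')) . "\n\n"
          . (string) ($post['comments'] ?? '');
    $to      = $reasons === [] ? MAIL_TO : MAIL_SPAM_BOX;
    $subject = $reasons === [] ? 'Website feedback'
                               : 'Suspected spam: ' . implode(', ', $reasons);
    return [$to, $subject, $body, $headers];
}

// Constructed sample submissions for a local run: php this_script.php
if (PHP_SAPI === 'cli') {
    $samples = [
        ['name' => 'Jane', 'email' => 'jane@example.net', 'comments' => 'Nice site, thanks.'],
        ['name' => "Jane\r\nsecond line", 'email' => 'jane@example.net',
         'comments' => '<a href="http://example.invalid/">cheap insurance</a>'],
    ];
    foreach ($samples as $post) {
        [$to, $subject] = build_mail($post);
        echo "$to | $subject\n";
    }
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$to, $subject, $body, $headers] = build_mail($_POST);
    mail($to, $subject, $body, $headers);
}
```

    Run from the command line, the first sample goes to the real recipient with the subject "Website feedback" and the second goes to the review mailbox with "Suspected spam: newline in name, link markup in comments". Keeping the checks in spam_reasons() separate from build_mail() makes it easy to add or tune a rule without touching the header construction, which is the part that must stay fixed.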
