Comments on: Contact Spam

By: Tibo

Tibo — Fri, 03 Feb 2006 14:29:56 +0000

A bit of documentation + solution

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

http://www.anders.com/projects/sysadmin/formPostHijacking/

By: EoN604

EoN604 — Mon, 23 Jan 2006 00:13:59 +0000

Captchas ARE a perfectly acceptable solution. As the administrator of a very busy forum, my contact page gets absolutely flooded with spambot messages. I suspect that the people complaining about Captchas are people who have never been on the receiving end of spam such as this.

More importantly, and quite simply, you won’t find any more effective solution than Captchas.

By: Farheen

Farheen — Wed, 02 Feb 2005 11:45:04 +0000

I don’t understand, what’s the problem with the please type in the code image verification thing.

By: Stephan Segraves

Stephan Segraves — Thu, 30 Sep 2004 17:45:18 +0000

Matt, Have you thought about something along the lines of what you use to stop comment spam? When someone uses the form store their IP and timestamp in a temporary table (for a couple of hours) and if they try to contact you a certain amount of times in that given time period they are turned away. I guess the only downside to this would be legitimate users trying to contact you a lot. Simon does something interesting by having a form reveal his actual e-mail address. That's always an option I guess.

By: Chris Burkhardt

Chris Burkhardt — Thu, 30 Sep 2004 05:30:02 +0000

The way to make graphical captchas more accessible is to offer an audible alternative… but still not a very friendly solution.

By: Simon

Simon — Wed, 29 Sep 2004 12:11:47 +0000

Image based captchas (“type the number or word you see in the image above”) are not an acceptable solution.

They aren’t accessible, and if you make them accessible with an alt tag you lose the advantage. They’re also a big pita.

By: Mark Wubben

Mark Wubben — Wed, 29 Sep 2004 10:40:34 +0000

On a contact form you don’t care about manual spam, it’s just a funky e-mail. Spambots which post to the form directly will probably not do anything with the content you return. So, you could send out a unique hash every hour, if users wait too long to submit the form you can let them resubmit it with a new hash. Spambots won’t resubmit, nor is the chance big that they’ll have the unique value, as it changes often.

(Yes, this is very similar to the idea posted in the hackers mailing list some days ago.)

By: Ayush

Ayush — Wed, 29 Sep 2004 01:40:56 +0000

Try implementing this:
http://www.devshed.com/c/a/PHP/Security-Images-in-PHP/

It asks the user to type in what is displayed in a randomly generated image. Make it generate a two-letter word (small enough so people don’t get irritated) and say goodbye to the bots.

By: Dale

Dale — Wed, 29 Sep 2004 00:20:46 +0000

Tried to send a trackback here but it failed. Not sure if it is my problem or here

Anyway:
http://blog.dalegroup.net/archive/blog/newsid/142

By: Matt

Matt — Tue, 28 Sep 2004 22:51:23 +0000

Danny, the contact form goes to a whitelisted address that skips my spam filters specifically for people who are having trouble getting through otherwise. I’ve been getting so much spam lately my filters have become much more aggressive.

By: Jeff Minard

Jeff Minard — Tue, 28 Sep 2004 22:28:41 +0000

Captcha’s are annoying. Perhaps you could so something like include a timestamp on the generation of the form in a hidden field. This way you can say, if the form submission is older than 5-10 minutes, you could then present a captcha to the user to verify the submission.

This would be countered in the future, but it would last well for a time.

You could also try an array of rotating field names, or tying the fieldname in with a date/time stamp, etc etc.

By: Benjamin

Benjamin — Tue, 28 Sep 2004 22:25:36 +0000

The random image would deter visitors, at least on the comment form. It might be a good idea for the contact form, though.

By: Narada

Narada — Tue, 28 Sep 2004 20:17:42 +0000

I’m probably stating or restating the obvious here. Have a random image the text of which must be typed in to use the form. This would be good for the wordpress comment forms as well. What do you think of this solution?

By: Danny Howard

Danny Howard — Tue, 28 Sep 2004 19:27:34 +0000

Well, I get the impression this form sends an e-mail.

Which goes through e-mail.

Which goes through you spam filter.

Which filters out spam.

Which begs the question: who cares?

-danny

By: Sara

Sara — Tue, 28 Sep 2004 19:20:09 +0000

I’m sorry that’s happening to you Matt. I have been lucky with my contact form so far!

By: Abe

Abe — Tue, 28 Sep 2004 18:04:05 +0000

Hi Matt,

I’m curious: What do you see in the referer and user-agent fields of your access logs for spammer posts? Are they posting with some kind of bot, or are they manually entering the spam?

One preventative measure would be to verify that the referer page is what you expect – but of course this wouldn’t work if they’re actually visiting the page with a browser and hand pasting their message.

Abe

By: Bryan

Bryan — Tue, 28 Sep 2004 17:23:03 +0000

Could you perhaps create a self-contained PHP contact form? On my main site, I haven’t gotten hit. Sorry if you’ve already tried that – I’m just throwin’ stuff out.

By: Michael Moncur

Michael Moncur — Tue, 28 Sep 2004 17:17:49 +0000

This happens to me occasionally with my various contact forms. Spammers aren’t known for their brains, and apparently they think their message is reaching more than just me.

Once a spammer gets a hold of one, I change the names of the scripts and variables and they disappear. Sometimes I have to change the URL. In those cases it usually means I’ve showed up on a Google search for something like “contact” or “send email”.

I suppose it won’t be long before we start seeing CAPTCHAS on personal contact forms…

By: Mark Wubben

Mark Wubben — Tue, 28 Sep 2004 16:57:05 +0000

Which means we need a general solution for POST request spam.

Interesting.