My contact form, which sends mail to a whitelisted address so I don’t miss any messages, is getting absolutely hammered by spambots. They’re not hitting my comments and the contact form is something I wrote from scratch, but it has received over 200 spams in the past hour. The more they do stupid stuff like this the more data I have to block them in the future.
Which means we need a general solution for POST request spam.
Interesting.
This happens to me occasionally with my various contact forms. Spammers aren’t known for their brains, and apparently they think their message is reaching more than just me.
Once a spammer gets a hold of one, I change the names of the scripts and variables and they disappear. Sometimes I have to change the URL. In those cases it usually means I’ve shown up on a Google search for something like “contact” or “send email”.
I suppose it won’t be long before we start seeing CAPTCHAS on personal contact forms…
Could you perhaps create a self-contained PHP contact form? On my main site, I haven’t gotten hit. Sorry if you’ve already tried that – I’m just throwin’ stuff out.
Hi Matt,
I’m curious: What do you see in the referer and user-agent fields of your access logs for spammer posts? Are they posting with some kind of bot, or are they manually entering the spam?
One preventative measure would be to verify that the referer page is what you expect – but of course this wouldn’t work if they’re actually visiting the page with a browser and hand pasting their message.
Abe
I’m sorry that’s happening to you Matt. I have been lucky with my contact form so far!
Well, I get the impression this form sends an e-mail.
Which goes through e-mail.
Which goes through your spam filter.
Which filters out spam.
Which begs the question: who cares?
-danny
I’m probably stating or restating the obvious here. Have a random image the text of which must be typed in to use the form. This would be good for the wordpress comment forms as well. What do you think of this solution?
The random image would deter visitors, at least on the comment form. It might be a good idea for the contact form, though.
Captchas are annoying. Perhaps you could do something like include a timestamp on the generation of the form in a hidden field. This way you can say, if the form submission is older than 5-10 minutes, you could then present a captcha to the user to verify the submission.
This would be countered in the future, but it would last well for a time.
You could also try an array of rotating field names, or tying the fieldname in with a date/time stamp, etc etc.
Danny, the contact form goes to a whitelisted address that skips my spam filters specifically for people who are having trouble getting through otherwise. I’ve been getting so much spam lately my filters have become much more aggressive.
Tried to send a trackback here but it failed. Not sure if it is my problem or here.
Anyway:
http://blog.dalegroup.net/archive/blog/newsid/142
Try implementing this:
http://www.devshed.com/c/a/PHP/Security-Images-in-PHP/
It asks the user to type in what is displayed in a randomly generated image. Make it generate a two-letter word (small enough so people don’t get irritated) and say goodbye to the bots.
On a contact form you don’t care about manual spam, it’s just a funky e-mail. Spambots which post to the form directly will probably not do anything with the content you return. So, you could send out a unique hash every hour, if users wait too long to submit the form you can let them resubmit it with a new hash. Spambots won’t resubmit, nor is the chance big that they’ll have the unique value, as it changes often.
(Yes, this is very similar to the idea posted in the hackers mailing list some days ago.)
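The two suggestions above (a timestamp in a hidden field that expires after a few minutes, a rotating field name, and an hourly-changing value that a bot replaying a stale copy of the form won't hold) all reduce to one mechanism: a server-signed, time-limited token. The following is an added example written for this thread, not code from Matt's form or from any commenter; the secret, the field-name prefix, the 10-minute limit and the sample timestamps are assumptions. Both the "expired, show a fresh form" path for slow humans and the "invalid, drop it" path for forged or missing tokens are handled.

```python
"""Signed, time-limited hidden-field token for a contact form (added example)."""
import hashlib
import hmac
import time

SECRET = b"replace-with-a-long-random-server-side-secret"  # assumption: kept server-side only
MAX_AGE_SECONDS = 10 * 60                                  # assumption: accept forms up to 10 minutes old


def issue_token(now=None):
    """Value to place in the hidden field when the form is rendered: '<timestamp>.<hmac>'."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_token(token, now=None):
    """Classify a submitted token: 'ok', 'expired' (re-render with a fresh token) or 'invalid' (drop)."""
    now = now if now is not None else time.time()
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return "invalid"                      # malformed or missing token
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "invalid"                      # signature does not match: forged or tampered
    if ts > now + 60:
        return "invalid"                      # future-dated beyond clock skew: forged
    if now - ts > MAX_AGE_SECONDS:
        return "expired"                      # a slow human; offer a new form rather than reject
    return "ok"


def hourly_field_name(now=None):
    """Rotating hidden-field name tied to the current hour (the 'rotating field names' idea).

    Derived from the secret, so a bot cannot compute it from the clock alone."""
    hour = int((now if now is not None else time.time()) // 3600)
    digest = hmac.new(SECRET, f"field:{hour}".encode(), hashlib.sha256).hexdigest()
    return "f_" + digest[:12]                 # assumption: 'f_' prefix is arbitrary


def handle_submission(fields, now=None):
    """Server-side decision for one POST. `fields` is the submitted form as a dict."""
    t = now if now is not None else time.time()
    current = hourly_field_name(t)
    previous = hourly_field_name(t - 3600)    # accept the previous hour's name across the boundary
    token = fields.get(current) or fields.get(previous)
    if token is None:
        return "invalid"                      # bot posting the old field names, or no token at all
    return check_token(token, t)


if __name__ == "__main__":
    t0 = 1_700_000_000                        # constructed render time
    field = hourly_field_name(t0)
    token = issue_token(t0)
    print(handle_submission({field: token}, now=t0 + 120))        # ok
    print(handle_submission({field: token}, now=t0 + 3600))       # expired -> show fresh form
    print(handle_submission({field: token + "x"}, now=t0))        # invalid -> drop
    print(handle_submission({"message": "spam"}, now=t0))         # invalid -> drop
```

The point of signing rather than just embedding the timestamp is that a bot cannot forge a "fresh" token by rewriting the number; and because a legitimate but slow visitor gets a new form instead of a rejection, the captcha the comment mentions becomes an optional fallback rather than a requirement.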
Image based captchas (“type the number or word you see in the image above”) are not an acceptable solution.
They aren’t accessible, and if you make them accessible with an alt tag you lose the advantage. They’re also a big pita.
The way to make graphical captchas more accessible is to offer an audible alternative… but still not a very friendly solution.
Matt,
Have you thought about something along the lines of what you use to stop comment spam? When someone uses the form store their IP and timestamp in a temporary table (for a couple of hours) and if they try to contact you a certain amount of times in that given time period they are turned away. I guess the only downside to this would be legitimate users trying to contact you a lot.
Simon does something interesting by having a form reveal his actual e-mail address. That’s always an option I guess.
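The IP-plus-timestamp idea two comments up, as an added example that is not code from the thread or from Matt's comment-spam setup: a sliding-window throttle that keeps each IP's recent submission times in a temporary table, turns the IP away once it exceeds a limit within the window, and forgets entries as they age out. The window, the limit and the sample traffic (RFC 5737 documentation addresses) are constructed assumptions. Rejected attempts are deliberately not recorded, so a bot flood cannot grow the table without bound, and the downside the comment notes (a legitimate heavy user being blocked) shows up as the limit itself.

```python
"""Per-IP sliding-window throttle for contact-form submissions (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 2 * 60 * 60   # assumption: "a couple of hours"
LIMIT = 5                      # assumption: submissions allowed per IP per window


class SubmissionThrottle:
    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)   # ip -> accepted timestamps, oldest first

    def _prune(self, ip, now):
        """Drop timestamps older than the window; remove the IP entirely once it is empty."""
        q = self._hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            del self._hits[ip]            # keeps the table temporary, as the comment suggests

    def allow(self, ip, now):
        """Decide one submission: True to accept, False to turn the sender away."""
        self._prune(ip, now)
        q = self._hits[ip]
        if len(q) >= self.limit:
            return False                  # over the limit; not recorded, so the table cannot be flooded
        q.append(now)
        return True

    def tracked_ips(self):
        return set(self._hits)


def process_submissions(events, throttle=None):
    """Run time-ordered (timestamp, ip) events through the throttle.

    Returns {ip: (accepted, rejected)} so the effect on each sender is visible."""
    throttle = throttle or SubmissionThrottle()
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in events:
        stats[ip][0 if throttle.allow(ip, ts) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed sample traffic: one bot firing 200 posts over an hour (every 18 s),
# one human sending two messages ten minutes apart.
SAMPLE_EVENTS = sorted(
    [(1_700_000_000 + i * 18, "203.0.113.9") for i in range(200)]
    + [(1_700_000_300, "198.51.100.7"), (1_700_000_900, "198.51.100.7")]
)

if __name__ == "__main__":
    for ip, (ok, blocked) in process_submissions(SAMPLE_EVENTS).items():
        print(f"{ip}: accepted={ok} rejected={blocked}")
```

With these constructed numbers the bot gets its first five messages through and the remaining 195 are turned away, while the human is never touched; once two hours pass without accepted submissions, the bot's entry is pruned and it is back to a clean slate, which is the trade-off the comment describes between a temporary table and a permanent block.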
I don’t understand, what’s the problem with the “please type in the code” image verification thing?
Captchas ARE a perfectly acceptable solution. As the administrator of a very busy forum, my contact page gets absolutely flooded with spambot messages. I suspect that the people complaining about Captchas are people who have never been on the receiving end of spam such as this.
More importantly, and quite simply, you won’t find any more effective solution than Captchas.
A bit of documentation + solution
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
http://www.anders.com/projects/sysadmin/formPostHijacking/
http://ryanduff.net/?p=369