
How to stop spam email coming through my web form?

I have a web form that keeps getting submissions from what I'm guessing is a spambot. None of the data I'm getting in the emails matches the form on the website, not even the subject line, which is a hidden input. I can't figure out how to stop them. I tried using reCAPTCHA but couldn't make it work (kinda hate it anyway). I also tried using a honeypot trap and a couple of JavaScript scripts, but nothing stops the emails.

This is the form:

    <form name="form1" id="form1" method="post" action="formmail.php" onsubmit="return trappetyTrap();" enctype="multipart/form-data">

        <input type="hidden" name="recipients" value="me@email">

        <input type="hidden" name="good_url" value="http://whatever/good_page.php">
        <input type="hidden" name="bad_url" value="http://whatever/bad_page.php">

        <input type="hidden" name="subject" value="Sent from website">

        <label for="person">Your Name : </label>
        <input type="text" name="person" id="person" size="39">

        <label for="email">Email : </label>
        <input type="text" name="email" id="email" size="39">

        <label for="company">Company Name (if applicable):</label>
        <input type="text" name="company" id="company" size="39">

        <label for="phone">Contact Phone :</label>
        <input type="text" name="phone" id="phone" size="39">

        <!-- THIS IS TO KEEP THE B.O.T.S. AWAY-->
        <!-- IT USES THE JS AT THE BOTTOM OF THE DOCUMENT TO STOP SUBMISSIONS -->
        <!-- FROM ANYTHING WITH THIS FIELD FILLED IN -->
        <label for="ruse" id="ruse_label">Keep this field blank</label>
        <input type="text" name="ruse" id="ruse" class="ruse" />
        <!-- END B.O.T. TRAP -->

        <label for="message">Talk to us:</label>
        <textarea name="message" id="message" rows="10" cols="47"></textarea>

        <button type="submit" class="submit">Submit</button>
    </form>

I changed some of the data in there, like the email address and the url, to protect my client's anonymity. This is the script for the honeypot trap.

    function trappetyTrap() {
        // This is only here because jslint told me to put it here
        "use strict";
        // The field is empty, submit the form.
        if (!document.getElementById("ruse").value) {
            return true;
        // If an 'author' input exists - it's a spam bot
        } else if (document.getElementsByName("author")) {
            return false;
        } else {
            // the field has a value it's a spam bot
            return false;
        }
    }

As you can see, I'm using a hidden field to trap the bots and I'm trying to pick out a field called author and block any submissions that contain it. You might be thinking there's no input with that name and you'd be right. I think it was part of an old form that was deleted a while ago. This is the data I'm receiving from the emails.

    From: <pberman@srafoods.com>
    Date: 7 Dec. 2017 3:50 am
    Subject: Imaginary Worlds Submission
    To: <me@email>
    Cc:

    email: pberman@srafoods.com
    realname:
    author:
    phone:
    storyTitle:
    storyFile:

This is an alternate version of the js. It tries to use the subject line of the email to block the spambot.

    // Get the value of the subject line of the email - add to variable
    var iws = document.getElementsByName("subject").value;
    // start function
    function trappetyTrap() {
        // This is only here because jslint told me to put it here
        "use strict";
        // The field is empty, submit the form.
        if (!document.getElementById("ruse").value) {
            return true;
        //} else if (iws === "Imaginary Worlds Submission") {
            return false;
        } else {
            // the field has a value it's a spam bot
            return false;
        }
    }

None of this works. What can I do?
Dec 11 '17 #1
There are a few things you can do:

Test their patience with powerful form field validation
Nuke 'em with the big one - CAPTCHA
Use data confirmation screen

You may also try addons like Web-form-buddy.
Dec 11 '17 #2
tdrsam
97 64KB
Okay. Thanks. I tried the form field validation which didn't work. I'm now trying the data confirmation screen and we'll see how it goes. I'm also thinking the php script might be the hacker's target rather than the web form, so I've got another idea there. Thanks again.
Dec 12 '17 #3
gits
5,390 Expert Mod 4TB
Well, to be honest, how could you be sure that it happens through your site? The easiest way for the spammer would be to just use your form action as a target for a local script that submits whatever to it. He can look up what your field names are, thus knowing what key/values your PHP script expects. So the only safe validation would be at the server side, where you should check the content, headers like the Origin header for example, and such. You have a public entry point, which is the purpose of your form of course, thus you can't really avoid that data is sent to it because of its nature. Using a local copy of your form and changing it locally will allow sending whatever the attacker wants to this entry point. So just validate at the server.
Dec 15 '17 #4
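
An added example of the server-side validation suggested in the reply above; it is not part of the thread or of formmail.php. The field names and the fixed subject are taken from the form in the question, while `ALLOWED_ORIGIN` and the helper name `rejection_reasons` are assumptions made for illustration.

```php
<?php
// Added example: checks to run on the server before any mail is sent.
const ALLOWED_ORIGIN  = 'https://www.example.com'; // placeholder: your site's origin
const FIXED_SUBJECT   = 'Sent from website';       // hidden subject from the form
const EXPECTED_FIELDS = ['recipients', 'good_url', 'bad_url', 'subject', 'person',
                         'email', 'company', 'phone', 'ruse', 'message'];

/** Hypothetical helper: returns reasons to reject; an empty array means accept. */
function rejection_reasons(array $post, array $server): array
{
    $reasons = [];
    // 1. Keys the real form never sends (the spam carried author, storyTitle, ...).
    $unknown = array_diff(array_keys($post), EXPECTED_FIELDS);
    if ($unknown) {
        $reasons[] = 'unexpected fields: ' . implode(', ', $unknown);
    }
    // 2. Honeypot must arrive and be empty; onsubmit never runs for a direct POST.
    if (!isset($post['ruse']) || $post['ruse'] !== '') {
        $reasons[] = 'honeypot missing or filled';
    }
    // 3. The hidden subject is a constant, so compare it instead of trusting it.
    if (($post['subject'] ?? null) !== FIXED_SUBJECT) {
        $reasons[] = 'subject does not match the form';
    }
    // 4. Origin can be forged by a script, so it is one signal among several.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin !== '' && $origin !== ALLOWED_ORIGIN) {
        $reasons[] = 'foreign Origin header';
    }
    // 5. Content: valid address, and no CR/LF that could inject mail headers.
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'invalid email address';
    }
    foreach (['person', 'email', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || preg_match('/[\r\n]/', $value)) {
            $reasons[] = "bad value in $field";
        }
    }
    return $reasons;
}

// Constructed sample with the field names seen in the spam email above.
$spam = ['email' => 'bot@example.org', 'realname' => '', 'author' => '',
         'phone' => '', 'storyTitle' => '', 'storyFile' => ''];
print_r(rejection_reasons($spam, ['HTTP_ORIGIN' => 'https://elsewhere.example']));
```

Call it with `$_POST` and `$_SERVER` at the top of the script the form posts to and stop without sending mail when the array is not empty; uploaded files arrive in `$_FILES` and need their own check.
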
Seneltali
1 Bit
Well... I have this problem and I really don't know what is happening or why. If someone knows how to stop spam email coming through my web form, please help me. I also have some friends who have the same problem with spam email, and they found a solution for a short period and then those spam emails started again. One of them told me once that email deliverability is the ability to deliver emails to subscribers’ inboxes and some specialists use it to gauge the likelihood of their email campaigns reaching their subscribers’ inboxes related to actual delivery–like ISPs, throttling, bounces, spam issues, and bulking.
Jul 13 '21 #5
