Bytes IT Community

How to stop spam email coming through my web form?

P: 97
I have a web form that keeps getting submissions from what I'm guessing is a spambot. None of the data I'm getting in the emails matches the form on the website, not even the subject line, which is a hidden input. I can't figure out how to stop them. I tried using reCAPTCHA but couldn't make it work (kinda hate it anyway); I also tried using a honeypot trap and a couple of JavaScript scripts, but nothing stops the emails.

This is the form:

<form name="form1" id="form1" method="post" action="formmail.php" onsubmit="return trappetyTrap();" enctype="multipart/form-data">

    <input type="hidden" name="recipients" value="me@email">

    <input type="hidden" name="good_url" value="http://whatever/good_page.php">
    <input type="hidden" name="bad_url" value="http://whatever/bad_page.php">

    <input type="hidden" name="subject" value="Sent from website">

    <label for="person">Your Name : </label>
    <input type="text" name="person" id="person" size="39">

    <label for="email">Email : </label>
    <input type="text" name="email" id="email" size="39">

    <label for="company">Company Name (if applicable):</label>
    <input type="text" name="company" id="company" size="39">

    <label for="phone">Contact Phone :</label>
    <input type="text" name="phone" id="phone" size="39">

    <!-- THIS IS TO KEEP THE B.O.T.S. AWAY-->
    <!-- IT USES THE JS AT THE BOTTOM OF THE DOCUMENT TO STOP SUBMISSIONS -->
    <!-- FROM ANYTHING WITH THIS FIELD FILLED IN -->
    <label for="ruse" id="ruse_label">Keep this field blank</label>
    <input type="text" name="ruse" id="ruse" class="ruse" />
    <!-- END B.O.T. TRAP -->

    <label for="message">Talk to us:</label>
    <textarea name="message" id="message" rows="10" cols="47"></textarea>

    <button type="submit" class="submit">Submit</button>
</form>

I changed some of the data in there, like the email address and the URL, to protect my client's anonymity. This is the script for the honeypot trap.

function trappetyTrap() {
    // This is only here because jslint told me to put it here
    "use strict";
    // The honeypot field is empty: submit the form.
    if (!document.getElementById("ruse").value) {
        return true;
    // If an 'author' input exists it's a spam bot.
    // getElementsByName() returns a NodeList, which is always truthy,
    // so test its length rather than the list object itself.
    } else if (document.getElementsByName("author").length > 0) {
        return false;
    } else {
        // the field has a value: it's a spam bot
        return false;
    }
}

As you can see, I'm using a hidden field to trap the bots and I'm trying to pick out a field called author and block any submissions that contain it. You might be thinking there's no input with that name, and you'd be right. I think it was part of an old form that was deleted a while ago. This is the data I'm receiving in the emails.

From: <pberman@srafoods.com>
Date: 7 Dec. 2017 3:50 am
Subject: Imaginary Worlds Submission
To: <me@email>
Cc:

email: pberman@srafoods.com
realname:
author:
phone:
storyTitle:
storyFile:

This is an alternate version of the JS. It tries to use the subject line of the email to block the spambot.

// Get the value of the hidden subject input and store it in a variable.
// getElementsByName() returns a NodeList, so read .value from its first
// element; the NodeList itself has no .value property.
var iws = document.getElementsByName("subject")[0].value;
// start function
function trappetyTrap() {
    // This is only here because jslint told me to put it here
    "use strict";
    // The honeypot field is empty: submit the form.
    if (!document.getElementById("ruse").value) {
        return true;
    // The subject matches the spam we keep receiving: block it.
    } else if (iws === "Imaginary Worlds Submission") {
        return false;
    } else {
        // the field has a value: it's a spam bot
        return false;
    }
}

None of this works. What can I do?
Dec 11 '17 #1
3 Replies


P: 6
There are a few things you can do:

Test their patience with powerful form field validation
Nuke 'em with the big one - CAPTCHA
Use a data confirmation screen

You may also try addons like Web-form-buddy.
Dec 11 '17 #2

P: 97
Okay. Thanks. I tried the form field validation, which didn't work. I'm now trying the data confirmation screen and we'll see how it goes. I'm also thinking the PHP script might be the hacker's target rather than the web form, so I've got another idea there. Thanks again.
Dec 12 '17 #3

gits
Expert Mod 5K+
P: 5,293
Well, to be honest, how could you be sure that it happens through your site? The easiest way for the spammer would be to just use your form action as a target for a local script that submits whatever to it. He can look up what your field names are, thus knowing what key/values your PHP script expects. So the only safe validation would be at the server side, where you should check the content, headers like the Origin header for example, and such. You have a public entry point, which is the purpose of your form of course, thus you can't really avoid that data is sent to it because of its nature. Using a local copy of your form and changing it locally will allow the attacker to send whatever he wants to this entry point. So just validate at the server.
Dec 15 '17 #4
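Below is an added illustration of the server-side checks gits describes, applied to the field set of the form posted above. It is not the page's formmail.php and it is not written by anyone in this thread; it is in Python rather than PHP so the logic reads stand-alone, and the same checks port directly to the PHP handler. The hostname "whatever" (taken from the placeholder URLs in the form), the recipient "me@email", the LEGIT_POST sample and the SPAM_POST sample (shaped like the email data shown above) are all constructed placeholders. Note that it enforces the honeypot on the server, rejects any request whose field names are not exactly the form's, and fixes the recipient address in server-side code instead of reading it from the posted "recipients" field.

```python
"""Server-side validation for the contact form above (added example, not
the page's formmail.php). Hosts, addresses and sample requests are constructed."""
from __future__ import annotations

import re
from typing import Mapping
from urllib.parse import urlsplit

# The exact field set the form on the page submits; anything else is rejected.
EXPECTED_FIELDS = {"recipients", "good_url", "bad_url", "subject",
                   "person", "email", "company", "phone", "ruse", "message"}
REQUIRED_FIELDS = {"person", "email", "message"}
HONEYPOT_FIELD = "ruse"                 # must stay empty, as on the page's form
EXPECTED_SUBJECT = "Sent from website"  # the hidden value the page's form carries
ALLOWED_HOSTS = {"whatever"}            # constructed placeholder: the site's own host
FIXED_RECIPIENT = "me@email"            # set here, never read from the POST body

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CRLF_RE = re.compile(r"[\r\n]")


def validate_submission(form: Mapping[str, str],
                        headers: Mapping[str, str]) -> list[str]:
    """Return the reasons to reject this POST; an empty list means accept."""
    problems: list[str] = []

    # 1. The request should come from a page on our own site. A script posting
    #    straight to the endpoint usually sends no Origin/Referer, or a foreign
    #    one. Headers can be forged, so this is a cheap first filter, not proof.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if urlsplit(source).hostname not in ALLOWED_HOSTS:
        problems.append("origin/referer not from this site")

    # 2. The field set must match the form exactly. The spam shown on the page
    #    carries author/realname/storyTitle, none of which the form has.
    unexpected = set(form) - EXPECTED_FIELDS
    if unexpected:
        problems.append("unexpected fields: " + ", ".join(sorted(unexpected)))
    missing = {f for f in REQUIRED_FIELDS if not form.get(f, "").strip()}
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))

    # 3. The honeypot is enforced here, where a bot cannot skip the JavaScript.
    if form.get(HONEYPOT_FIELD, "").strip():
        problems.append("honeypot field filled in")

    # 4. The hidden subject is a constant; any other value did not come from our form.
    if form.get("subject") != EXPECTED_SUBJECT:
        problems.append("subject does not match the form's hidden value")

    # 5. Values that end up in mail headers must be single-line and well-formed.
    for field in ("person", "email", "subject"):
        if CRLF_RE.search(form.get(field, "")):
            problems.append(f"newline in header-bound field {field}")
    if "email" in form and not EMAIL_RE.match(form["email"]):
        problems.append("malformed email address")

    return problems


def build_message(form: Mapping[str, str]) -> dict[str, str]:
    """Assemble the mail. The recipient is fixed server-side, so whatever the
    client posted in 'recipients' is ignored rather than trusted."""
    body = "\n".join(f"{k}: {form.get(k, '')}"
                     for k in ("person", "email", "company", "phone", "message"))
    return {"to": FIXED_RECIPIENT, "subject": EXPECTED_SUBJECT, "body": body}


# Constructed sample requests: one from the real form, and one shaped like the
# spam shown on the page (different field names, no honeypot, no Origin header).
LEGIT_HEADERS = {"Origin": "http://whatever"}
LEGIT_POST = {"recipients": "me@email", "good_url": "http://whatever/good_page.php",
              "bad_url": "http://whatever/bad_page.php", "subject": "Sent from website",
              "person": "Jane Doe", "email": "jane@example.com", "company": "",
              "phone": "555-0100", "ruse": "", "message": "Hello"}
SPAM_HEADERS: dict[str, str] = {}
SPAM_POST = {"email": "pberman@srafoods.com", "realname": "", "author": "",
             "phone": "", "storyTitle": "", "storyFile": ""}

if __name__ == "__main__":
    for label, post, hdrs in (("legit", LEGIT_POST, LEGIT_HEADERS),
                              ("spam", SPAM_POST, SPAM_HEADERS)):
        print(label, validate_submission(post, hdrs) or "accepted")
```

Run stand-alone, the legitimate sample is accepted and the spam-shaped one is rejected for four separate reasons (no site origin, unknown field names, missing required fields, wrong hidden subject), so even a bot that learns to leave the honeypot empty still fails. In the PHP handler the equivalent inputs are $_POST and $_SERVER['HTTP_ORIGIN'] / $_SERVER['HTTP_REFERER'].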
