Preventing spammers from using mail form

MikeB wrote:

I created a small website for a friend. On this website he has a
contact page where people can send him email. When I wrote this page I
checked some tutorial pages and they warned about certain precautions
to take to avoid spammers using the mail form to spam multiple
people.

I believe I did most of that, such as making sure that the header
fields does not include multiple addresses, etc.

Now it does seem some spammer has discovered this website and he is
spamming my friend. 20 emails today.

So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

The website is (owen pool care [dot] com), (remove all spaces)if
anyone is interested in looking at the sitet.

I guess I can also post it somewhere, but I don't know exactly where.

Thanks for any advice.

One simple trick that has worked well for me is to build the Submit
button in JavaScript (loaded from a *.js file) instead of HTML. It
doesn't stop determined humans, so you occasionally get advertising from
Chinese firms that use slave labor to do their spamming, but it stops
robots cold. Naturally you need a <NOSCRIPTwarnin g about this.

Other than that, the usual method is to use a CAPTCHA.

--
John W. Kennedy
"Compact is becoming contract,
Man only earns and pays."
-- Charles Williams. "Bors to Elayne: On the King's Coins"

"John W Kennedy" <jw*****@attglo bal.netwrote in message
news:48******** *************** @cv.net...

MikeB wrote:

>I created a small website for a friend. On this website he has a
contact page where people can send him email. When I wrote this page I
checked some tutorial pages and they warned about certain precautions
to take to avoid spammers using the mail form to spam multiple
people.

I believe I did most of that, such as making sure that the header
fields does not include multiple addresses, etc.

Now it does seem some spammer has discovered this website and he is
spamming my friend. 20 emails today.

So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

The website is (owen pool care [dot] com), (remove all spaces)if
anyone is interested in looking at the sitet.

I guess I can also post it somewhere, but I don't know exactly where.

Thanks for any advice.

One simple trick that has worked well for me is to build the Submit button
in JavaScript (loaded from a *.js file) instead of HTML. It doesn't stop
determined humans, so you occasionally get advertising from Chinese firms
that use slave labor to do their spamming, but it stops robots cold.
Naturally you need a <NOSCRIPTwarnin g about this.

Other than that, the usual method is to use a CAPTCHA.

good point, jon. you've made it impossible to for some people to submit now
though. js-disabled browser, i mean. yes, there are still some who don't
allow js. :)

captcha stuff is good. don't forget the parsing we still need to do to
insure no one is putting in other directives - other than to whom (usually a
single individual) the email is intended to be sent. for this op, parsing
and captcha should take care of the problem. there should be no 'to' for the
user to fill out, so, the body (probably textarea) of the email is all there
is to parse.

cheers

Message-ID:
<ed************ *************** *******@w7g2000 hsa.googlegroup s.comfrom
MikeB contained the following:

>So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

Personally I hate captchas and I think they are over the top for a
simple enquiry form like this. I like captchas when they are there for
/my/ security but this one isn't, it's for your client's benefit alone.
Besides accessibility issues, they are just another obstacle for
potential customers - never a good idea. So I'd look for other ways
first and use CAPTCHA as a last, rather than first resort.

One of my client's forms was being spammed by a bot that filled all
fields with garbage. One simple way to stop this is to have an extra
field, hidden by CSS

<label for='secret_fie ld' style='display: none'>Please leave blank <input
name='secret_fi eld'id='secret_ field'></label>

The bot will either fill the field with garbage or omit it entirely,
both easily detectable.

--
Geoff Berrow 011000100110110 0010000000110
001101101011011 001000110111101 100111001011
100110001101101 111001011100111 010101101011
http://slipperyhill.co.uk

On Jul 21, 12:43*am, MikeB <MPBr...@gmail. comwrote:

I created a small website for a friend. On this website he has a
contact page where people can send him email. When I wrote this page I
checked some tutorial pages and they warned about certain precautions
to take to avoid spammers using the mail form to spam multiple
people.

I believe I did most of that, such as making sure that the header
fields does not include multiple addresses, etc.

Now it does seem some spammer has discovered this website and he is
spamming my friend. 20 emails today.

So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

The website is (owen pool care [dot] com), (remove all spaces)if
anyone is interested in looking at the sitet.

I guess I can also post it somewhere, but I don't know exactly where.

Thanks for any advice.

How about reporting the Email sender for spamming, NOT SURE but I
think you take the domain name and send an email to the ISP something
like this "ab***@isp-domain-name.com" I may be wrong but someone else
will be able add more. Or just google report spammers for more info.

VoodooJai

Geoff Berrow wrote:

Message-ID:
<ed************ *************** *******@w7g2000 hsa.googlegroup s.comfrom
MikeB contained the following:

>So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

Personally I hate captchas and I think they are over the top for a
simple enquiry form like this. I like captchas when they are there for
/my/ security but this one isn't, it's for your client's benefit alone.
Besides accessibility issues, they are just another obstacle for
potential customers - never a good idea. So I'd look for other ways
first and use CAPTCHA as a last, rather than first resort.

One of my client's forms was being spammed by a bot that filled all
fields with garbage. One simple way to stop this is to have an extra
field, hidden by CSS

<label for='secret_fie ld' style='display: none'>Please leave blank <input
name='secret_fi eld'id='secret_ field'></label>

I like that. I assume that you actually have some value in the
"secret_fie ld" or you'd never know it was omitted. I know that's the
case in perl, can you tell a blank posted field from an omitted field in
php?

Jeff

>
The bot will either fill the field with garbage or omit it entirely,
both easily detectable.

..oO(Jeff)

>Geoff Berrow wrote:

>One of my client's forms was being spammed by a bot that filled all
fields with garbage. One simple way to stop this is to have an extra
field, hidden by CSS

<label for='secret_fie ld' style='display: none'>Please leave blank <input
name='secret_f ield'id='secret _field'></label>

I like that.

Many refer to it as "honeypot".

>I assume that you actually have some value in the
"secret_fiel d" or you'd never know it was omitted. I know that's the
case in perl, can you tell a blank posted field from an omitted field in
php?

Yes, empty input fields are considered "successful controls" and
submitted. It doesn't matter which language you use on the server.

Micha

Voodoo Jai wrote:

On Jul 21, 12:43 am, MikeB <MPBr...@gmail. comwrote:

>I created a small website for a friend. On this website he has a
contact page where people can send him email. When I wrote this page I
checked some tutorial pages and they warned about certain precautions
to take to avoid spammers using the mail form to spam multiple
people.

I believe I did most of that, such as making sure that the header
fields does not include multiple addresses, etc.

Now it does seem some spammer has discovered this website and he is
spamming my friend. 20 emails today.

So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

The website is (owen pool care [dot] com), (remove all spaces)if
anyone is interested in looking at the sitet.

I guess I can also post it somewhere, but I don't know exactly where.

Thanks for any advice.

How about reporting the Email sender for spamming, NOT SURE but I
think you take the domain name and send an email to the ISP something
like this "ab***@isp-domain-name.com" I may be wrong but someone else
will be able add more. Or just google report spammers for more info.

VoodooJai

How do you know who the ISP is? Spammers often use proxies, for
instance, so you don't know their original IP.

And even if you do, many ISP's don't care their users are spamming and
will do nothing about it. Only better ones will take any action, and
that will almost always just be a "don't do this again" to the spammer.

It's not like hosting companies who will kill a spammer's account.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Message-ID: <AZ************ *************** ***@earthlink.c omfrom Jeff
contained the following:

I like that. I assume that you actually have some value in the
"secret_fiel d" or you'd never know it was omitted. I know that's the
case in perl, can you tell a blank posted field from an omitted field in
php?

if(!isset($_POS T['secret_field'])||$_POST['secret_field']!=""){
//mail is spam
}
else{
//send mail
}
--
Geoff Berrow 011000100110110 0010000000110
001101101011011 001000110111101 100111001011
100110001101101 111001011100111 010101101011
http://slipperyhill.co.uk

On Jul 21, 1:55 am, Geoff Berrow <blthe...@ckdog .co.ukwrote:

Message-ID:
<edcd4a73-d3b9-4e52-b186-e891b95a3...@w7 g2000hsa.google groups.comfrom
MikeB contained the following:

So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

Personally I hate captchas and I think they are over the top for a
simple enquiry form like this. I like captchas when they are there for
/my/ security but this one isn't, it's for your client's benefit alone.
Besides accessibility issues, they are just another obstacle for
potential customers - never a good idea. So I'd look for other ways
first and use CAPTCHA as a last, rather than first resort.

One of my client's forms was being spammed by a bot that filled all
fields with garbage. One simple way to stop this is to have an extra
field, hidden by CSS

<label for='secret_fie ld' style='display: none'>Please leave blank <input
name='secret_fi eld'id='secret_ field'></label>

The bot will either fill the field with garbage or omit it entirely,
both easily detectable.

--
Geoff Berrow 011000100110110 0010000000110
001101101011011 001000110111101 100111001011
100110001101101 111001011100111 010101101011htt p://slipperyhill.co .uk

This is a nice idea. I'll look into it. For now, last night I
implemented a captcha and it stopped the spam. That is a great help.

Thanks for all the advice.