
Preventing spammers from using mail form

I created a small website for a friend. On this website he has a
contact page where people can send him email. When I wrote this page I
checked some tutorial pages and they warned about certain precautions
to take to avoid spammers using the mail form to spam multiple
people.

I believe I did most of that, such as making sure that the header
fields do not include multiple addresses, etc.

Now it does seem some spammer has discovered this website and he is
spamming my friend. 20 emails today.

So I figure I need to add more things to the script to stop him. One
obvious thought that came to my mind is to use a captcha. Will that be
the way to go or are there other things that I need to do?

The website is (owen pool care [dot] com), (remove all spaces) if
anyone is interested in looking at the site.

I guess I can also post it somewhere, but I don't know exactly where.

Thanks for any advice.
Jul 20 '08 #1
12 Replies


MikeB wrote:
> I created a small website for a friend. On this website he has a
> contact page where people can send him email. When I wrote this page I
> checked some tutorial pages and they warned about certain precautions
> to take to avoid spammers using the mail form to spam multiple
> people.
>
> I believe I did most of that, such as making sure that the header
> fields do not include multiple addresses, etc.
>
> Now it does seem some spammer has discovered this website and he is
> spamming my friend. 20 emails today.
>
> So I figure I need to add more things to the script to stop him. One
> obvious thought that came to my mind is to use a captcha. Will that be
> the way to go or are there other things that I need to do?
>
> The website is (owen pool care [dot] com), (remove all spaces) if
> anyone is interested in looking at the site.
>
> I guess I can also post it somewhere, but I don't know exactly where.
>
> Thanks for any advice.

One simple trick that has worked well for me is to build the Submit
button in JavaScript (loaded from a *.js file) instead of HTML. It
doesn't stop determined humans, so you occasionally get advertising from
Chinese firms that use slave labor to do their spamming, but it stops
robots cold. Naturally you need a <NOSCRIPT> warning about this.

Other than that, the usual method is to use a CAPTCHA.

--
John W. Kennedy
"Compact is becoming contract,
Man only earns and pays."
-- Charles Williams. "Bors to Elayne: On the King's Coins"
Jul 21 '08 #2

"John W Kennedy" <jw*****@attglobal.net> wrote in message
news:48***********************@cv.net...
> MikeB wrote:
>> I created a small website for a friend. On this website he has a
>> contact page where people can send him email. When I wrote this page I
>> checked some tutorial pages and they warned about certain precautions
>> to take to avoid spammers using the mail form to spam multiple
>> people.
>>
>> I believe I did most of that, such as making sure that the header
>> fields do not include multiple addresses, etc.
>>
>> Now it does seem some spammer has discovered this website and he is
>> spamming my friend. 20 emails today.
>>
>> So I figure I need to add more things to the script to stop him. One
>> obvious thought that came to my mind is to use a captcha. Will that be
>> the way to go or are there other things that I need to do?
>>
>> The website is (owen pool care [dot] com), (remove all spaces) if
>> anyone is interested in looking at the site.
>>
>> I guess I can also post it somewhere, but I don't know exactly where.
>>
>> Thanks for any advice.
>
> One simple trick that has worked well for me is to build the Submit button
> in JavaScript (loaded from a *.js file) instead of HTML. It doesn't stop
> determined humans, so you occasionally get advertising from Chinese firms
> that use slave labor to do their spamming, but it stops robots cold.
> Naturally you need a <NOSCRIPT> warning about this.
>
> Other than that, the usual method is to use a CAPTCHA.

good point, jon. you've made it impossible for some people to submit now
though. js-disabled browser, i mean. yes, there are still some who don't
allow js. :)

captcha stuff is good. don't forget the parsing we still need to do to
ensure no one is putting in other directives - other than to whom (usually a
single individual) the email is intended to be sent. for this op, parsing
and captcha should take care of the problem. there should be no 'to' for the
user to fill out, so, the body (probably textarea) of the email is all there
is to parse.

cheers
Jul 21 '08 #3

Message-ID:
<ed**********************************@w7g2000hsa.googlegroups.com> from
MikeB contained the following:
> So I figure I need to add more things to the script to stop him. One
> obvious thought that came to my mind is to use a captcha. Will that be
> the way to go or are there other things that I need to do?

Personally I hate captchas and I think they are over the top for a
simple enquiry form like this. I like captchas when they are there for
/my/ security but this one isn't, it's for your client's benefit alone.
Besides accessibility issues, they are just another obstacle for
potential customers - never a good idea. So I'd look for other ways
first and use CAPTCHA as a last, rather than first resort.

One of my client's forms was being spammed by a bot that filled all
fields with garbage. One simple way to stop this is to have an extra
field, hidden by CSS

<label for='secret_field' style='display:none'>Please leave blank <input
name='secret_field' id='secret_field'></label>

The bot will either fill the field with garbage or omit it entirely,
both easily detectable.

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk
Jul 21 '08 #4

On Jul 21, 12:43 am, MikeB <MPBr...@gmail.com> wrote:
> I created a small website for a friend. On this website he has a
> contact page where people can send him email. When I wrote this page I
> checked some tutorial pages and they warned about certain precautions
> to take to avoid spammers using the mail form to spam multiple
> people.
>
> I believe I did most of that, such as making sure that the header
> fields do not include multiple addresses, etc.
>
> Now it does seem some spammer has discovered this website and he is
> spamming my friend. 20 emails today.
>
> So I figure I need to add more things to the script to stop him. One
> obvious thought that came to my mind is to use a captcha. Will that be
> the way to go or are there other things that I need to do?
>
> The website is (owen pool care [dot] com), (remove all spaces) if
> anyone is interested in looking at the site.
>
> I guess I can also post it somewhere, but I don't know exactly where.
>
> Thanks for any advice.

How about reporting the Email sender for spamming, NOT SURE but I
think you take the domain name and send an email to the ISP something
like this "ab***@isp-domain-name.com" I may be wrong but someone else
will be able to add more. Or just google report spammers for more info.

VoodooJai
Jul 21 '08 #5

Geoff Berrow wrote:
> Message-ID:
> <ed**********************************@w7g2000hsa.googlegroups.com> from
> MikeB contained the following:
>> So I figure I need to add more things to the script to stop him. One
>> obvious thought that came to my mind is to use a captcha. Will that be
>> the way to go or are there other things that I need to do?
>
> Personally I hate captchas and I think they are over the top for a
> simple enquiry form like this. I like captchas when they are there for
> /my/ security but this one isn't, it's for your client's benefit alone.
> Besides accessibility issues, they are just another obstacle for
> potential customers - never a good idea. So I'd look for other ways
> first and use CAPTCHA as a last, rather than first resort.
>
> One of my client's forms was being spammed by a bot that filled all
> fields with garbage. One simple way to stop this is to have an extra
> field, hidden by CSS
>
> <label for='secret_field' style='display:none'>Please leave blank <input
> name='secret_field' id='secret_field'></label>

I like that. I assume that you actually have some value in the
"secret_field" or you'd never know it was omitted. I know that's the
case in perl, can you tell a blank posted field from an omitted field in
php?

Jeff

> The bot will either fill the field with garbage or omit it entirely,
> both easily detectable.
Jul 21 '08 #6

.oO(Jeff)

> Geoff Berrow wrote:
>> One of my client's forms was being spammed by a bot that filled all
>> fields with garbage. One simple way to stop this is to have an extra
>> field, hidden by CSS
>>
>> <label for='secret_field' style='display:none'>Please leave blank <input
>> name='secret_field' id='secret_field'></label>
>
> I like that.

Many refer to it as "honeypot".

> I assume that you actually have some value in the
> "secret_field" or you'd never know it was omitted. I know that's the
> case in perl, can you tell a blank posted field from an omitted field in
> php?

Yes, empty input fields are considered "successful controls" and
submitted. It doesn't matter which language you use on the server.

Micha
Jul 21 '08 #7

Voodoo Jai wrote:
> On Jul 21, 12:43 am, MikeB <MPBr...@gmail.com> wrote:
>> I created a small website for a friend. On this website he has a
>> contact page where people can send him email. When I wrote this page I
>> checked some tutorial pages and they warned about certain precautions
>> to take to avoid spammers using the mail form to spam multiple
>> people.
>>
>> I believe I did most of that, such as making sure that the header
>> fields do not include multiple addresses, etc.
>>
>> Now it does seem some spammer has discovered this website and he is
>> spamming my friend. 20 emails today.
>>
>> So I figure I need to add more things to the script to stop him. One
>> obvious thought that came to my mind is to use a captcha. Will that be
>> the way to go or are there other things that I need to do?
>>
>> The website is (owen pool care [dot] com), (remove all spaces) if
>> anyone is interested in looking at the site.
>>
>> I guess I can also post it somewhere, but I don't know exactly where.
>>
>> Thanks for any advice.
>
> How about reporting the Email sender for spamming, NOT SURE but I
> think you take the domain name and send an email to the ISP something
> like this "ab***@isp-domain-name.com" I may be wrong but someone else
> will be able to add more. Or just google report spammers for more info.
>
> VoodooJai

How do you know who the ISP is? Spammers often use proxies, for
instance, so you don't know their original IP.

And even if you do, many ISP's don't care their users are spamming and
will do nothing about it. Only better ones will take any action, and
that will almost always just be a "don't do this again" to the spammer.

It's not like hosting companies who will kill a spammer's account.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jul 21 '08 #8

Message-ID: <AZ******************************@earthlink.com> from Jeff
contained the following:
> I like that. I assume that you actually have some value in the
> "secret_field" or you'd never know it was omitted. I know that's the
> case in perl, can you tell a blank posted field from an omitted field in
> php?

if(!isset($_POST['secret_field'])||$_POST['secret_field']!=""){
    //mail is spam
}
else{
    //send mail
}
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk
Jul 21 '08 #9
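
Added example (not part of any post in this thread): the honeypot test from #9 combined with the header parsing mentioned in #3, as one PHP validation function run over constructed submissions. Apart from `secret_field`, the field names and both function names are assumptions.

```php
<?php
// Added example, not code from the thread. Only secret_field comes from the
// posts; the other field names and both function names are assumptions.

function has_header_injection(string $value): bool
{
    // A CR or LF in a value copied into a mail header starts a new header line.
    return preg_match('/[\r\n]/', $value) === 1;
}

function classify_submission(array $post): string
{
    // Honeypot: a browser submits the CSS-hidden text input as an empty string,
    // so a missing key or any content marks an automated submission.
    if (!isset($post['secret_field']) || $post['secret_field'] !== '') {
        return 'spam: honeypot';
    }
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return "reject: missing $field";
        }
    }
    // name and email are the only user values that would reach a header
    // (for example Reply-To); the recipient stays hard-coded on the server.
    if (has_header_injection($post['name']) || has_header_injection($post['email'])) {
        return 'spam: header injection';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'reject: invalid email';
    }
    return 'ok';
}

// Constructed sample submissions; a real handler would pass $_POST.
$base = ['secret_field' => '', 'name' => 'Ann', 'email' => 'ann@example.com',
         'message' => "Hello,\nplease call me about the pool."];
$samples = [
    'human'         => $base,
    'bot fills all' => ['secret_field' => 'qwerty'] + $base,
    'bot omits it'  => array_diff_key($base, ['secret_field' => 0]),
    'extra header'  => ['email' => "ann@example.com\r\nBcc: x@example.net"] + $base,
];
foreach ($samples as $label => $post) {
    printf("%-14s %s\n", $label, classify_submission($post));
}
```

Line breaks stay legal in `message` because the body is never copied into a header.
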

On Jul 21, 1:55 am, Geoff Berrow <blthe...@ckdog.co.uk> wrote:
> Message-ID:
> <edcd4a73-d3b9-4e52-b186-e891b95a3...@w7g2000hsa.googlegroups.com> from
> MikeB contained the following:
>> So I figure I need to add more things to the script to stop him. One
>> obvious thought that came to my mind is to use a captcha. Will that be
>> the way to go or are there other things that I need to do?
>
> Personally I hate captchas and I think they are over the top for a
> simple enquiry form like this. I like captchas when they are there for
> /my/ security but this one isn't, it's for your client's benefit alone.
> Besides accessibility issues, they are just another obstacle for
> potential customers - never a good idea. So I'd look for other ways
> first and use CAPTCHA as a last, rather than first resort.
>
> One of my client's forms was being spammed by a bot that filled all
> fields with garbage. One simple way to stop this is to have an extra
> field, hidden by CSS
>
> <label for='secret_field' style='display:none'>Please leave blank <input
> name='secret_field' id='secret_field'></label>
>
> The bot will either fill the field with garbage or omit it entirely,
> both easily detectable.
>
> --
> Geoff Berrow 0110001001101100010000000110
> 001101101011011001000110111101100111001011
> 100110001101101111001011100111010101101011
> http://slipperyhill.co.uk

This is a nice idea. I'll look into it. For now, last night I
implemented a captcha and it stopped the spam. That is a great help.

Thanks for all the advice.
Jul 21 '08 #10

On Jul 21, 4:14 am, Voodoo Jai <voodoo...@btinternet.com> wrote:
> How about reporting the Email sender for spamming, NOT SURE but I
> think you take the domain name and send an email to the ISP something
> like this "ab...@isp-domain-name.com" I may be wrong but someone else
> will be able to add more. Or just google report spammers for more info.

Not sure it would work in this instance. The guy isn't a run of the
mill spammer, he must have some bot that fills in the email submission
page on my friend's website. So the email headers etc. all point to
my friend's web hosting company.

I did modify the script to track the IP addresses of who is filling in
the form and it was all over the map - Germany, Latvia, etc.

But still, I only have an IP address. It will be an enormous pain to
track down the ISP and the particular user for each and every IP
address. And then the guy may have used a proxy or something.

So all in all, I'm just glad I stopped him. Reporting him isn't
something I'm going to waste energy on.

Jul 22 '08 #11

MikeB wrote:
> On Jul 21, 1:55 am, Geoff Berrow <blthe...@ckdog.co.uk> wrote:
>> Message-ID:
>> <edcd4a73-d3b9-4e52-b186-e891b95a3...@w7g2000hsa.googlegroups.com> from
>> MikeB contained the following:
>>> So I figure I need to add more things to the script to stop him. One
>>> obvious thought that came to my mind is to use a captcha. Will that be
>>> the way to go or are there other things that I need to do?
>>
>> Personally I hate captchas and I think they are over the top for a
>> simple enquiry form like this. I like captchas when they are there for
>> /my/ security but this one isn't, it's for your client's benefit alone.
>> Besides accessibility issues, they are just another obstacle for
>> potential customers - never a good idea. So I'd look for other ways
>> first and use CAPTCHA as a last, rather than first resort.
>>
>> One of my client's forms was being spammed by a bot that filled all
>> fields with garbage. One simple way to stop this is to have an extra
>> field, hidden by CSS
>>
>> <label for='secret_field' style='display:none'>Please leave blank <input
>> name='secret_field' id='secret_field'></label>
>>
>> The bot will either fill the field with garbage or omit it entirely,
>> both easily detectable.
>>
>> --
>> Geoff Berrow 0110001001101100010000000110
>> 001101101011011001000110111101100111001011
>> 100110001101101111001011100111010101101011
>> http://slipperyhill.co.uk
>
> This is a nice idea. I'll look into it. For now, last night I
> implemented a captcha and it stopped the spam. That is a great help.
>
> Thanks for all the advice.

I typically use a word-based captcha, i.e. "How much is 2 + 5?", or "how
much is 30 divided by 6?"

Most hackers won't bother to decode it to send spam - it's not worth it
for a small list. And, of course, you can always change the wording,
i.e. "what do you get when you add two to five?"

Other ideas include "Which comes first - January or July?" and similar
questions which can easily be answered by a person (even a disabled
user), but not so easy for many computers.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jul 25 '08 #12
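
Added example (not Jerry's code): one way to back the word-based questions from #12 with a server-side, single-use check. The accepted answers and the function names are assumptions, and a plain array stands in for `$_SESSION` so the file runs from the command line.

```php
<?php
// Added example, not code from the thread. The questions are the ones quoted
// in the post; the accepted answers and function names are assumptions.

const QUESTIONS = [
    ['How much is 2 + 5?',                   ['7', 'seven']],
    ['How much is 30 divided by 6?',         ['5', 'five']],
    ['Which comes first - January or July?', ['january']],
];

function issue_question(array &$session): string
{
    $i = random_int(0, count(QUESTIONS) - 1);
    $session['captcha_index'] = $i;   // the expected answer never leaves the server
    return QUESTIONS[$i][0];
}

function check_answer(array &$session, $answer): bool
{
    if (!isset($session['captcha_index']) || !is_string($answer)) {
        return false;
    }
    $accepted = QUESTIONS[$session['captcha_index']][1];
    unset($session['captcha_index']);  // single use: a replayed POST needs a new question
    return in_array(strtolower(trim($answer)), $accepted, true);
}

// Demo: a plain array stands in for $_SESSION (call session_start() and pass
// $_SESSION in the real form handler).
$session = [];
echo issue_question($session), "\n";
$right = QUESTIONS[$session['captcha_index']][1][0];
var_dump(check_answer($session, " $right "));  // first attempt, whitespace tolerated
var_dump(check_answer($session, $right));      // same answer replayed without a new question
```
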

"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:g6**********@registered.motzarella.org...

<snip>

>> This is a nice idea. I'll look into it. For now, last night I
>> implemented a captcha and it stopped the spam. That is a great help.
>>
>> Thanks for all the advice.
>
> I typically use a word-based captcha, i.e. "How much is 2 + 5?", or "how
> much is 30 divided by 6?"

what's sad is that once you've enabled this on your sites, you've locked
yourself out of them...till you get someone who can do math. :)
Jul 25 '08 #13
