
Thread: How do you stop form spamming?
      
   

  1. #1
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Hiya all

    I've been getting so much form spam in the last few weeks. I'm not sure what to do. I have a certain count in my text area, however somehow the spam is getting past that.

    Any suggestions?

  2. #2
    LadyEye (General & Forum Moderator, joined Jun 2006, Canada, 10,548 posts)

    Hi if you would like to contact us .. we can help rid you of your spam problem...

    VodaHost

    Your Website People!
    1-302-283-3777 North America / International
    07031847328 / United Kingdom

    ------------------------

    Top 3 Best Sellers

    Web Hosting - Unlimited disk space & bandwidth.

    Reseller Hosting - Start your own web hosting business.

    Search Engine & Directory Submission - 300 directories + (Google,Yahoo,Bing)



  3. #3
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Originally posted by LadyEye:
    Hi if you would like to contact us .. we can help rid you of your spam problem...

    You can't do it on here?

  4. #4
    LadyEye (General & Forum Moderator, joined Jun 2006, Canada, 10,548 posts)

    No, sorry ... the person I had in mind to do so does not work these boards ... but perhaps someone else can ...




  5. #5
    navaldesign (General & Forum Moderator, joined Oct 2005, Italy, 12,115 posts)

    Use ABVFP, or add a captcha validation, or use a session in your form / script. There are many ways of doing it.

    Please note that manual spamming can NOT be avoided. If they manually submit through your form there is nothing you can do. If however this is a bot spamming, you can stop it.
    Navaldesign
    Logger Lite: Low Cost, Customizable, multifeatured Login script
    Instant Download Cart: a Powerful, Customized, in site, DB driven, e-products Cart
    DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Login Systems and more....
    Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!


  6. #6
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Originally posted by navaldesign:
    Use ABVFP, or add a captcha validation, or use a session in your form / script. There are many ways of doing it.

    Please note that manual spamming can NOT be avoided. If they manually submit through your form there is nothing you can do. If however this is a bot spamming, you can stop it.

    Hi Navaldesign

    This is what I keep getting. I'm assuming it's bots. Sorry to paste this long garbage.
    I'm not sure what part of the form they're typing all this stuff in...



    Values submitted from web site form:
    smsInput : Edited by moderator

    Region : Pefferlaw
    name : Nikbtye
    email : nedpmq******.com
    telephone : Unknown
    count : Unknown

  7. #7
    navaldesign (General & Forum Moderator, joined Oct 2005, Italy, 12,115 posts)

    Not necessarily. Can also be manual submission (though it would be strange). Do as advised, ABVFP, or captcha, or sessions or a combination of the above.
    Navaldesign


  8. #8
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Originally posted by navaldesign:
    Not necessarily. Can also be manual submission (though it would be strange). Do as advised, ABVFP, or captcha, or sessions or a combination of the above.

    Thnx navaldesign

    I'll attempt one of your following suggestions.

  9. #9
    Andy128 (Major General, joined Dec 2005, Michigan, 2,322 posts)

    Mike-

    You said you had max length values set. Were these set in the php script or in the form itself?

    Reason: If the max length is set in the form, a hacker can duplicate your form removing the max length and submit the form. For that reason, it is important to have max length built into the php script.

    Andy
    PHP- is a blast!

  10. #10
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Originally posted by Andy128:
    Mike-

    You said you had max length values set. Were these set in the php script or in the form itself?

    Reason: If the max length is set in the form, a hacker can duplicate your form removing the max length and submit the form. For that reason, it is important to have max length built into the php script.

    Andy

    Hi Andy


    It is built into the php script. That's the reason I found it strange that all this garbage was coming through.

  11. #11
    Andy128 (Major General, joined Dec 2005, Michigan, 2,322 posts)

    Not seeing your script- it is hard to tell. If this is happening frequently, and if you desire to do so- post the script and we'll have a look and come up with something to combat it. Or e-mail it to me via my contact page on my site - www.netisopen.com

    Cheers

    Andy

  12. #12
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Originally posted by Andy128:
    Not seeing your script- it is hard to tell. If this is happening frequently, and if you desire to do so- post the script and we'll have a look and come up with something to combat it. Or e-mail it to me via my contact page on my site - www.netisopen.com

    Cheers

    Andy

    Thnx Andy
    • Actually, my bad. As far as the count goes, it is an HTML script that I have embedded in my form. This is my script that I'm using for the form.

    <?php
    $name = $HTTP_POST_VARS['name'];
    $email = $HTTP_POST_VARS['email'];
    $comments = $HTTP_POST_VARS['comments'];
    if (strlen($name) == 0)
    {
        header("Location: /nameerror.php");
        exit;
    }
    if (strlen($name) >= 30)
    {
        header("Location: /nameerror.php");
        exit;
    }
    if (strlen($email) == 0)
    {
        header("Location: /emailerror.php");
        exit;
    }
    if (strlen($email) >= 45)
    {
        header("Location: /emailerror.php");
        exit;
    }
    if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $email))
    {
        header("Location: /emailerror.php");
        exit;
    }
    if (strlen($telephone) >= 15)
    {
        header("Location: /telephoneerror.php");
        exit;
    }
    if (strlen($comments) >= 501)
    {
        header("Location: /commenterror.php");
        exit;
    }
    if (substr_count($comments , '@') > "2")
    {
        header("Location: /commenterror.php");
        exit;
    }
    //SEND MAIL
    $mailto = "name@mydomain.com";
    $mailsubj = "Inquiry";
    $mailhead = "From: $email\n";
    reset ($HTTP_POST_VARS);
    $mailbody = "Values submitted from web site form:\n";
    while (list ($key, $val) = each ($HTTP_POST_VARS))
    {
        $mailbody .= "$key : $val\n";
    }
    mail($mailto,$mailsubj,$mailbody,$mailhead);
    header("Location: http://mydomain.com/confirm.php");
    ?>
    • And this is the html script that I'm using for the count.
    <form NAME="xxxxxx">

    <input type="text" name="count" value="500" size="3" onFocus="this.blur" readonly>

    <br>

    <textarea rows="7" cols="36" name="smsInput" wrap
    onKeyUp="
    val = this.value;
    if (val.length > 500) {
    alert('Sorry, you are over the limit of 500 characters');
    this.value = val.substring(0,500);
    smsInput.focus()
    }
    this.form.count.value=500-parseInt(this.value.length);
    "></textarea>

    </form>


    </body>

  13. #13
    Andy128 (Major General, joined Dec 2005, Michigan, 2,322 posts)

    Well-it is definitely coming from the comments section. Most likely- your form has been targeted by a bot. However- it is also possible that someone is manually doing the injection (but less likely).

    So- if it were me, I would do something simple to start out. Change the name of the comments area on the form to something else like- tell_me
    Then change it in the appropriate areas in the php script (see areas below in blue).
    <?php
    $name = $HTTP_POST_VARS['name'];
    $email = $HTTP_POST_VARS['email'];
    $tell_me = $HTTP_POST_VARS['tell_me'];
    if (strlen($name) == 0)
    {
        header("Location: /nameerror.php");
        exit;
    }
    if (strlen($name) >= 30)
    {
        header("Location: /nameerror.php");
        exit;
    }
    if (strlen($email) == 0)
    {
        header("Location: /emailerror.php");
        exit;
    }
    if (strlen($email) >= 45)
    {
        header("Location: /emailerror.php");
        exit;
    }
    if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $email))
    {
        header("Location: /emailerror.php");
        exit;
    }
    if (strlen($telephone) >= 15)
    {
        header("Location: /telephoneerror.php");
        exit;
    }
    if (strlen($tell_me) >= 501)
    {
        header("Location: /commenterror.php");
        exit;
    }
    if (substr_count($tell_me , '@') > "2")
    {
        header("Location: /commenterror.php");
        exit;
    }
    //SEND MAIL
    $mailto = "name@mydomain.com";
    $mailsubj = "Inquiry";
    $mailhead = "From: $email\n";
    reset ($HTTP_POST_VARS);
    $mailbody = "Values submitted from web site form:\n";
    while (list ($key, $val) = each ($HTTP_POST_VARS))
    {
        $mailbody .= "$key : $val\n";
    }
    mail($mailto,$mailsubj,$mailbody,$mailhead);
    header("Location: http://mydomain.com/confirm.php");
    ?>
    Then save and publish. Here's my reasoning. Usually a bot crawls the web finding forms by key words associated with forms. Once a form is found the bot tests to see if it is vulnerable. It then logs the web address of the form and sends this info back to the hacker and then goes on its merry way. The hacker then programs another bot to visit and inject the form. Sometimes these are done simultaneously- but most often it is a two step process. So by changing the name of the field, the programmed bot will arrive and be unable to achieve its goal as it was programmed to inject the "comments" field and not "tell_me" field.

    If it is a person who is manually doing the injection- nothing will change. If it is a bot- it will likely stop for some time until a research bot discovers it again. Could stop for a few days, months. But that is one way to test.

    If it is a person doing it- we can capture their IP address and try blocking it.

    Naval has the best solution- use captcha or ABVFP. But you can try what I said as a short term solution until you're up to speed with the captcha or ABVFP.

    Let me know what happens-

    Andy

  14. #14
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Thank you very much Andy


    I have changed it as you recommended. Hopefully that will do the trick for now.

    I have asked navaldesign to make me a secure form so I don't run into this problem again. This spam is truly a pain in the neck.

  15. #15
    Andy128 (Major General, joined Dec 2005, Michigan, 2,322 posts)

    You're welcome. Good luck.

    Andy

  16. #16
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Originally posted by Andy128:
    Well-it is definitely coming from the comments section. Most likely- your form has been targeted by a bot. However- it is also possible that someone is manually doing the injection (but less likely).

    So- if it were me, I would do something simple to start out. Change the name of the comments area on the form to something else like- tell_me
    Then change it in the appropriate areas in the php script (see areas below in blue).




    Hey Andy

    For the record, this simple technique worked very effectively. It must have been bots. I received zero spam since I changed the comments area to something else.

    Great suggestion

    Thnx again

  17. #17
    navaldesign (General & Forum Moderator, joined Oct 2005, Italy, 12,115 posts)

    No, it has only been a coincidence. Your text area was NEVER "comments" and it never became "tell_me".

    In fact, the text area in your form was called "smsInput" as coded by the html code, and not "comments" which was checked by the script for max length. However, now I have text length, text content, referer and session authentication installed on your form/script, so there should be no problem any more.
    Navaldesign


  18. #18
    Andy128 (Major General, joined Dec 2005, Michigan, 2,322 posts)

    I don't understand. The smsInput was from the javascript that counted the amount of text entered in the form as specified by "form name".

    So- are you saying that adding a javascript such as this now makes the text area smsInput and then overrides the php handling?

    Andy

  19. #19
    navaldesign (General & Forum Moderator, joined Oct 2005, Italy, 12,115 posts)

    Hi Andy,

    Mike did NOT have a real (I mean one he created) textarea in his form. He had this script to count the characters and show them in an editbox called "count". If you take a look at the code in his post above, the comments area was called "smsInput" as it was defined by this code:

    <form NAME="xxxxxx">

    <input type="text" name="count" value="500" size="3" onFocus="this.blur" readonly>

    <br>

    <textarea rows="7" cols="36" name="smsInput" wrap
    onKeyUp="
    val = this.value;
    if (val.length > 500) {
    alert('Sorry, you are over the limit of 500 characters');
    this.value = val.substring(0,500);
    smsInput.focus()
    }
    this.form.count.value=500-parseInt(this.value.length);
    "></textarea>

    </form>


    </body>

    So, the textarea field name was "smsInput" and that is what was passed over to the php script. As you understand, the php script never validated the field (there was no validation for a field named "smsInput").

    So it could also have been a submission directly from the form.

    I had not paid attention at the beginning, but I discovered this when I made a test submission after installing ABVFP on Mike's site and the field that got back to me was titled "smsInput". I did change it after that.

    What I also would like to state is that a BOT submission does not necessarily go directly to the processing script. MANY times it submits through the form. There are bots capable of filling in the form fields and submitting. And that is where captchas are useful (though even a captcha image can be "read" by a specialized bot).

    Some good ideas (but not 100% efficient) for protection would be:

    1. Establish an authentication session.
    2. Use a captcha (in that case step 1 is not needed anymore, as the captcha value is sent from the form to the script through both POST and SESSION. Then the two are compared to see if that is a legal submission)
    3. Strip tags in the script
    4. Check the user input for @, http://, www. and ANY other character combination useful to spammers, and deny processing if more than 0 or 1 or 2 or whatever you decide are found in the input.
    5. Set length limits to avoid also simple harvesting with long text (manually) by simply idiots that want to "play".
    6. Set, if you have a specific problem, an IP or email address blocker.

    or, use a combination of some or all of the above.
    Navaldesign
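
The server-side checks listed in the post above, combined with the field-name mismatch it explains (the form posted "smsInput" while the script checked "comments") and Andy128's earlier point that length limits belong in the PHP script, as an added example that is not part of the thread and not navaldesign's script. It assumes PHP 7.4 or later; the 'Region' and 'count' limits and the 'form_token' session key are assumptions.

```php
<?php
// Added example, not code from the thread. Limits for name, email, telephone
// and the message follow the posted script; the 'Region'/'count' limits and
// the 'form_token' session key are assumptions.
const FIELD_LIMITS = ['name' => 29, 'email' => 44, 'telephone' => 14,
                      'Region' => 40, 'count' => 3, 'smsInput' => 500];
const REQUIRED     = ['name', 'email', 'smsInput'];
const SPAM_MARKERS = ['@', 'http://', 'https://', 'www.'];
const MAX_MARKERS  = 2;

// Returns [clean, errors]. $clean holds only allowlisted, validated fields,
// so a field the script never checked cannot reach the mail body.
function validate_submission(array $post, array $session): array
{
    $errors = [];
    $clean  = [];
    // Session check: the token stored when the form was rendered must come
    // back in the POST (a captcha answer is compared the same way).
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === ''
        || !hash_equals($expected, $given)) {
        $errors[] = 'token';
    }
    unset($post['form_token']);
    // Unknown field names are rejected instead of being mailed.
    foreach (array_diff(array_keys($post), array_keys(FIELD_LIMITS)) as $extra) {
        $errors[] = "unexpected:$extra";
    }
    foreach (FIELD_LIMITS as $field => $max) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $errors[] = "type:$field";
            continue;
        }
        $value = trim(strip_tags($value));            // strip tags
        if ($value === '' && in_array($field, REQUIRED, true)) {
            $errors[] = "missing:$field";
        }
        if (strlen($value) > $max) {                  // length limit, server side
            $errors[] = "length:$field";
        }
        $clean[$field] = $value;
    }
    $email = $clean['email'] ?? '';
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'format:email';
    }
    // Count spam markers in the message; deny above the chosen threshold.
    $message = strtolower($clean['smsInput'] ?? '');
    $hits = array_sum(array_map(fn($m) => substr_count($message, $m), SPAM_MARKERS));
    if ($hits > MAX_MARKERS) {
        $errors[] = 'spam:smsInput';
    }
    return [$clean, $errors];
}

// Constructed sample: a POST that still uses the old 'comments' field name.
$session = ['form_token' => 'constructed-token'];
$post = ['form_token' => 'constructed-token', 'name' => 'Nikbtye',
         'email' => 'a@example.com',
         'comments' => 'http://a.example www.b.example x@c.example'];
list($clean, $errors) = validate_submission($post, $session);
print_r($errors);
```

In a form handler this would be called as validate_submission($_POST, $_SESSION), with the mail body built from $clean only when $errors is empty.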


  20. #20
    Andy128 (Major General, joined Dec 2005, Michigan, 2,322 posts)

    Makes sense now. I thought it was simply a javascript that you add after the form is made regularly that simply counts the text in a specific field and displays it realtime as they type. Something like e-bay's comment field where it counts down the characters as you type.

    I did not notice that it had defined it as smsInput. Thanks for the heads up. Still lots and lots to learn..........................

    Andy

  21. #21
    navaldesign (General & Forum Moderator, joined Oct 2005, Italy, 12,115 posts)

    The visual effect is that of a normal textarea field. In the page code view it also appears as if the textarea was done directly in the page.

    I have seen the problem when Mike sent me the .bvp file, as well as when I received the test submission. It was not important to me, as I created a custom script that took care of it, but I thought I should let you know, just because you were worried on how the script was not able to validate the input.
    Navaldesign


  22. #22
    matrixxxxxx1 (Captain, joined Apr 2006, 221 posts)

    Originally posted by navaldesign:
    No, it has only been a coincidence. Your text area was NEVER "comments" and it never became "tell_me".

    In fact, the text area in your form was called "smsInput" as coded by the html code, and not "comments" which was checked by the script for max length. However, now I have text length, text content, referer and session authentication installed on your form/script, so there should be no problem any more.


    navaldesign

    Thank you for the incredible & secure script you made me. Also Thnx for the added touch on the enhancements you made such as the count in BV. Very very cool.

  23. #23
    Andy128 (Major General, joined Dec 2005, Michigan, 2,322 posts)

    He is the GrandMaster!

    Andy
