Spammers using my contact form

I have a simple 'contact me' page coded in ASP, which I think is being used by spammers. The contact form asks for name, e-mail and query, and when you press 'submit', it e-mails it to me (and me only).

I'm only getting about 1 e-mail a day, so I don't think it's an automated bot, but I have no knowledge of how this stuff works... all I know is that the 'your query' contains spam links to pr0n, and the e-mail addresses are normally something like '[email protected]' or something.

Is there any way I can prevent this? I've noticed some sign-ups use a number verification, but this seems a bit overkill for my needs.
 
Well, if it's a human then you can't really do much about it; however, if it's a bot then there are a few things you can do, although none are guaranteed to work 100%. One thing to do is rename your form fields to something more obscure, so rather than:

<input type="text" name="email">

have:

<input type="text" name="field_01">

This can stop some bots because they read the page to figure out what information to put where. Another method is to get rid of form labels such as "Name:" and replace them with an image that looks identical, as bots can't read images as easily.

Another solution I've heard working is to include a hidden input field which is not visible to the normal user. A bot will more than likely fill this in because it is scraping the page for information. If this form field is filled in, simply get your script to reject the submission, as it will be bot spam. This does cause issues if for some reason a browser displays this hidden field, but most don't.

Number verification, called a 'captcha', is also a solution; it defeats most bots if you are not running a 'high-value' website. It does cause the user to do more work, but they are quite effective at stopping casual spam bots (ones that are crawling Google looking for anything with a form on).
 
With my own website form I just did a check to see if any of the fields contained an '<a href' and rejected them if they did. It's not foolproof, but most spammers put HTML links into the feedback forms, whereas it's very rare for a legitimate entry to contain it.

Works for me anyway
 
My so-far-foolproof way of detecting spammers is to put an extra field in the form, call it something innocuous like 'website', and then hide it with CSS. That way, normal users shouldn't ever see it and it remains blank. Bots on the other hand will just see it as another form field and fill it out. Therefore, reject those entries where that field has been filled out.

You can stick some text next to it like "Don't fill this out" for those with CSS turned off. Works for me, and it's better than captchas.
 
that's a good idea growse.

The way I do it is send a verification email to the sender to confirm communication - this is also so-far-foolproof
 
there's a few scripts knocking around which are quite good. There was a guy who'd written one .. the guy who also wrote simplegal, i think that's the guy.

I use one that checks the referrer, so if it's not the website page that's started it, then it gets rejected. Secondly it cleans up all the data entry. Then it sends that out. Seems to work well, only get a couple of spam emails a day.

edit:forget all that .. i didn't read you're using ASP
 
My so-far-foolproof way of detecting spammers is to put an extra field in the form, call it something innocuous like 'website', and then hide it with CSS. That way, normal users shouldn't ever see it and it remains blank. Bots on the other hand will just see it as another form field and fill it out. Therefore, reject those entries where that field has been filled out.

You can stick some text next to it like "Don't fill this out" for those with CSS turned off. Works for me, and it's better than captchas.

This is what I do and it works a treat. As well as other simple things like getting the user to type 9-1, have the enter-the-email-twice thing for verification, but instead of naming the fields email1 and email2, name them email and url. Then when the bot comes along and sees email it will put email info in, and when it sees url it will put url info in, but as these won't match they won't be able to pass.

Also, if it is a human and the stuff being sent is always the same or very similar, you could forbid the words and then get ASP to check if the words are included and stop the form being sent.
 
I take it you guys use the method above and then using form validation only send the contact forms that dont contain anything?

How do you hide the form entry with CSS?
 
How do you hide the form entry with CSS?

As simple as putting the field in a div and marking it as hidden:

Code:
<div style="display:none;visibility:hidden;"> Content Here </div>

Yes you would then use the server-side script to reject forms that have the field populated.
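
Added example, not part of any post in this thread: the server-side rejection step for the honeypot field, the email/url decoy pair and the '<a href' check described above, combined in one function. It is written in JavaScript rather than ASP, and the field names (`name`, `email`, `url`, `website`, `query`) are assumptions.

```javascript
// Added example: not code from any poster. Assumed field names:
//   email   - visitor's address
//   url     - decoy-named "confirm e-mail" box (must equal email)
//   website - honeypot, hidden with CSS, must arrive empty
//   query   - the message body

const LINK_MARKUP = /<\s*a\s+[^>]*href/i; // '<a href', any case or spacing

function text(value) {
  // Missing fields arrive as undefined; treat them as empty strings.
  return value === undefined || value === null ? '' : String(value).trim();
}

function checkSubmission(fields) {
  const reasons = [];

  // 1. Honeypot: a real visitor never sees this field, so any content
  //    means something filled in the form blindly.
  if (text(fields.website) !== '') reasons.push('honeypot-filled');

  // 2. Decoy confirmation: a bot guessing from field names puts a web
  //    address in 'url', so it will not match 'email'.
  const email = text(fields.email).toLowerCase();
  if (email === '' || email !== text(fields.url).toLowerCase()) {
    reasons.push('email-mismatch');
  }

  // 3. HTML link markup in any visible text field.
  for (const name of ['name', 'query']) {
    if (LINK_MARKUP.test(text(fields[name]))) {
      reasons.push('link-in-' + name);
    }
  }

  return { accept: reasons.length === 0, reasons };
}

// Constructed sample submissions (not real traffic).
const samples = {
  human: { name: 'Ann', email: 'ann@example.com', url: 'Ann@Example.com ',
           website: '', query: 'Is the shop open on Sundays?' },
  bot:   { name: 'x', email: 'x@example.net', url: 'http://spam.example',
           website: 'http://spam.example',
           query: 'Visit <A HREF="http://spam.example">here</A>' },
};

for (const [label, fields] of Object.entries(samples)) {
  console.log(label, JSON.stringify(checkSubmission(fields)));
}
```

Browser autofill can populate a CSS-hidden input for a real visitor, so giving the honeypot `autocomplete="off"` reduces false rejections. Recording the returned reasons shows which check is catching the spam.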
 
Thanks! I was about to use CAPTCHA but this seems easier for the users. Who would turn CSS off though? Or is it a case of non-enabled browsers?
 
Another easy way to solve this is to have a field that asks a very simple question that humans can answer, e.g.

Anti-spammer question: Which animal is more dangerous, lion or chicken? (Just type lion or chicken in your answer)

You can then validate the form against the correct answer. This will put the bots off; if they ever custom attack your form (very unlikely), just change to another question.
 