All,
I have a guestbook feature on my site and I keep getting spammed. I'm doing validation on the front end with the jquery validator and asking a math question to ensure it's not a spamming tool. I also have a hidden field that generates a random number (a Form Key) in my POST request.
On the backend I verify the form key and I also check the values against some select words function and I also say if isset($_POST). I still keep getting spammed pretty bad and not sure how I can avoid this anymore. Other then making people register for the site, how can I prevent all the spam? Any additional suggestions are greatly appreciated!
Use a better captcha such as Re-Captcha by Google.
Create a honey pot field that you hide with CSS. Bots typically fill in all fields, so if this hidden field is filled in, you know it's a bot.
I haven't tested it in practice, but one thing you could do is to make use of the fact that the robots are posting the forms awfully fast. You could have a hidden field and adding a timestamp to it when you render the page. After the post, on the server-side, you check the timestamp and if it is less than say five seconds off, it is not likely that it is a human post.
I solved this problem with some forms I had but approached it differently, adding a form field that has to be empty to submit. I found that most of the bots presumed that they needed to fill in all text fields to be able to submit the form. What I do is add form fields that a real user should never see and make sure they stay empty in the $_POST.
http://aknosis.com/2009/04/17/zero-user-interaction-captcha/
Put recaptcha on it. http://www.google.com/recaptcha
Related
Currently
I am using captcha image
I created text field and hide it using javascript. i want its value to be empty on server side, because bots are supposed to fill all the fields on the form. if value isn't empty it it does not process comment.
I also use timestamps to check how long it took while submitting the comment. I supposed if the comment was submitted within 15 seconds, it comes from bot so i also stop processing the comment.
But still I couldn't control bots to submit my comments form.
Please help what should I do now?
Add a hidden field with a misleading id / name
<input type="hidden" id="Username" name="Username" value=""/>
If a bot comes along and fills out your form, they are likely to fill in the hidden field, which users should not be able to, so just disallow the submission if the hidden field has data.
Why not implement Akismet and let them handle it for you? They have a well documented API, and thousands of people rely on it for spam prevention on Wordpress blogs. I haven't seen a spam comment in probably 3 years now using Akismet on my wife's blog.
Lyuben Todorov has suggested a good solution to prevent BOT spammers. But if you still have spam and probably its human spam, then use Akismet anti spam system.
Use no-follow for all links in comments. This will not prevent the spam, but it will remove much of the incentive for spamming. ( see here how it works )
Require user authentication to be able to comment.
Use non-descriptive form elements ( don't name
the div "comment").
Try to create unique captcha to stop any standard bots (but if someone wants to get exactly you spammed it wouldn't work).
Another approach is to add verification by phone number.
On my website I have a couple of forms where someone (without registration) can send message to specified, registered user. The form is simple, and I want to keep that way. What is the best way to protect a contact form againts spam and bots if I don't want to use any captcha?
Your message:...
Your e-mail:...
[Send]
You can protect your form with the form keys technique:
When displaying the form to the user, generate a random ID ("form key") just for this single form submission. Store the form key in a session variable. Submit the "form key" in a hidden input field.
On the server side, check the submitted form key against the one stored in the session variable. Immediately invalidate it after use. (delete it from the session)
Without a captcha or something comparable, it is impossible to really protect a form from abuse.
However, using this technique a malicious spammer would have to
request for form via HTTP for each single form submission to obtain a valid unique forkey
parse the DOM tree / HTML code to obtain the form key
submit it in the correct format
This technique also protects your form from multiple accidential submissions.
Here is a code example:
<?php
session_start();
if (isset($_POST['form_submit'])) {
// do stuff
if (isset($_POST['formkey']) && isset($_SESSION['formkeys'][$_POST['formkey']])) {
echo "valid, doing stuff now ... "; flush();
// delete formkey from session
unset($_SESSION['formkeys'][$_POST['formkey']]);
// release session early - after committing the session data is read-only
session_write_close();
// do whatever you like with the form data here
send_contact_mail($_POST);
}
else {
echo "request invalid or timed out.";
}
}
else {
// show form with formkey
$formkey = md5("foo".microtime().rand(1,999999));
// put current formkey into list of valid form keys for the user session
if (!is_array($_SESSION['formkeys']) {
$_SESSION['formkeys'] = array();
]
$_SESSION['formkeys'][$formkey] = now();
?>
<html>
<head><title>form key</title></head>
<body>
<form method="POST">
<input type="hidden" name="PHPSESSID" value="<?=session_id()?>">
<input type="text" name="formkey"
value="<?= $formkey ?>">
<input type="submit" name="form_submit" value="Contact us!">
</form>
</body>
</html>
<?php } ?>
So the options:
Maximize query/IP
Add security question
Captcha (even if you don't like it)
Sending e-mail to validate it
Submitting data via JavaScript
Details on these and my opinion on them.
It works well to prevent sending many messages, but a few copies of them will still get in. If you think that's affordable, this might work. Note: a spammer can use proxies or dinamic IP, but that might be slow. Perhaps consider not blocking the user but adding a captcha if they send too many e-mails.
What is this exactly? These are questions like "10+1" or "ten plus 1" or "What day is it?". They might work well - if your website will be in only very few languages. Captchas are still better but this works well in case.
You don't like it, but I still say it's the best. Adding one reCAPTCHA isn't that hard but it will prevent 90% of the spammers - or more. But there are 2 problems with this: 1. sometimes human can't read it as well, 2. spammers could use people to solve it for a minimal (like $0.001/captcha) amount and sometimes they do. But that stands for case 2 as well.
Could be good, but if spammers note this, they can generate random email addresses and validate it via SMTP. But they usually go to the easiest target and leave.
Good, spammers can't make bots act like a click, but they can make codes which makes click non-required. But the easiest target rule stays.
In my opinion, the best is solution 3, then solution 2, then solution 1, then solution 4 and 5.
In my opinion, many sites (excepting ticket sellers, major sites like google, and other sites that will be targeted) can prevent comment/form spam without a captcha by using a number of different techniques in combination. I recently created an open source PHP project that implements the following tests to determine if the submission is likely legitimate, or spam.
Hidden Form Field - If hidden form field is filled in, this is an indicator of spam
Time Form Submission - If form is filled out too fast or too slow, this is an indicator of spam
Too many URLs - If the comment field has too many URLs (Number is configurable) this is an indicator of spam
Mouse Movement - If the user does not use their mouse, this is an indicator of spam
Used Keyboard - If the user does not use their keyboard, this is an indicator of spam
Validate Referer - If the HTTP referer does not match the form URL, we shouldn't accept the submission.
Validate Email - If the email address provided in the form is not valid from a syntax perspective, we shouldn't accept the submission.
Here is the URL of the project. I like Kaii's test above, would make a great additional test for phpFormProtect.
https://github.com/mccarthy/phpFormProtect
You can implement a time limit from an IP. So if a spam bot tries to send the form again and again (in a specific time interval, say 1 hour), the request should be rejected.
You'll have to do this on the Server-Side by checking and storing the IPs of the users. Then when they again send the form, check if the user is already in the blocked IPs for the time being.
This is also what StackOverflow implemented 2years back.
You can do something to prove the user is human. If you want to keep simple, maybe a field asking a math question, like "2 + 5?", for example. But that's not so secure as a captcha could be. But, if the possible spam doesn't botter you, it's ok to do that.
Use: iScramble
It basically takes a string (your form html stored as a string in PHP) and generates a block of obfuscated Javascript.
It can help hide those form keys you are using to secure your forms, or completely hide your form from bots all together.
I've been using this since the 90's (the page at the link above is clearly at least that old) and I don't get form spam ever.
Auto bot is registering dummy users to my website. Today, I have implemented Captcha with additions of two numbers and store the result in SESSION variable. Only human can understand it and proceed with registration process. But I'm really confused that same bot is parsing the SESSION variable and entering correct value of addition of two numbers and get registered in the website with dummy user.
Is there any other feasible method to stop this bot to register dummy users?
I'm using Zen cart.
Try using reCaptcha. It is most likely a more advanced solution to your CAPTCHA issue.
Use reCaptcha or other anti-bot solutions searchable by google
I once added some simple JavaScript code to add an additional parameter to the form wich is only executed when the client has JavaScript enabled. Bots often don't have JS support.
An other solution would be to add a number of seconds a user was on the page before sending the form. Bots will send it immediately after the first request without delay.
An other thing I did once was that I checked the clients IP address and if it was from an other country than my own the user has to solve the captcha.
Also changing the names of the parameter is helpful.
And sending an individual hash to each form GET request and checking it when the POST arrives.
For a system I'm working on I've got a bit of a problem: I'm messing with one of the basic rules of HTTP and I'm allowing users to post data through a GET request.
Don't get mad at me yet: I've got a reason for this: Users arrive in my application from an external environment and I can't prompt them for any extra input (so all necessary data is in the GET query). They should be able to close the browser window right after it opens and the input should be saved. And no, I can't do this through AJAX, an API or other under-the-hood method.
These requirements kind of rule out captcha, calculations, forms etc. So I'm left with the problem that I really do want some type of verification to prevent bots/crawlers from "accidentally" submitting something.
One of the solutions I am looking into is making a very lightweight landing page that submits itself through javascript onload but it would be the ugliest thing in my application so I'm trying to prevent it. Another is to let the landingpage not do any of the processing but instead use an AJAX-call to do this. This would however mean that older browsers (and many mobile phones) would have to use another solution.
Background: Application written in PHP5.3, built on Yii Framework, 100% cross-browser compatible (this includes pretty much every mobile phone out there).
Some more background: The "exteral environments" I'm talking about vary from e-mail clients to websites. Manipulation of our content at runtime isn't possible.
Update: Here's what I'm going to do: I'm probably going to combine solutions posted here in a fallback mechanism so that a chain of verifications will be attempted:
1. Ajax verification
2. Non-Ajax javascript verification (automatic form submission)
3. Prompt for user input (user has to click a confirm button)
Besides this I'm going to implement a bot trap as descripbed by http://www.kloth.net/internet/bottrap.php
After I'm done with building this I'll update the post if I did anything different.
Hard to understand where you app is and where external environment really are. But one simple bot-removal technique I use is to put an hidden field named 'login' or 'name' and give it an empty value.
Human people will never fill this hidden field, but spam bots are always filling it. So you can discard any request with that field being not empty.
Now you must prevent crawlers and not only spam bots. Never did it, but here are some thoughts. You could add a hidden 'human' hidden input in the form on first mouseMove events (but keyboard-only -- and think about blind people -- users will be considered as robots). So maybe if this field is not there you can launch a javascript 'confirm' where you ask "Confirm that you are a robot or click cancel if you are human".
You can make your anchor link containing a default value that this hidden field values will overwrite in js. Most crawlers will not overwrite the values, especially if you must cancel a confirmation to get the right behavior (and avoid confirmation with mouseMove event for most users).
If you are able to modify the place that your users are coming fro, you could try including a checksum. Calculate some kind of checksum or hash of all the fields in the GET request and add it to the GET request itself (i.e. through javascript, but do it in the place your users are coming from, not where they are landing). Then, in your application, reject all hits with an incorrect checksum.
well i have a form in which email and captcha validation was there but now i want to do some thing like if captcha is incorrect or left empty than my form must not reload the page i.e all those field which are already been filled out must not get blank.
You can either
A) Submit the form as you are doing right now, and fill the fields with the existing field data
B) Use a CAPTCHA library that supports AJAX submission, e.g. reCAPTCHA http://wiki.recaptcha.net/index.php/Overview#AJAX_API
I believe that (A) is a lot better because it allows you to deal seamlessly with all other kinds of validation. But depending on what you already have (B) might be trivial to implement. So YMMV.