Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed last year.
Improve this question
What is the most secure way to fight spam? Any algorithm?O r way to fight back spammers?
Get a captcha dude, it's probably the best way to defeat spam. Here is a great one called reCaptcha. It's pretty easy to integrate with PHP and is mighty effective. Here is how you do it.
Mollom is a more user-friendly alternative to reCaptcha. It can be set to only require CAPTCHA validation if the content of the submission looks "spammy", so it doesn't interfere with users entering safe submissions.
3 simple methods that I use on my employer's website contact form that really help out:
Set a serverside timestamp when the contact page loads, and check the
time again when it posts. If your form was submitted in under 5 seconds (or
whatever minimal time is reasonable for your form) then you know its a bot since
humans aren't that fast.
Check for multiple tag types in the message. Much of spam we see spam tries to mix html and
bulletin board style tags, so you get <a> and [url=] [link=] in the
same message, this is an easy to check red flag
Create a hidden text input field called email and name the visible
email field something different. Human visitors won't see that field, so if it has a
value its a bot(technically could be a
blind person with a screen reader but highly unlikely)
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I'm in the process of learning more PHP. I've not really done any PHP before, only enough for basic emailing on contact forms. In the past when I've made such forms I've occasionally had spam emails come through via that script. From the frequency of the emails and the content it is very much apparent that it isn't someone coming on the website and spamming via the form but rather they know the url of the php file and are submitting data to it via that in some way; what is the best way to prevent this sort of thing happening.
If you're in your very early stages of PHP (or programming in general) I would recommend that you create an input in your form which you hide or move off screen using css.
This would mean that no real user would fill this, but when when a bots comes to your page and submit the form, they would fill it in with some garbage data.
In your php code handling the submission, simply check to see if this field has been submitted or not. If it has then you know it was not a real person, so discard the submission and do not proceed further with sending the email.
Note: I'm only recommending the approach above for learning purposes and for tiny projects that are not really in production use. If you need a more robust solution, then look into some sort of capcha solution or some javascript that adds some csrf type of checks to your form.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I am creating a form that users will use to register for an event. However, I just discovered that there are some really tight security limitations due to policies due to the site's hosting and also policies the organization has about external-facing scripts (such as PHP) that are seen as an unneeded vulnerability.
I haven't been told flat-out that all PHP is completely banned, but I think that I won't be able to create a file and send email with it. However, I do want to be able to have an online registration form that can be filled out and emailed in as low-tech a way as possible.
I'm aware that you can use mailto: to prepopulate the subject and body of an email sent through the users normal email client:
mailto:my#addy.com?subject=subject+here&body=body+of+email
This is not the best solution because not everyone will be able to use mailto in this way, and for those that do, they must be relied upon not to mess up the formatting of the email. It isn't very consistent. Is there anything better than mailto: but which is still less of a security risk than PHP?
If you don't have the ability to run server side code, then sending an email is pretty much out of the question. Unless of course, you can make javascript calls to some other website that emails or store the form information for you.
Your best bet might be outsourcing it entirely, and using a Google Doc form or something.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I have a various joomla and static websites and messages from the contact form on those sites will be send to my mail.lately i received various spams flooded my mail then i add captcha with those forms.now my mail is free from spammers.
But my question is how do they compromised my site? its like 100 of mails within few minutes. so it cannot be done manually
they must have added some kind of script. how do they do it? i searched google i cannot come up with good result.
Your site is not compromised. The captcha simply prevents a bot from submitting the form over and over again. It's the same as if a human quickly filled out the form and clicked submit and did this over and over again. There's not any kind of a security breach. Captchas are pretty good at preventing bot spam.
One clever thing you could do is make a hidden input field and make it very appealing for bots to fill it out, no validation or anything and label and name like "Last Name", something that is common, but that you aren't already using. When the form is submitted that value will be sent to the server. Since a person couldn't have seen the input, the only way it will be filled out is if a bot found it in the document and filled it out. So, if you find this value, don't send the mail. More on this here (click).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
Improve this question
Hello I have a custom simple contact form where users can send emails, I get a email when this contact form is used.
But now i got like 400 mails in 1 hour from 3 contact forms from my website. And the mails contain strange data I have attached a image showing the emails i got
i also got mails with things like \\\\\\\' oR \\\\\\%\\\\\'=\\\\\\2 in it or stuf like 2=7 etc...
what is this ?
Whenever you expose a form over the web, it is going to be found by bots. The bots will dump rubbish into your form and see if they can post it. Sometimes it is just garbage and other times it will contain links or other spam.
Most basic bots can be defeated by having a form element that fails validation if anything is entered - as bots normally put garbage in all fields. In your case, you could discard forms that don't contain a valid email address and it would solve quite a lot of the problem.
You could add a Captcha / Recaptcha - but they are a real problem for humans using your form - so think carefully before you go down this route.
The most reliable and hassle free way to go is normally to ask people to create a basic account with your website. That way, if they start spamming you, you can hell-ban them (i.e. make them think they can still submit the form, but discard it from spam user accounts).
The spam problem won't simply go away if you defeat the bots - as search-engine-optimisation consultants are happy to hand-crank entries thinking you'll then hand them money for their dodgy servies.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
My site has a PHP contact form which emails me the form data. It is works well when I test it. Also I have received lots of emails from site visitors via that form but ocassionally I receive very strange emails from the form like the one below:
v0lMO8 tqiptnoljxnt,
[url=http://fqnyptgpiqbp.com/]fqnyptgpiqbp[/url],
[link=http://atmsirfurmic.com/]atmsirfurmic[/link],
http://uoaxeaumrkvo.com/
I have no clue whether there something wrong with the form or this is something deliberately sent to me as spam?
Thanks
It's spam. You need to add some kind of spam protection to your website to avoid such situations - simple question or rewritting code from the image. It should reduce number of this kind of mails.
It looks like spam since the URL is typed in different ways so that one may work for you to click it.
I think you need to secure your form by adding random hidden inputs that are stored in sessions and checked while sending to protect your script from cross-site scripting along with better way of human verification.
It's spam. You options are either:
a) Just live with it if the number of emails is manageable
b) Implement some kind of 'human check'. Google recaptcha is free + easy to implement one, but bear in mind that it can be annoying for legitimate users, so only do this if you think you can't easily cope with the amount of spam email you receive.