Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 14 of 14
  1. #1
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Stopping Spam Bots on Forms

    I recently read of a technique for stopping some of the spam bots that go around the web sending other people's forms, which of course they fill with their garbage.

    The idea is to put a "hidden" field in the form that the visitors would not see but the bot would fill out; then, use a script that would close the form and re-direct the bot to some other place whenever it filled anything into that hidden field (which presumably they would do every time).

    If anyone knows of such a js, please pass on the info, as the spam creeps are driving us nuts. Thanks...
    Reno CF

  • #2
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,642
    Thanks
    0
    Thanked 649 Times in 639 Posts
    It would not involve any JavaScript, just HTML for the hidden field and a server side language to process the form.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #3
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks Stephen. We've been using a perl-script contact form for a number of years that was originally written by The nms Project, so I have both the HTML and the script in place.

    But not being any kind of cgi wonk, I do not have the expertise to modify the perl in such a way that it would stop any bot that entered words or numbers into the hidden field. Thus, I was thinking that a javascript might be a work-around.

    If it's just a matter of entering a few lines of code onto the perl script itself -- and if you know that code -- we'd much appreciate your advice. As I said, these spam bots are a huge aggravation, so we are looking for some solutions to stop (or at least slow down!) the daily assault...
    Reno CF

  • #4
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,313
    Thanks
    203
    Thanked 2,563 Times in 2,541 Posts
    As has been pointed out, a server-side filter would be best, but you might try something simple like:-

    <SCRIPT type = "Text/JavaScript">

    function foolBots() {
    if (document.formname.hiddenFieldName.value !="") {
    return false;
    }
    }
    </SCRIPT>

    <FORM ................ onsubmit = "foolBots()"

    You can find out if it works by experiment.

    I guess this is a variant of a simple CAPTCHA technique in which the user has to give the correct answer to a simple question before the form will submit, e.g.

    What is 10 times 5?

    if (answer != "50") {return false}

    But this may filter out some users as well!

    e.g. Recent TV quiz game:-

    Quizmaster: How many pins do you have to knock over in ten-pin bowling to score a strike?
    Contestant: All of them.
    Quizmaster: And how many is that?
    Contestant: Nine.
    Last edited by Philip M; 05-09-2007 at 08:53 AM.

  • #5
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks Philip for your suggestion. I tried it using the very simple form below, but either I did something wrong or the script is not quite right. For the purpose of this test I made the field visible, so I could enter some characters. The goal is to have the js not send the form if any characters are in the third field down, called "yourcomment". With my tests the form did send each time, so some tweak must be necessary. If anyone sees anything obvious, please jump in ... thanks:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title> Testing JS </title>

    <SCRIPT type = "Text/JavaScript">
    function foolBots() {
    if (document.bonk.yourcomment.value !="") {
    return false;
    }
    }
    </SCRIPT>

    </head>

    <body bgcolor="#333333" text="#000000">

    <form action="/cgi-bin/Form_Mail.pl" method="POST" name="bonk" onsubmit = "foolBots()">
    <input type="hidden" name="subject" value="Testing JS">

    <table bgcolor="#ffffff" align="center" width="450" border="1" cellspacing="0" cellpadding="7">

    <tr><td align="RIGHT"><font face="Verdana, Comic Sans MS, Arial, Helvetica" size="1">Your Name:</td>
    <td align="LEFT"><input type="text" name="realname" size="30"></td></tr>

    <tr><td align="RIGHT"><font face="Verdana, Comic Sans MS, Arial, Helvetica" size="1">Your Email:</font></td>
    <td align="LEFT"><input type="text" name="email" size="30"></td></tr>

    <tr><td align="RIGHT"><font face="Verdana, Comic Sans MS, Arial, Helvetica" size="1">Your Comment:</font></td>
    <td align="LEFT"><input type="text" name="yourcomment" size="25"></td></tr>

    <tr><td align="center" valign="TOP" colspan="2"><input type="submit" value="Send Now"></td></tr>

    </table>

    </form>
    </body>
    </html>
    Reno CF

  • #6
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,313
    Thanks
    203
    Thanked 2,563 Times in 2,541 Posts
    Should be:-

    onsubmit = "return foolBots()"

  • #7
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Eureka! That is what we wanted -- now the form just sits there and will not submit when anything is typed in that field. Thanks much!
    Reno CF

  • #8
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,313
    Thanks
    203
    Thanked 2,563 Times in 2,541 Posts
    I shall be interested to learn in due course whether the idea is effective in defeating the bots, as some of these things are pretty clever and if Javascript is disabled obviously it does not work.

    If you are using Matt's FormMail.pl it would be easy to add a few lines to reject any form which had a value entered in the hidden field - you might post a request for advice about this in the Perl forum.

  • #9
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If you are using Matt's FormMail.pl it would be easy to add a few lines to reject any form which had a value entered in the hidden field
    I'm using a more secure version of Matt's script, so I'll take your suggestion and will post a question in the perl forum to see if anyone can offer that as a solution.
    Reno CF

  • #10
    New to the CF scene
    Join Date
    May 2007
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Hi, I tried this method, however, it didn't work. I suspect that it is because not only did the spam bot not look at the CSS, but it ignored the javascript.

    I have two ideas to get round this though.

    1: Change the post location in the javascript (preferable)
    2: Require that JS is enabled for the page to be displayed.

    However, I don't know how to do either. Can someone help?

    Thanks.

  • #11
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,151
    Thanks
    2
    Thanked 335 Times in 327 Posts
    Because spam bot scripts submit data directly to the action="..." URL, nothing you do using javascript on the form page will help. This subject has been discussed many times on this Forum. Search and you will find a number of discussions on protecting forms and making sure that it is your form page that submits to your form processing code...

    For your two specific ideas -
    1: Change the post location in the javascript (preferable) - the javascript code is visible in the page content and the new post location can be determined by reading and parsing through the content by the bot script.

    2: Require that JS is enabled for the page to be displayed. - see the first part of this post.
    Last edited by CFMaBiSmAd; 05-21-2007 at 02:32 PM.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #12
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,313
    Thanks
    203
    Thanked 2,563 Times in 2,541 Posts
    See for example:-
    http://www.codingforums.com/showthread.php?t=100069

    For what it is worth I have not had this problem for some years since I changed the name of formmail.pl to something like ekl6sn2d.pl

  • #13
    New to the CF scene
    Join Date
    May 2007
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thats excellent, thanks. I shall try things out from that thread and let you know.

  • #14
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    18,313
    Thanks
    203
    Thanked 2,563 Times in 2,541 Posts
    Another thing which seems to work is to obfuscate the form action using JavaScript, so:-

    <SCRIPT type="text/javascript">
    <!-- Javascript must be enabled!
    document.write(unescape("%3CFORM%20name%3D%22adinputform%22%20method%3D%22POST%22%0D%0A%20%20%20%20a ction%3D%22http%3A//www.mysite.co.uk/cgi-bin/classifieds.cgi%22%20onSubmit%3D%22return%20submitForm%28this.Submitbutton%29%22%3E"));
    //-->
    </SCRIPT>

    The data can be further obfuscated, e.g by changing the letter 'c' to %63 (and other letters to their corresponding hex values). E.g. www.mysite.%63o.uk/%63gi-bin/%63lassifieds.%63gi

    But I don't know how clever these bots are!
    Last edited by Philip M; 05-21-2007 at 05:48 PM.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •