Solved

stop bots from submitting forms

Posted on 2006-10-24
7
774 Views
Last Modified: 2012-06-22
some bots have found my site which accepts a form from users for posting of classified ads.  Now I get at least 1 every five minutes from adamn bot.

How do I prevent this?
0
Comment
Question by:alivemedia
7 Comments
 
LVL 8

Expert Comment

by:Rytmis
ID: 17796363
For a site of mine we implemented a fairly simple solution.

We had two fields, name and message, so we introduced two new fields with mangled names, and use those instead. We use CSS to hide the old fields, and just in case CSS is disabled, both hidden fields have labels saying "please do not fill this field" next to them.

Every time a comment is posted, we check if either of the hidden fields have text in them. If they do, we mark the message as spam. Messages marked as spam are not displayed.

Every now and then I manually clean up the accumulated spam messages, but the end users don't see any of it any more.
0
 
LVL 2

Author Comment

by:alivemedia
ID: 17796506
I guess this assumes that the bots don't use css or have it disabled?
0
 
LVL 17

Expert Comment

by:akshah123
ID: 17796530
There are two solutions.

1. Use image with text in it for verification similar to what yahoo and hotmail does while signing up.  
http://www.finalwebsites.com/snippets.php?id=39
or
http://www.phpclasses.org/browse/package/1569.html

2. Usually, these bots leave a message that has a certain pattern to it.  Such as they will always have <a href="somelink">somelink</a>[url]somelink[/url]

If so, you can update the script that processes the form submission to look for this pattern using some regular expression.  If it matches that regular expression, you can mark it as spam.  However, this is risky as you may get a false positive from time to time.  

The best solution is of course to use the CAPTCHA logic where user has to provide text that matches a randomly generated image as show in above link.  This method is used by big sites that have a great deal of hits from all kinds of bots.

0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 8

Expert Comment

by:Rytmis
ID: 17796544
Well basically the bot can't tell *why* the field is hidden (lots of ajaxy things keep stuff hidden via CSS rules). Anyways I'm not saying this is the be-all end-all solution, but 100% of the spam we've been getting has been caught in it.

I'm thinking that if this filtering stops being effective at some point, I'll probably start changing the field name on every page load. I'm pretty sure that the bots don't load the page as often as they post to it.
0
 
LVL 16

Expert Comment

by:HackneyCab
ID: 17799385
If you're sure that the bot is not loading the page before submitting, add a session variable to the form page. If this session variable is not set when the form processor script is reached, send a thank you message as though you're happy with their rubbish, but silently discard the submission. No legitimate user should be posting to your processor script without using your form first.
0
 
LVL 2

Accepted Solution

by:
_delas earned 500 total points
ID: 17942092
try some logical questions, like http://it.php.net/manual/add-note.php?sect=function.fopen&redirect=http://it.php.net/manual/it/function.fopen.php
or try populating an hidden field with javascript... it seems that bots haven't js iterpreter
0
 
LVL 8

Expert Comment

by:Rytmis
ID: 17942155
As a curiosity: during the last two weeks our simplistic filtering has stop some ~400 spam comments (and amazingly, not a single one has yet come through). YMMV though.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PHP Healthcheck 2 81
Why isnt it sending mail from my php but is from my server 10 33
Echo images using file system 2 29
Download a website to hdd 2 47
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

939 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

4 Experts available now in Live!

Get 1:1 Help Now