bleggee
asked on
Web Form Spam - WHAT TO DO?
Hi all - I have several web clients that are getting spam/junk sent to them via the web form on their website, several times a day (see below for an example). They are all using the Email Reply script from MSA (Matt's Script Archive). Does anyone have a solution for this? I am thinking:
1. Use an updated or more secure and recent web reply script?
2. Rename the HTML and the script, just to slow them down a little?
3. Use CAPTCHA
4. ???
Any help is appreciated !
Thanks
- B
--------------------------
Name: rikky
Address_1: ldEtxTfhemVqY
Address_2: hLGsgvrBIEviBBCsc
City: New York
State: NY
Zipcode: 98143
Country: USA
Email: goodsam@gmail.com
Phone: 734
Fax: 630
Item_1: GZWlhmlzDn
Item_2: NzCnRKqamYViiyFb
Item_3: hwEoZpsTB
Net_price: 96
CA_sals_tax: siNzOqIuCdM
Total_invoice: 6
S1: Punk not dead <a href="
http://www.pinballvalencia.com/evento-futuro-6o-torneo-de...
a/ ">generic provera</a> body fluid contaminated with blood (saliva in
dental procedures), and, in emergency situations, <a href="
http://cursosinglesdublin.com/academia-ingles-dublin/ ">cefixime price</a>
Eligibility Clarification Code The Eligibility Clarification Code is used
to indicate:
<a href=" http://www.qzland.com/a/shichangfenxi/ ">where to buy
levothyroxine</a> spent participating in service learning activities.
<a href="
http://www.englishcoursesengland.net/courses-to-learn-eng...
">stromectol online</a> Check your software to make sure
Check: ON
Credit_Card_Type: Visa
Name_on_Card:
Expires: VoLIRVCNnYpLRg
B1: Submit
ASKER
Hi Dave - Thanks - I went straight to update the script with NMS ... and you know what? I thought you had nailed it for me ... but it turns out I AM using NMS Formmail. Just never knew.
Any other suggestions?
I would at least use the CAPTCHA. I don't know Perl very well, but you may need to start a new question to modify the script to accept a CAPTCHA, or use PHP. In either case, you can make sure to accept data only from the form, and use the CAPTCHA. Another thing I do is to capture the IP and use a web service to get the location of the IP and send that to the site owner, as that can help weed out spam in their inbox. I have been using Smart IP (http://smart-ip.net/geoip-xml/xx.xxx.xxx.xxx) but I notice the service has been down and I need to find a new one.
Like I said, I never use Formmail; I write my own code. Formmail accepts virtually any variables you send to it. There is a line in the code that you can change to limit the referrers that can post to it, and that might help some.
Instead of a CAPTCHA, simple questions in plain language such as "square root of 9" are quite effective as well and much less annoying for the user.
Also make sure the referrer is on the original site, and actually corresponds to a page where there is a link to the mail form.
One method is to use cookies: most automated tools don't handle them properly yet.
The same applies (more effectively) to JavaScript: check that it is present and enabled.
One nice and easy way is to store the timestamp when the page was loaded. Robots will submit the page instantaneously; humans will require at least 5 seconds to send an email.
More seriously, there is then a wide range of much more effective methods.
One of them is to generate a token in the link that points to the page (?token=12345) and check that one of the allowed tokens was used. You need quite a long validity duration for the token.
Note that if you don't want to store and check the token, smartass methods based on the current timestamp work pretty well:
Example: generate a token that is the md5 encryption of "salt" concatenated with the timestamp corresponding to the current minute (timestamp - timestamp % 60).
On the remote side, you brute-force check that the token is allowed; if not, subtract 60 from the current timestamp and try again. Iterate, let's say, 30 times for a 30-minute token duration.
In would-be PHP code, try something like this:
<?php
# salt: keep it secret and unique per site
$salt = "yadaa";

# generation (on the page that links to the form): current minute, hashed with the salt
$tok = time();
$tok = $tok - $tok % 60;
$tok = md5($salt . $tok);

# check (in the form handler): the token arrives via ?token=... or a hidden field
$received_token = isset($_REQUEST['token']) ? $_REQUEST['token'] : '';
$trashthemail = true;
$tok = time();
$tok = $tok - $tok % 60;
for ($i = 0; $i < 30; $i++) {          # walk back one minute at a time, 30 minutes max
    if ($received_token === md5($salt . $tok)) {
        $trashthemail = false;
        break;
    }
    $tok = $tok - 60;
}
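Below is an added example, not code from this thread or from NMS Formmail, that puts the checks discussed in this post and in the earlier answer (accept only the form's own fields, check the referrer, a plain-language question, a minimum time on the page, a token with a 30-minute lifetime) into one PHP handler. It goes beyond the md5 scheme above in one way: the page-load timestamp is embedded in the token next to an HMAC over it, so the handler verifies a single MAC and checks the age window directly instead of looping through 30 one-minute buckets, and it can also enforce the 5-second minimum. The field names (token, website, human, name, email, message), the secret, the host name, the expected answer "3" to the question "square root of 9", and the two sample submissions are all assumptions made for the example.

```php
<?php
// Added example for this thread, not the thread's or Formmail's code.
// Assumed form layout: hidden field "token" (from issue_form_token()),
// a CSS-hidden decoy field "website", a question field "human" whose
// expected answer is "3", and the visible fields name/email/message.

const FORM_MIN_AGE = 5;      // humans need at least this many seconds
const FORM_MAX_AGE = 1800;   // token expires after 30 minutes
const ALLOWED_FIELDS = ['token', 'website', 'human', 'name', 'email', 'message'];

// Token = "<page load timestamp>.<HMAC-SHA256(timestamp, secret)>".
// Embedding the timestamp removes the 30-step brute-force check: verify one MAC,
// then compare the age against the window.
function issue_form_token(string $secret, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

// Returns an empty array when the submission passes, otherwise the reasons it failed.
function check_submission(array $post, array $server, string $secret, int $now, string $site_host): array
{
    $reasons = [];

    // 1. Only the fields the real form has; "post any variable you like" is what gets abused.
    $unexpected = array_diff(array_keys($post), ALLOWED_FIELDS);
    if ($unexpected) {
        $reasons[] = 'unexpected fields: ' . implode(',', $unexpected);
    }

    // 2. Signed timestamp token: check the MAC first, then the age window.
    $parts = explode('.', $post['token'] ?? '', 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
        $reasons[] = 'missing or malformed token';
    } else {
        [$issued, $mac] = $parts;
        $expected = hash_hmac('sha256', $issued, $secret);
        if (!hash_equals($expected, $mac)) {        // constant-time comparison
            $reasons[] = 'token signature invalid';
        } else {
            $age = $now - (int) $issued;
            if ($age < FORM_MIN_AGE) {
                $reasons[] = "submitted too fast ({$age}s)";
            } elseif ($age > FORM_MAX_AGE) {
                $reasons[] = "token expired ({$age}s)";
            }
        }
    }

    // 3. Honeypot: hidden with CSS (not type=hidden), so a human leaves it empty and a bot fills it.
    if (($post['website'] ?? '') !== '') {
        $reasons[] = 'honeypot field filled';
    }

    // 4. Plain-language question instead of a CAPTCHA image.
    if (trim($post['human'] ?? '') !== '3') {
        $reasons[] = 'human question answered wrongly';
    }

    // 5. Referer must point at our own site. Some browsers and proxies strip it,
    //    so treat a hard failure here as a site-specific decision.
    $ref_host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($ref_host) || strcasecmp($ref_host, $site_host) !== 0) {
        $reasons[] = 'referer not from this site';
    }

    // 6. The spam in the thread is a string of <a href=...> links; a real enquiry never needs markup.
    if (preg_match('/<\s*a\b|https?:\/\//i', $post['message'] ?? '')) {
        $reasons[] = 'links in message';
    }

    return $reasons;
}

// Constructed sample submissions (not real data).
$secret = 'replace-with-a-long-random-per-site-secret';
$loaded = 1700000000;                       // pretend page-load time
$token  = issue_form_token($secret, $loaded);
$server = ['HTTP_REFERER' => 'https://www.example.com/contact.html'];

$human = ['token' => $token, 'website' => '', 'human' => '3',
          'name' => 'Jane', 'email' => 'jane@example.com', 'message' => 'Please call me back.'];
$bot   = ['token' => $token, 'website' => 'http://spam.example', 'human' => '',
          'name' => 'rikky', 'email' => 'goodsam@gmail.com',
          'message' => 'Punk not dead <a href="http://example.invalid/">generic provera</a>'];

print_r(check_submission($human, $server, $secret, $loaded + 20, 'www.example.com'));
print_r(check_submission($bot, $server, $secret, $loaded + 1, 'www.example.com'));
```

The human submission 20 seconds after page load passes every check; the bot-style one fails on speed, the honeypot, the question and the links at once, which is the point: each check alone is easy to defeat, together they reject the sample spam in the question without an image CAPTCHA. If a site's visitors often arrive with the Referer stripped, downgrade check 5 to "reject only when present and wrong" rather than dropping the other checks.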
ASKER
Dave - do you happen to have one of your PHP scripts that I can use, even as a starting point? I can modify an existing PHP script, but writing one from scratch would take me most of 2014 ...
Here is an article from Ray Paseur on CAPTCHA with code: https://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html
ASKER CERTIFIED SOLUTION
When I am writing the code, I create the original form in HTML and the response page in PHP, where I can check and filter the submissions. It is possible to do that with Perl, but you would have to be a decent Perl programmer to do that or to modify 'formmail.pl' to do it.