Before we Captcha
We've used the latest nms-formmail (FQ approved) script to collect feedback from our visitors for years with no problems.
However lately we are getting too much spam from .kz and .it through bots targeting our feedback pages. More sophisticated than usual. Quickly varying the proxy IP and mail contents. I've used the FQ Spam email filters, but I'd prefer to stop the forms being hammered.
So we are reluctantly considering implementing a Captcha method.
Loath to, because, well... you know how dense users can be.
Before we take that step, is there a simple way to add a required field in the nms script/feedback form? Something along the lines of a simple question, with a required answer?
What colour are lemons?
Or what is two times ten?
How would we do this in the form?
No ideas eh?
Well how about this perl script as a replacement for nms-formmail?
It requires the visitor to answer a simple maths question before the form is forwarded.
Could FQ Staff have a gander at the script and comment on whether it would be allowed at FQ? (I don't want to install it and discover it's exploitable.)
I found it here: (Not tried it yet).
http://www.fourmilab.ch/webtools/feedbackform/
I've set up the above FeedbackForm script from http://www.fourmilab.ch/webtools/feedbackform/ on our site as a trial. Not on our main /contact.htm page yet, but on our /feedback.htm and /answer.htm pages.
I'd be grateful if FQ Staff could check out its security. Your verdict will help others in future, because this is a growing problem.
To my amateur eye it seems as robust as nms-formmail. Let me know if you think it is suspect, and I'll remove it.
I like the script because it's perl, and instead of a graphic Captcha, it uses a randomly generated 'solve this equation' test. So screen readers can facilitate blind people contacting us, and it is legal in the UK and Europe.
I've cranked the coefficients right down, so it doesn't take much brainpower to solve them, i.e. 3x+4=10, x=?
You can even set a time-limit to solve the equation. (Two hours long enough Mr. President?)
In addition, it facilitates white-listing genuine submitters, and blacklists any nasties.
So goodies only have to solve an equation once, and baddies get permanently dropped. It stores its own green and black-lists, so it doesn't involve htaccess.
And you can choose to keep a complete log of all traffic and IPs attempting to use the script.
I've also renamed our nms-formmail script; so for the time-being, we have those new .kz .ru .it spam-bots canned.
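As an added illustration of the "solve this equation" test described above (example code, not the FeedbackForm or nms-formmail script itself): the server generates a small linear equation of the 3x+4=10 kind, hands the visitor a token carrying the deadline and an HMAC over the expected answer, and later checks the submitted answer against that token, so no answer is stored in the form or on the server. Python is used for clarity; the secret, the two-hour limit and the token layout are assumptions.

```python
import hashlib
import hmac
import random
import time

# Constructed secret for this illustration; a real deployment loads it
# from configuration outside the web root and rotates it if it leaks.
SECRET = b"constructed-example-secret-change-me"
TIME_LIMIT = 2 * 60 * 60  # seconds; the thread mentions a two-hour limit


def _sign(answer, deadline):
    """HMAC over the expected answer and the deadline, so the visitor can
    neither read the answer out of the token nor extend the deadline."""
    msg = f"{answer}:{deadline}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(rng=random, now=None):
    """Return (question, token) for an a*x + b = c puzzle with small
    coefficients (the poster's 'cranked right down' setting)."""
    now = int(time.time()) if now is None else now
    x = rng.randint(1, 9)   # the answer stays a single digit
    a = rng.randint(2, 5)   # small coefficient, as in 3x+4=10
    b = rng.randint(0, 9)
    c = a * x + b
    question = f"{a}x+{b}={c}  x=?"
    deadline = now + TIME_LIMIT
    token = f"{deadline}:{_sign(x, deadline)}"
    return question, token


def check_answer(submitted, token, now=None):
    """Accept only an intact, unexpired token whose signed answer matches
    what the visitor typed; anything malformed is simply rejected."""
    now = int(time.time()) if now is None else now
    try:
        deadline_s, mac = token.split(":", 1)
        deadline = int(deadline_s)
        answer = int(str(submitted).strip())
    except (ValueError, AttributeError):
        return False
    if now > deadline:
        return False  # time limit exceeded; the form should issue a fresh puzzle
    return hmac.compare_digest(mac, _sign(answer, deadline))
```

A token that passes is valid for any number of submissions until its deadline, so a form that must accept each solved puzzle only once also has to record used tokens, which is where the script's own green-list would come in.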
Melissa
12-14-2006, 10:21 PM
FutureQuest isn't able to provide script reviewing services upon request (you can imagine how busy that would keep the technical staff)...and we wouldn't be able to ensure that any scripts you choose would remain secure (it's recommended to sign up for mailings from the script author and monitor the scripts you're using for any security updates)...
Certain staff members may be able to comment if time permits, however quite a bit of information on what to look for has been posted here in the forums, such as in the following discussions:
http://www.aota.net/forums/showthread.php?t=20076
http://www.aota.net/forums/showthread.php?t=15740
I believe that there are also links that have been previously posted in the forums to external sites that give information on what to look for and how to ensure a script is properly secured.
You might also want to look for independent, third party reviews of the script, as well as asking the author about precautions that have been taken.
Possibly other site owners will comment as well if they have had experience with this particular script, or are willing to audit it for you.
Thanks Melissa, I understand. It was nice to see in those old threads how helpful Staff were in 2003. (I know, I know:)
Just thought I'd use the script and let Staff comment publicly to help others.
I'll stick with it, and re-post here if it gets exploited.
And if Staff do find time/enthusiasm, to have a look at it, I think we'd all benefit.
sheila
12-15-2006, 02:19 AM
It was nice to see in those old threads how helpful Staff were in 2003.
And still are.
Hardly a day goes by that we do not have staff posting in these forums assisting Site Owners.
Dec. 14th:
http://www.aota.net/forums/showthread.php?p=154512#post154512
http://www.aota.net/forums/showthread.php?p=154508#post154508
Dec. 13th:
http://www.aota.net/forums/showthread.php?p=154484#post154484
http://www.aota.net/forums/showthread.php?p=154465#post154465
http://www.aota.net/forums/showthread.php?p=154463#post154463
Dec. 12th:
http://www.aota.net/forums/showthread.php?p=154450#post154450
Dec. 11th:
http://www.aota.net/forums/showthread.php?p=154430#post154430
http://www.aota.net/forums/showthread.php?p=154414#post154414
Dec. 10th:
OK, I couldn't find a post from Staff on this date.
Dec. 9th:
http://www.aota.net/forums/showthread.php?p=154368#post154368
http://www.aota.net/forums/showthread.php?p=154356#post154356
Dec. 8th:
http://www.aota.net/forums/showthread.php?p=154326#post154326
http://www.aota.net/forums/showthread.php?p=154335#post154335
Dec. 7th:
http://www.aota.net/forums/showthread.php?p=154320#post154320
http://www.aota.net/forums/showthread.php?p=154311#post154311
http://www.aota.net/forums/showthread.php?p=154308#post154308
http://www.aota.net/forums/showthread.php?p=154323#post154323
Dec. 6th:
http://www.aota.net/forums/showthread.php?p=154279#post154279
http://www.aota.net/forums/showthread.php?p=154269#post154269
and so on.
(Note that I left out posts by Staff that were just visiting and chit-chat on the above days. I also did not post more than one link to any given thread, although staff may have posted to the thread multiple times.)
I'm sorry that your particular request doesn't seem to be one for which our staff is able to provide direct assistance, but Melissa has pointed you in the direction of some resources and given some very useful advice.
We do try to assist where we can. Honest.
Sorry Sheila, it wasn't intended as a slight, I do understand :) and especially appreciate your excellent help.
Maybe one day Staff might even cast a glance at this script...
kitchin
12-15-2006, 04:38 AM
It's hard to find someone to review an entire script. The best source for that is the community of users of the script.