NMS Formmail
johnfl68
02-20-2008, 06:10 PM
I asked this several months ago in another thread, and didn't get a response.
Is there something newer and more robust to take the place of NMS formmail, which has not been updated in years (2004)? Any recommendations from the FQ staff? Is NMS still the best answer?
I have seen an increase lately of robots posting to the forms, and of course would like to do what I can to alleviate this.
Any suggestions?
Thanks!
John
kitchin
02-20-2008, 06:18 PM
Form spam almost always has one string you can search on: "http://"
Count those up and score it, it's really easy. False positives are possible, but how many people are going to put 10 http://'s in the message and one in the "first name" field too?
jmihawkins
02-20-2008, 07:30 PM
I use NMS's TFMail, mainly for the ability to hide the 'to' address. My form spam volume goes up and down, depending on the spammer, day of week, whatever. The spammers have focused on just 1 of 8 forms, and just load up ALL the form fields with the same web address over and over. I've played the game of renaming all the pieces more than once, with only a coupla days relief. I recently reset my FQ built-in spam filters to exclude all executable content (as well as attachments), and have seen a major reduction in spam, with no impact on legitimate form submissions - could be the filter, could be the boys are on vacation, could be they aren't seeing any response and have moved on - who knows???
I stumbled across a suggestion to place a 'honey-pot' field in the form, using CSS to make it really tiny and hidden. The idea being no customer could see it or fill it in, but the spam-bot would - so you error-page any form with that field filled. Of course, you need to know enuff coding to add that to your form script.
Sheila has a similar script, Gypsy-Mail. I've asked her in the past about the possibility of adding a honey-pot field, but no response. Maybe she has some answers.
kitchin
02-21-2008, 01:23 AM
Yeah, I have a few other techniques, but counting those "http://"s is <edit>very good</edit> I tell you.
johnfl68
02-24-2008, 10:56 AM
Are you doing this (looking for http://'s) in the form, or with an email filter, or how? Any examples?
I also have a reCAPTCHA key for vBulletin 3.7.0 Beta that I guess I could also start using on the forms on the web site.
Thanks.
kitchin
02-24-2008, 12:40 PM
My scripts are custom, so I don't know how helpful I will be. Do you know how to modify NMSFormmail? Or have you seen any good plugins for it?
I scan the content in the form processing script. Form spam is where "http://" seems to be the best test by far. I mean, somebody could be emailing you a bunch of links. But if multiple links are in the name field, or whatever, that is wrong!
I add score, "[spam 6]" or whatever, to the beginning of the subject line, like SpamAssassin does. Then I can filter and sort them in my email client: Eudora, Thunderbird, Outlook, etc. In other words, they go into a spam folder and I check it for false positives every so often.
If you have a point in NMSFormmail you want to modify, post the line number and version here. The scanning code that counts http:// is easy.
johnfl68
02-24-2008, 03:58 PM
No, I do not know how to modify NMS Formmail - It looks like there is a spot for custom code, but have not gotten to trying anything yet.
Anyone ever look into using reCAPTCHA with NMS Formmail?
I am interested in this route - have looked at it briefly, it sounds like many people want to do this, as they are using NMS Formmail, but no one has published a working example yet (at least that I could find).
One posting I saw made it sound like you need reCAPTCHA.pm in the Perl Library, not sure if this is the case on the FutureQuest servers.
John
johnfl68
02-25-2008, 06:41 PM
Ok, so I need the following Perl modules that are not installed on the FQ servers:
CGI::Simple
Captcha::reCAPTCHA
Can I install these in my cgi-bin, or other folder in my account, and do I need to do something in the script to identify these as being somewhere else? Or do they need to be installed for the whole server, which I assume is not likely to happen?
Any help would be appreciated.
Thanks!
John
johnfl68
02-28-2008, 10:23 PM
Bueller?... Bueller?... Bueller?
sheila
02-28-2008, 10:56 PM
Sheila has a similar script, Gypsy-Mail. I've asked her in the past about the possibility of adding a honey-pot field, but no response. Maybe she has some answers.
I'm sorry...
I don't recall receiving that from you, but maybe I did and it was a long time ago and I've simply forgotten? Truly sorry...
The state of the situation with GypsyMail is that I haven't done any development on it in a very, very long time (a few years). There's certainly stuff that could be done to it to improve it. However, I'm occupied with other things. So, honestly, I don't see that I would be doing any coding on it any time in the foreseeable future.
If someone else wanted to add that functionality to the script and contribute the code, I would be happy to post the update on my site. As it is, the way GypsyMail is currently, I was even thinking of taking it down off my site (due to the lack of recent updates and the fact that it doesn't prevent spam from being sent to the addresses coded into the template...).
sheila
02-28-2008, 11:00 PM
Ok, so I need the following Perl modules that are not installed on the FQ servers:
CGI::Simple
Captcha::reCAPTCHA
Can I install these in my cgi-bin, or other folder in my account, and do I need to do something in the script to identify these as being somewhere else? Or do they need to be installed for the whole server, which I assume is not likely to happen?
I'm not familiar with these Perl modules, but if they will work for a local installation (some Perl modules do), then you are welcome to install them yourself locally.
If you find that they must be installed server-wide, then send an email to the Service Desk requesting that we review and consider this request.
sheila
02-29-2008, 03:04 AM
Ok, so I need the following Perl modules that are not installed on the FQ servers:
CGI::Simple
Captcha::reCAPTCHA
These two modules have now been installed across all servers.
Hope that helps. :)
johnfl68
02-29-2008, 05:58 AM
Thanks Sheila!!!
I'll have time after tomorrow to try and figure out the implementation into NMS Formmail. If I can get it all working, I will post for others.
John
jmihawkins
03-01-2008, 03:13 PM
I'm sorry...
I don't recall receiving that from you, but maybe I did and it was a long time ago and I've simply forgotten? Truly sorry...
Sheila, my bad! 'Twas not a criticism or complaint! Merely a query...
Besides, was a LONG time back, posted thru your website, and maybe I didn't keep up, myself.
Michael
johnfl68
03-02-2008, 01:32 PM
So far so good (I guess). I have the response checking working (valid or not valid reCaptcha response), but it is messing up the Recipient part of the NMS script for some reason, and I am trying to figure it out. None of the variables are the same names, so that shouldn't be it.
Does anyone know what this is for:
$| = 1;
I'm not easily finding any reference to this (I'm sure I'll hate myself for not knowing after someone tells me). I'm rusty with Perl. :smile:
Thanks!
John
johnfl68
03-02-2008, 09:48 PM
Ok, so it looks like the CGI::Simple module is causing a problem with the Recipients part of the Formmail script.
Arrrg - why can't scripts play well together! :dunno:
John
McDuff
03-26-2008, 02:06 PM
We had problems with spam on our guestbook, and found a solution to it. I think the same principle and coding is possible in form mail as well. For real form mail we use the gypsy script, still seems to be working ok.
Included two fields in plain sight called name=website and name=url. Added a warning in front and at the beginning of the form coding that those fields should be left empty.
Looks like this, with the first part written in red font:
First read "BEWARE" Website: ...........
Fill anything in the empty space and -when submitting- the form throws an "Unexpected input, exiting program :rasberry: " message and terminates without entering anything in the log or doing anything else.
What I like about it is that you need a human to check where it goes wrong; there are no tell-tale hints like "hidden field" or any other strange code in the form itself. Only a rule in the CGI script that if that field has data, then exit.
I don't like to use captchas, too annoying for our target group.
kitchin
03-26-2008, 03:54 PM
You could wrap it in
<div style="display: none;">
</div>
for the 99% of browsers that understand that.
But then it's not so simple if it goes wrong.
McDuff
03-26-2008, 06:07 PM
You could wrap it in
<div style="display: none;">
</div>
I read about that and other tricks like 1 pxl pictures etc. Would not smart bots look for such things, like have a command saying that "if field location = <div style="display: none;"> field </div>, do not fill field"?
Don't actually know how bots really work; do they run through a complete site and then "report back" with all the harvested emails or a message like "spam delivered" or do they report link for link? Does a bot falling into our bot-trap disappear from the radar without doing harm to me or am I killing the bug after it stole info from my site? Given the number and types of bots, probably yes to all possibilities.
I would guess not until more than a few percent of forms start doing a given trick. Right now there are plenty of easier targets to hammer away at.
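An added example, not part of any post in this thread and not NMS FormMail or GypsyMail code: one way a form-processing script could combine the visible trap fields McDuff describes with the "http://" counting and subject tagging kitchin describes. The field names other than website and url, the weights and the threshold are assumptions, and all names in the code are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Trap field names come from McDuff's post; everything else is assumed.
my @TRAP_FIELDS  = qw(website url);
my %SHORT_FIELDS = map { $_ => 1 } qw(realname email subject);
my $SPAM_AT      = 5;    # assumed threshold for calling a message spam

# Returns ($verdict, $score). 'reject' means a trap field was filled in:
# the caller shows an error page and sends no mail.
sub screen_form {
    my ($form) = @_;
    for my $trap (@TRAP_FIELDS) {
        my $v = $form->{$trap};
        return ('reject', 0) if defined $v && $v =~ /\S/;
    }
    my $score = 0;
    for my $field (sort keys %$form) {
        my $v = $form->{$field};
        next unless defined $v;
        # Count links; https is included as a generalization of "http://".
        my $links = () = $v =~ m{https?://}gi;
        # A link in a name-type field weighs more than one in the message.
        $score += $links * ($SHORT_FIELDS{$field} ? 3 : 1);
    }
    return ($score >= $SPAM_AT ? 'spam' : 'ok', $score);
}

# Prefix the score so a mail client can filter and sort on it.
sub tag_subject {
    my ($subject, $score) = @_;
    $subject =~ s/[\r\n]+/ /g;    # a form value must not add header lines
    return $score > 0 ? "[spam $score] $subject" : $subject;
}

# Constructed sample submissions, not real traffic.
my @samples = (
    { realname => 'Ann', subject => 'Order', website => '',
      message  => 'My order page is http://shop.example/o/17' },
    { realname => 'http://pills.example', subject => 'Hi', website => '',
      message  => 'http://pills.example ' x 4 },
    { realname => 'Bob', subject => 'Hello', website => 'http://pills.example',
      message  => 'Nice site' },
);
for my $form (@samples) {
    my ($verdict, $score) = screen_form($form);
    print "$verdict: ", tag_subject($form->{subject}, $score), "\n";
}
```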
johnfl68
06-30-2008, 02:51 PM
I have just been sent a solution to adding reCAPTCHA to NMS formmail - as soon as I get a chance to try it out here at FQ, and see that it works, I will post the information for all.
John
johnfl68
06-30-2008, 06:34 PM
Ok, I just tried this and it works - hopefully will help a little bit more with those of you receiving spam via Formmail.
(these instructions for FutureQuest servers - otherwise you will need to install the reCaptcha perl module for other servers)
Edit your formmail.cgi file (whatever you have renamed it - make a backup just in case):
(line numbers may vary)
Line 1034 is blank; change it to:
use Captcha::reCAPTCHA;
Should now look like this:
package CGI::NMS::Script;
use strict;
use Captcha::reCAPTCHA;
use CGI;
use POSIX qw(locale_h strftime);
Line 2094 is blank, change it to:
$self->check_recaptcha or return;
Should now look like this:
        $self->missing_fields_output(@missing);
        return;
    }
    $self->check_recaptcha or return;
    my $date = $self->date_string;
    my $email = $self->get_user_email;
Insert the following two functions into the script
starting at line 2104. Replace YOUR_PRIVATE_KEY_HERE with your actual
private key from the reCaptcha folks.
2104 is just above this:
=item date_string ()
Returns a string giving the current date and time, in the configured
format.
Here is the code to insert above that:
# START additions to support reCaptcha verification

=item check_recaptcha ( )

Uses the reCaptcha perl module to CHECK the user entered words.

=cut

sub check_recaptcha {
    my ($self) = @_;

    use constant PRIVATE_KEY => 'YOUR_PRIVATE_KEY_HERE';
    my $c = Captcha::reCAPTCHA->new;

    # A missing response field is treated the same as a wrong answer.
    if ( $self->{Form}{recaptcha_response_field} ) {
        # Ask the reCAPTCHA service to verify the challenge/response pair.
        my $result = $c->check_answer(
            PRIVATE_KEY, $ENV{'REMOTE_ADDR'},
            $self->{Form}{recaptcha_challenge_field},
            $self->{Form}{recaptcha_response_field}
        );
        if ( $result->{is_valid} ) {
            return 1;
        }
        else {
            $self->bad_recaptcha_error_page;
            return 0;
        }
    }
    else {
        $self->bad_recaptcha_error_page;
        return 0;
    }
}

=item bad_recaptcha_error_page ()

Outputs the error page for a bad or missing reCaptcha user entry.

=cut

sub bad_recaptcha_error_page {
    my ($self) = @_;

    # The heredoc body and its END marker must start in column 0.
    my $errhtml = <<END;
<p>
The validation word response was missing or not correct.
All test phrases are two words long so your entry should
be two words as well. The presented words are generated
automatically from a scanned book and are often hard to read.
Please use the back button in your browser to return to the form
and you will automatically have two new words. There is a small
refresh icon next to the response field that will generate two
new words if you can not read the two words presented.
</p>
END

    $self->error_page( 'Error: Incorrect or Missing Challenge Words',
        $errhtml );
}

# END additions to support reCaptcha verification
Don't forget to put in your private key from reCAPTCHA!
That is it for the changes to the formmail script - save it.
Now for the HTML form page.
Insert the following code just above your "Submit" button:
<script type="text/javascript"
src="http://api.recaptcha.net/challenge?k=<your_public_key>">
</script>
<noscript>
<iframe src="http://api.recaptcha.net/noscript?k=<your_public_key>"
height="300" width="500" frameborder="0"></iframe><br>
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
</textarea>
<input type="hidden" name="recaptcha_response_field"
value="manual_challenge">
</noscript>
Make sure to place your matching public key in the 2 places above.
And that should do it. With these changes made to your files on the server, you should now need a valid response to the reCAPTCHA to be able to submit the form.
You will, however, receive the recaptcha_challenge_field and the recaptcha_response_field in the email messages, but that is better than getting more spam.
Special thanks to Blake Girardot for his help with this!
Any questions, let me know, I will try and help.
John