Reducing form-spam and using bot-traps.


McDuff
03-16-2008, 09:26 AM
We have a guestbook that doubles as contact form on our website czechfriends org. After repairing it, we immediately got entries...90% of them spam. Besides, I get notifications that the spammers are probably filling all kinds of email addresses as “sender”, maybe harvested addresses to distribute further spam?

Like everybody else, I would like to stop form spammers from :rollpin:
1. fill up our visitors book with spam and my mailbox with notification mails
2. Use harvested emails to get their spam message out using our “auto-reply” option

There are several FQ threads about this and Google also gives a lot of sites :ytcoffee: . No golden bullet but a lot of different options using combinations of solutions.

Our target group is mostly elderly, using old computers and/or dial-ups. In addition, I am neither a designer nor a programmer. I am not bad in nicely adapting existing things, but not good at all at inventing new things. So everything has to be user-friendly and very KISS.

I am still investigating what is possible and am not sure yet what to do. Maybe a combination like this:
- Include a “must fill subject” field in the form, but add a script so that if the field is filled, an error will be returned. Then block that field from visibility with a picture on top of it. Humans will see the picture; bots will fill the field and end up with an “Internal Server Error” message.
- Include a field that is made “invisible” with CSS; lessen the chance that a bot will get around two differently hidden fields.
- Make the CGI script only accept submissions from the form page (see below).
- Stop messages with website links
- Use an “alias” email as automatic reply, and stop the alias if it gets too much spam.
- Install a bot-trap
- Mention in the robots.txt that robots should stay away from the form page and several other pages.

Some questions for this community about this as well:

Sheila’s remark in a previous thread: http://www.aota.net/forums/showthread.php?t=22348&highlight=captcha+spam
“…unless the CGI script checks that it was submitted from a particular page”. How to make the CGI script do that was not included. Does any ready script exist for that?

Project Honey Pot http://www.projecthoneypot.org.
Last reference on this forum was from 2005. Does anybody on FQ work-link with them?

Does anybody have experience with this bot-trap? http://danielwebb.us/software/bot-trap

Some sites with some interesting remarks, especially if you read the later comments and follow some of the links. For avid spam-fighters or experienced site managers probably old hat, but for less experienced small operators maybe useful.

http://isc.sans.org/diary.html?storyid=1836
http://www.modernblue.com/web-design-blog/fighting-spam-with-css/
http://blog.riverc.org/?q=node/19 (a reply on the link above)

Tom
03-16-2008, 10:11 AM
Not sure what it buys you, but the first thing that I thought of was a captcha (http://en.wikipedia.org/wiki/Captcha).

McDuff
03-16-2008, 11:37 AM
Not sure what it buys you, but the first thing that I thought of was a captcha (http://en.wikipedia.org/wiki/Captcha).

I looked into those as well, and into the simpler form of just giving a fixed code or word and let people fill that into an obligatory field. However, for our more elderly target group I want to keep it as simple and user-friendly as possible, even if it means more complicated work for me to set up.

Besides, I got the feeling from Google searches that simple captchas are already easily bypassed and more complicated ones (like crossed-through words) are too difficult for people with not too good eyesight or not familiar with this kind of thing, i.e. our typical target group.

FQ staff, can one of you please :ytgamer: correct the thread title to "form-spam"? "Farm-spam" is an interesting idea maybe but not really what I wanted as title; it makes searching later also difficult. Thanks.

Melissa
03-16-2008, 11:43 AM
FQ staff, can one of you please :ytgamer: correct the thread title to "form-spam"? "Farm-spam" is an interesting idea maybe but not really what I wanted as title; it makes searching later also difficult. Thanks.

Done. :)

McDuff
03-17-2008, 01:09 PM
Done. :)

Thanks Melissa.

Just installed the first bot trap :ytshark: . You can try it out by typing czechfriends org slash dugout / slash /index.php. This is part of the site that is explicitly forbidden for robots and cannot be seen by normal visitors. Let's see what happens.

johnfl68
03-17-2008, 01:43 PM
I looked into those as well, and into the simpler form of just giving a fixed code or word and let people fill that into an obligatory field. However, for our more elderly target group I want to keep it as simple and user-friendly as possible, even if it means more complicated work for me to set up.

Besides, I got the feeling from Google searches that simple captchas are already easily bypassed and more complicated ones (like crossed-through words) are too difficult for people with not too good eyesight or not familiar with this kind of thing, i.e. our typical target group.


I have been trying to get Carnegie Mellon's reCAPTCHA (http://recaptcha.net/) to work with NMS Formmail - unfortunately there is a conflict between Formmail and one of the needed modules to process the captcha - so I am probably switching to a PHP solution which should be easier.

Interestingly enough, it seems that reCAPTCHA is a bit forgiving in the sense that you do not have to get the text exactly correct in most cases, and it seems that they have a good understanding of what human mistakes are in this case versus bots. It will be interesting to see if/how it helps the spam problem when I get it implemented.

They also have a Mailhide (http://mailhide.recaptcha.net/) service - where you put in your email address on their site, and it gives you back the html code that creates a link to a popup with reCAPTCHA to solve to get the full email address. I am trying this in a few places as well.

John

jay scott
03-17-2008, 03:58 PM
Akismet (http://akismet.com/) is good for some uses. They advertise it especially for blogs, but it works for all kinds of forms.

The advantage over CAPTCHA is that it is invisible to users. The main disadvantage is that, depending on your situation and how closely it matches their recipes, it may need a little bit of programming smarts to get working.

In my experience Akismet stops about 95% of spam overall and has occasional false positives (blocking posts that aren't spam). Its effectiveness tends to vary unpredictably, though; some days it's just not as smart as others.

McDuff
03-17-2008, 07:34 PM
- Include a “must fill subject” field in the form, but add a script so that if the field is filled, an error will be returned.

I am using the FQ provided guestbook.

- how do I write a script line so that if a forbidden field is filled, the form does not add the entry to the guestbook but stops and returns an error message?

- can I put such a line completely at the beginning of the guest.cgi so that if any of the forbidden fields is filled, the entire entry is immediately discarded and an error message returned?

McDuff
03-19-2008, 04:45 PM
Got something up and working, sort of, looks like, maybe :confuz:

Fits better in a thread on general coding, so let's continue there:
http://www.aota.net/forums/showthread.php?t=23741

DogAndPony
03-20-2008, 04:09 AM
Just to throw in my puny 2¢...

For contact form spam, I've started adding code that tests for links in the form's message/comments field, and aborts the mail send if there's one there. It's eliminated virtually all form spam for myself and my clients, although I can't say which is bot spam and which is manually entered. And I'm not using captchas on any of these forms.

Naturally, this means users can't send you links unless they're munged in some way, but it's never presented a problem, since a follow-up email with links in it works fine.

Okay, that's it from the peanut gallery for now. :safegrin:
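The bait-field check McDuff asks about, the "only accept submissions from the form page" item from his list, and the link test DogAndPony describes, combined into one filter as an added example; this is not code from the thread or from the FQ guestbook (guest.cgi is Perl, this is a stand-alone Python sketch of the same logic). The field names, hosts and messages are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed names: one bait field hidden under a picture, one hidden by CSS.
# A real visitor never sees either, so any value in them marks a bot.
BAIT_FIELDS = ("subject", "url_check")
# Placeholder for the host that serves the guestbook form page.
FORM_PAGE_HOSTS = {"www.example.org", "example.org"}
# Bare URLs, "www." hosts, BBCode [url] tags and HTML anchors in the message.
LINK_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+|\[url[=\]]|<a\s")


def reject_reason(fields, referer):
    """Return None for a plausible human entry, else a short reason string.

    `fields` is the posted form as a dict; `referer` is the HTTP Referer header.
    Checks run cheapest first so spam is discarded before anything is stored.
    """
    # 1. Bait fields filled -> bot.
    for name in BAIT_FIELDS:
        if fields.get(name, "").strip():
            return f"bait field '{name}' filled"
    # 2. Only accept submissions that arrived from the form page itself.
    #    Referer is client-supplied and some privacy tools blank it, so this
    #    is a nuisance filter, not proof; a missing header is still rejected here.
    host = urlparse(referer or "").hostname
    if host is None:
        return "missing referer"
    if host.lower() not in FORM_PAGE_HOSTS:
        return f"referer host '{host}' is not the form page"
    # 3. Links in the message body -> abort, as DogAndPony describes.
    if LINK_RE.search(fields.get("message", "")):
        return "link in message"
    return None


def handle_submission(fields, referer):
    """Front door of a guestbook script: (status, text) before any entry is written."""
    reason = reject_reason(fields, referer)
    if reason is not None:
        # Log `reason` server-side; the visitor only sees a generic error.
        return 400, "Your entry could not be accepted."
    return 200, "Thank you for signing the guestbook."
```

Because the Referer header is client-supplied, treat that check as a nuisance filter; the bait fields and the link test do the real work, and the generic error text keeps the script from telling a bot which test it tripped.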

McDuff
03-24-2008, 12:58 PM
For contact form spam, I've started adding code that tests for links in the form's message/comments field, and aborts the mail send if there's one there. :safegrin:

I have to install that too if I have time.

We use Sheila's gypsy form on another site as a pure contact form, and it runs without problems. For this particular site, I wanted a real-time guestbook without me having to bother checking every five minutes. My last jubilant announcement was a bit premature, but since yesterday, it finally works OK (I think).