formmail abuse
pelagia
12-26-2006, 05:14 AM
Hello,
I'm getting submissions through my nms formmail that do not match the HTML form that I have on my site. For example, they have "WWW Form Submission" for the subject instead of the subject that I have specified, and they do not record the sender's email address but are from "nobody@zoomer.futurequest.net" instead. Also, I use maxlength to limit the number of characters per field, but they are somehow overriding this and submitting very long lists of URLs. I'm getting regular spam through my forms as well, and it's getting worse every day; soon all I will be doing is sifting through spam.
So, I am hoping someone can point me to a captcha that I can add to the nms form. I don't want to switch to php but I will if I have to, I'm just not sure which script is best to use on futurequest. Anyone? Thanks! :)
sheila
12-26-2006, 10:40 PM
I can't advise you on any captchas, as I have never installed one (yet) on any of my websites.
However, the problem with scripts like nms formmail is that they allow the submitter of the script to submit whatever values they like into the form. Also, as you noted, the submitter does not have to use your HTML form page to submit the script (this is true of any CGI script), unless the CGI script checks that it was submitted from a particular page (there are various mechanisms to do this).
One thing that you might try, is using a form mail type of script that has templated responses, so that the spammers cannot simply submit anything they like into the form. One such script is this one:
GypsyMail (http://www.thinkspot.net/sheila/staticpages/index.php?page=gypsymail)
I use it on my site (I am the script author) and do not recall getting any spam from my script. Well, occasionally, but very few and far between, and it's been a very long time since I received one.
There are other similar scripts, but I don't have links to them off-hand, and don't recall the names at the moment. A search of these forums for "template script" might return some earlier discussions on this topic with names of some similar scripts.
pelagia
12-27-2006, 12:06 AM
Thanks Sheila, I will look at your script.
nms formmail is supposed to check a list of referring hosts and only allow those on the list to use the script - I have mine filled out like this:
@referers = qw(example.com www.example.com);
Is this not working anymore?
Arthur
12-27-2006, 04:25 AM
> Also I use maxlength to limit the amount of characters per field but they are somehow overriding this and submitting very long lists of urls.

Spammers don't use the form; they bypass it and directly submit to the mailform script.
> nms formmail is supposed to check a list of referring hosts and only allow those on the list to use the script - I have mine filled out like this:
> @referers = qw(example.com www.example.com);
> Is this not working anymore?

Referrer fields are easily faked, and spammers nearly always use fake referrers.
-Arthur
Andilinks
12-27-2006, 09:36 AM
My formmail is quickly becoming useless, only the spammers lack of imagination in choosing their names makes it possible to screen the incoming flood, and any unfortunate whose actual name is similar to the spammer's choices gets deleted.
I will be investigating captchas. I'm thinking of possibly accepting only Blogger comments as input, these require a captcha. That would send people to another domain, but it is a q&d solution.
DogAndPony
12-27-2006, 01:47 PM
> Spammers don't use the form, they bypass it and directly submit to the mailform script.
If Pelagia's problem is like mine, it's not a form hijack... It's just that they're spamming whoever the form recipient is, so they're sending it via the form.
For this kind of spammer, I've had a lot of success with just disallowing all URLs in my (custom) scripts. Makes it tough for those who use scripts, although a real human can generally get the message across without making it a clickable link.
On the other hand, to keep would-be hijackers from sending tons of test messages before giving up, I've added other measures which have pretty much killed their input.
Every once in a while something gets through, but it's usually because they found a script whose loins I haven't girded yet. :smile:
I've never used a canned formmail-style script; always seemed too dangerous...
pelagia
12-27-2006, 08:15 PM
> If Pelagia's problem is like mine, it's not a form hijack... It's just that they're spamming whoever the form recipient is, so they're sending it via the form.

I'm not sure what they are doing. I have commented out the submit button and I still get the spam. Also, how would they override the maxlength if they are using the form?
If they are submitting directly to the script is there any way to stop them? I tried moving it and renaming it and they were back within 2 hours.
Also if they are submitting directly to the script, then will a captcha work? Is that part of the html form or the script?
It has to be integrated into the script.
Andilinks
12-27-2006, 09:40 PM
I've had some success by periodically changing the email address associated with the form, but some spammers are now quickly defeating that. I think if I periodically change the file name of the contact page, they will require some time to find it.
That will be easier than installing complicated scripts which never work the first time anyway.
I find it odd that these slugs are fiendishly clever when defeating my anti-spam efforts and yet they use this skill to send me the dumbest possible messages.
pelagia
01-02-2007, 10:06 PM
> That will be easier than installing complicated scripts which never work the first time anyway.
Yes, I know, I found one but it doesn't work. I get an Internal Server Error message and in the logs_cgi it says Out of memory. Then I read that this might be caused when the host has a memory limitation policy. Is this correct?
> I find it odd that these slugs are fiendishly clever when defeating my anti-spam efforts and yet they use this skill to send me the dumbest possible messages.

Ha ha. I know; the sad thing is they must be fooling someone, otherwise why would they keep doing it?
> I've had a lot of success with just disallowing all URLs in my (custom) scripts.
What does that mean? How do you do that?
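The three points raised in this thread (Arthur's note that the Referer check is decided by a header the client supplies and can be forged, pelagia's question of how a bot gets past maxlength, and DogAndPony's "disallow all URLs" filter) can be shown together in one small handler. The code below is an added example for this page; it is not code from nms FormMail, GypsyMail or any poster. The field names, the per-field limits, the allowlist (copied from the @referers line quoted above) and the two sample requests are all constructed for the demonstration.

```python
"""Server-side checks for a formmail-style CGI handler.

Added example, not code from nms FormMail or from any poster in this thread.
Assumed: the field names, the limits, the allowlist and the two sample
requests below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist, mirroring the thread's @referers = qw(example.com www.example.com).
# Exact hostname match is an assumption made here, not nms FormMail's own rule.
ALLOWED_REFERERS = {"example.com", "www.example.com"}

# Assumed server-side copy of the HTML maxlength attributes. The HTML attribute
# is only enforced by the browser; a direct POST to the script never sees it.
MAX_LENGTHS = {"subject": 60, "email": 100, "message": 1000}

# Crude URL detector for DogAndPony's "disallow all URLs" rule.
URL_RE = re.compile(r"(?i)(?:https?://|www\.)\S+")


def referer_allowed(headers):
    """Return True if the Referer header names an allowed host.

    Decided purely by a client-supplied header, so a forged value passes:
    this is Arthur's point, and why the check alone does not stop bots.
    """
    referer = headers.get("Referer", "")
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in ALLOWED_REFERERS


def validate_fields(fields):
    """Return a list of reasons to reject the submission (empty = accept)."""
    problems = []
    for name, limit in MAX_LENGTHS.items():
        value = fields.get(name, "")
        if len(value) > limit:
            problems.append(f"{name}: {len(value)} chars exceeds maxlength {limit}")
    urls = URL_RE.findall(fields.get("message", ""))
    if urls:
        problems.append(f"message: contains {len(urls)} URL(s)")
    return problems


def check_submission(headers, fields):
    """Combine the referer check with the server-side field checks."""
    problems = []
    if not referer_allowed(headers):
        problems.append("referer: not in allowlist")
    problems.extend(validate_fields(fields))
    return problems


# Constructed sample: a real visitor using the HTML form on the site.
VISITOR = (
    {"Referer": "http://www.example.com/contact.html",
     "Content-Type": "application/x-www-form-urlencoded"},
    {"subject": "Question about your pottery", "email": "jane@example.org",
     "message": "Do you ship to Canada? Thanks."},
)

# Constructed sample: a bot POSTing straight to the script with a forged Referer.
# No subject field is sent (the first post reports the script's default subject
# appearing), and the message is far longer than any maxlength, since no
# browser was involved.
SPAMMER = (
    {"Referer": "http://www.example.com/contact.html",   # forged
     "Content-Type": "application/x-www-form-urlencoded"},
    {"message": " ".join(f"http://spam{i}.example/buy" for i in range(200))},
)

if __name__ == "__main__":
    for label, (hdrs, flds) in (("visitor", VISITOR), ("spammer", SPAMMER)):
        print(label, "referer check passed:", referer_allowed(hdrs))
        print(label, "problems:", check_submission(hdrs, flds) or "none")
```

Run stand-alone, the output shows the forged Referer passing the allowlist check for both requests, while the server-side length and URL checks reject only the bot's submission. The lesson for the thread is that maxlength and the referer list are client-side or client-controlled, so any limit that matters has to be enforced again inside the script.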
Arthur
01-03-2007, 04:11 AM
> I get an Internal Server Error message and in the logs_cgi it says Out of memory. Then I read that this might be caused when the host has a memory limitation policy. Is this correct?

Yes, there is a 32 MB memory limit for CGI scripts on the shared servers.
-Arthur