Stopping spam from a email form

Elmo

So I have simply put in required fields and a random number for the user to confirm. Is there anything else that I can do to prevent spam.

The random number currently appears in a read only text box.

syklops

Elmo wrote: »

So I have simply put in required fields and a random number for the user to confirm. Is there anything else that I can do to prevent spam.

The random number currently appears in a read only text box.

I/We'll need more to go on. What language are we talking about? Would you consider a captcha(I hate the things, but they are effective). How many characters is the random character confirmation?

Are you doing any user-input sanitation? I mean, in the "To:" field, what stops someone putting in "syklops@boards.ie; aaaronaaronson@gmail.com; aaaronaaronson1@gmail.com; aaaronaaronson2@gmail.com" etc?

Elmo

syklops wrote: »

I/We'll need more to go on. What language are we talking about? Would you consider a captcha(I hate the things, but they are effective). How many characters is the random character confirmation?

Are you doing any user-input sanitation? I mean, in the "To:" field, what stops someone putting in "syklops@boards.ie; aaaronaaronson@gmail.com; aaaronaaronson1@gmail.com; aaaronaaronson2@gmail.com" etc?

PHP but the required fields and the confirmation are in spry should I use PHP through the whole process?

The random character confirmation is only digits from 1000 to 10000 <<<< very, very simple. I was thinking of getting the user to add 2 randomly generated numbers from 1 to 20. I would consider Captcha.

The To: field is not open to the user but the user can enter any From: field that takes the form of an email address.

It is all very, very simple.

AnCatDubh

You could always add a quick random math question -

what is 2 + 5?

or mix with text equivalents;

if I had three sweets and ate one of them how many would I have left?

mix em up a bit and confuse the spambot? it would leave things still fairly simple/straightforward.

It won't be perfect but should kill most of the spambots. Then you send around people with baseball bats to the people who are human spammers

There are lots of php captchas available which you could also plug in to your application.

Elmo

AnCatDubh wrote: »

what is 2 + 5?

Code currently looks like this (have not included confimation code etc).

[PHP]<?php
$rad1 = rand(1, 20);
$rad2 = rand(1, 20);
$rad = $rad1 + $rad2;
echo 'Please add ' . $rad1 . ' + ' . $rad2 . ' and place your answer in the text box below';
echo '<input name="random" type="hidden" id="random" value="';
echo $rad;
echo '" />';
?>[/PHP]

Screaming Monkey

rather than trying to re-invent the wheel, you could always use http://www.google.com/recaptcha

has PHP plugin as well http://code.google.com/apis/recaptcha/docs/php.html

SM

AnCatDubh

Elmo wrote: »

Code currently looks like this (have not included confimation code etc).

[noparse]<?php
$rad1 = rand(1, 20);
$rad2 = rand(1, 20);
$rad = $rad1 + $rad2;
echo 'Please add ' . $rad1 . ' + ' . $rad2 . ' and place your answer in the text box below';
echo '<input name="random" type="hidden" id="random" value="';
echo $rad;
echo '" />';
?>[/NOPARSE]

If if understand correctly where you are going with this then Yes, that's the gist of the start of it - assumes you have a normal form field in there too to take the user input.

In your confirmation page script (assuming that's where you are doing your checks), how are you processing your hidden field compared to the value entered by the user?

This is where (again assuming you are handling it in the confirmation page script) you would compare the value entered by the user or spambot to the value calculated as per your code above (in the hidden field). If you don't get a match then don't send an email / issue an appropriate response.

Assuming the spam bot isn't clever enough to do maths you should get very little spam coming through.

Also might be worthwhile giving real people that will use your form a break by keeping one of the rand(s) quite small - perhaps rand(1, 5) - it won't matter to the spam bot but humans will thank you for it - not necessary but just a thought.

Razzuh

Screaming Monkey wrote: »

rather than trying to re-invent the wheel, you could always use http://www.google.com/recaptcha

has PHP plugin as well http://code.google.com/apis/recaptcha/docs/php.html

SM

I know it's effective but I really hate using recaptcha. Every time I have to fill one out I know google are making me work for them for free and it irks.

From a more objective standpoint I think they're poor for usability. There's two words and the text of the 'bad' word is often so bad you have to fill them out twice. Very time consuming.

I'd say avoid recaptcha if you can. It depends on how likely you are to be targeted though: what the form does and what business you're in. Having an old-school limited database of questions like 'what colour is the sky?', your own maths question plan, or a number of easy image captchas might do you.

h57xiucj2z946q

Razzuh wrote: »

From a more objective standpoint I think they're poor for usability. There's two words and the text of the 'bad' word is often so bad you have to fill them out twice. Very time consuming.

That's usually the 2nd word. And you can enter anything for the 2nd word anyway.

Razzuh

Lexi White Rower wrote: »

That's usually the 2nd word. And you can enter anything for the 2nd word anyway.

Oh ya that's right. I wasn't really thinking. It must be the first word I'm getting wrong so! I do have to fill them out twice often.