
Stopping spam from an email form

  • 16-09-2011 9:25am
    #1
    Registered Users, Registered Users 2 Posts: 23,641 ✭✭✭✭


    So I have simply put in required fields and a random number for the user to confirm. Is there anything else that I can do to prevent spam?

    The random number currently appears in a read only text box.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Elmo wrote: »
    So I have simply put in required fields and a random number for the user to confirm. Is there anything else that I can do to prevent spam?

    The random number currently appears in a read only text box.

    I/We'll need more to go on. What language are we talking about? Would you consider a captcha (I hate the things, but they are effective)? How many characters is the random character confirmation?

    Are you doing any user-input sanitation? I mean, in the "To:" field, what stops someone putting in "syklops@boards.ie; aaaronaaronson@gmail.com; aaaronaaronson1@gmail.com; aaaronaaronson2@gmail.com" etc?


  • Registered Users, Registered Users 2 Posts: 23,641 ✭✭✭✭Elmo


    syklops wrote: »
    I/We'll need more to go on. What language are we talking about? Would you consider a captcha (I hate the things, but they are effective)? How many characters is the random character confirmation?

    Are you doing any user-input sanitation? I mean, in the "To:" field, what stops someone putting in "syklops@boards.ie; aaaronaaronson@gmail.com; aaaronaaronson1@gmail.com; aaaronaaronson2@gmail.com" etc?

    PHP but the required fields and the confirmation are in spry :( should I use PHP through the whole process?

    The random character confirmation is only digits from 1000 to 10000 <<<< very, very simple. I was thinking of getting the user to add 2 randomly generated numbers from 1 to 20. I would consider Captcha.

    The To: field is not open to the user but the user can enter any From: field that takes the form of an email address.

    It is all very, very simple.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    You could always add a quick random math question -

    what is 2 + 5?

    or mix with text equivalents;

    if I had three sweets and ate one of them how many would I have left?

    mix em up a bit and confuse the spambot? it would leave things still fairly simple/straightforward.

    It won't be perfect but should kill most of the spambots. Then you send around people with baseball bats to the people who are human spammers :p

    There are lots of php captchas available which you could also plug in to your application.


  • Registered Users, Registered Users 2 Posts: 23,641 ✭✭✭✭Elmo


    AnCatDubh wrote: »
    what is 2 + 5?

    Code currently looks like this (have not included confirmation code etc).

    [PHP]<?php
    $rad1 = rand(1, 20);
    $rad2 = rand(1, 20);
    $rad = $rad1 + $rad2;
    echo 'Please add ' . $rad1 . ' + ' . $rad2 . ' and place your answer in the text box below';
    echo '<input name="random" type="hidden" id="random" value="';
    echo $rad;
    echo '" />';
    ?>[/PHP]


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    rather than trying to re-invent the wheel, you could always use http://www.google.com/recaptcha

    has PHP plugin as well http://code.google.com/apis/recaptcha/docs/php.html

    SM


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    Elmo wrote: »
    Code currently looks like this (have not included confirmation code etc).

    [noparse]<?php
    $rad1 = rand(1, 20);
    $rad2 = rand(1, 20);
    $rad = $rad1 + $rad2;
    echo 'Please add ' . $rad1 . ' + ' . $rad2 . ' and place your answer in the text box below';
    echo '<input name="random" type="hidden" id="random" value="';
    echo $rad;
    echo '" />';
    ?>[/NOPARSE]

    If I understand correctly where you are going with this then yes, that's the gist of the start of it - assumes you have a normal form field in there too to take the user input.

    In your confirmation page script (assuming that's where you are doing your checks), how are you processing your hidden field compared to the value entered by the user?

    This is where (again assuming you are handling it in the confirmation page script) you would compare the value entered by the user or spambot to the value calculated as per your code above (in the hidden field). If you don't get a match then don't send an email / issue an appropriate response.

    Assuming the spam bot isn't clever enough to do maths you should get very little spam coming through.

    Also might be worthwhile giving real people that will use your form a break by keeping one of the rand(s) quite small - perhaps rand(1, 5) - it won't matter to the spam bot but humans will thank you for it ;) - not necessary but just a thought.
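
An added example, not code from any poster in this thread: the confirmation-page check described above, with the expected sum kept in the PHP session instead of a hidden form field, so the answer is never part of the page sent to the client, together with validation of the user-supplied From: address raised earlier in the thread. The function names, the session key `captcha_sum` and the field names `answer` and `from` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). challenge_new(), challenge_ok(),
// clean_from(), 'captcha_sum', 'answer' and 'from' are hypothetical names.
session_start();

// Form page: build the question and keep the expected sum server-side only.
function challenge_new(): string
{
    $a = random_int(1, 20);
    $b = random_int(1, 5);   // one small operand, as suggested in the thread
    $_SESSION['captcha_sum'] = $a + $b;
    return "Please add $a + $b and place your answer in the text box below";
}

// Confirmation script: compare the submitted answer with the stored sum.
function challenge_ok(array $post): bool
{
    $expected = $_SESSION['captcha_sum'] ?? null;
    unset($_SESSION['captcha_sum']);   // single use: one solved form, one email
    $given = filter_var($post['answer'] ?? '', FILTER_VALIDATE_INT);
    return $expected !== null && $given !== false && $given === $expected;
}

// The From: value is user-controlled: accept exactly one syntactically valid
// address and nothing containing CR/LF, which would start a new mail header.
function clean_from(string $from): ?string
{
    if (preg_match('/[\r\n]/', $from)) {
        return null;
    }
    $addr = filter_var(trim($from), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $from = clean_from($_POST['from'] ?? '');
    if (challenge_ok($_POST) && $from !== null) {
        // The mail() call to the fixed recipient goes here, using $from.
        echo 'Thanks, your message has been sent.';
    } else {
        echo 'Check failed, please try again.';
    }
} else {
    echo '<form method="post">', htmlspecialchars(challenge_new()),
         ' <input name="answer"> <input name="from" type="email">',
         ' <button>Send</button></form>';
}
```

Client-side required-field checks can stay for usability, but the session comparison and the address validation are the checks that decide whether mail is sent.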


  • Registered Users, Registered Users 2 Posts: 184 ✭✭Razzuh


    rather than trying to re-invent the wheel, you could always use http://www.google.com/recaptcha

    has PHP plugin as well http://code.google.com/apis/recaptcha/docs/php.html

    SM

    I know it's effective but I really hate using recaptcha. Every time I have to fill one out I know google are making me work for them for free and it irks.

    From a more objective standpoint I think they're poor for usability. There's two words and the text of the 'bad' word is often so bad you have to fill them out twice. Very time consuming.

    I'd say avoid recaptcha if you can. It depends on how likely you are to be targeted though: what the form does and what business you're in. Having an old-school limited database of questions like 'what colour is the sky?', your own maths question plan, or a number of easy image captchas might do you.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Razzuh wrote: »
    From a more objective standpoint I think they're poor for usability. There's two words and the text of the 'bad' word is often so bad you have to fill them out twice. Very time consuming.

    That's usually the 2nd word. And you can enter anything for the 2nd word anyway.


  • Registered Users, Registered Users 2 Posts: 184 ✭✭Razzuh


    That's usually the 2nd word. And you can enter anything for the 2nd word anyway.

    Oh ya that's right. I wasn't really thinking. It must be the first word I'm getting wrong so! I do have to fill them out twice often.

