----- Original Message ----- From: "Pete" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, April 12, 2007 11:22 PM Subject: [php-list] Proofing contact forms
I am about to start on a long overdue project - proofing all the contact forms across various sites against unwanted messages... note that I am not using the dreaded S* word to avoid some people's s-blockers.

The first thing is to understand the problem - how do they insert their messages? I would have thought that POSTing to the thank-you page would be the easiest method for them. So I would have thought that they would visit the email-me page, find the variable names, and save them, then POST to the thank-you page, using the variable names. Yet, I see so many CAPTCHA forms, which won't stop this method. So am I misunderstanding what the problem is?

I am not talking about hiding addresses here, I am talking about protecting PHP contact forms.

--
Pete Clark
Sunny Andalucia
http://www.hotcosta.com/comm_1.htm

-------------------------

Hi Pete,

This is what I call link spam. The object is to improve the search engine ranking of the remote site, and sometimes it's just to get your visitors to visit their site. The higher the ranking of the donor site, the greater the improvement for the target site, so they use search engine results to choose what sites to attack. They're hoping that you have something like a guest book where your site will link to them, so they look for <FORM>s to submit and pick up contact pages as well.

There are two ways this is done. One is done in real time, so the script visits your site, works out what values to submit and then does so straight away. The other way records the URL and field values into a list that can be resold.

There are several ways to deal with this. CAPTCHA elements are effective but very irritating to users. Another way is to include a checkbox that must be checked before anything will be done by the server. You can also use a session test, as these scripts go directly to the submit page and don't have an established session.

Another way is to have a hidden field that contains the time/date from the server so the script can work out how long it took to submit a form. If it took less than 5 seconds it's probably a spam script, OR more than 30 minutes it's probably a script working from a list of sites - then bounce the user back to the same form again without submitting it so that they can try again if they are a real user. Another way (but often too late) is to use a robots.txt file so that search engines don't scan contact pages or submit pages.

Thanks
Rob.
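The checks Rob lists (an established session, a checkbox that must be ticked, a server-issued hidden timestamp with a 5-second / 30-minute window, and a bounce back to the form on failure) put together in one PHP contact-form handler, as an added example that is not code from the thread or from either poster. The field names, the `contact.php` / `thankyou.php` URLs, the secret, and the HMAC signature on the hidden timestamp (which the thread does not mention; it stops a script from simply supplying a plausible timestamp of its own) are assumptions of this example.

```php
<?php
// Added example (not from the php-list thread): a contact-form handler applying
// three of the checks described in the reply: a required checkbox, an established
// session, and a server-issued hidden timestamp checked against a 5 s / 30 min window.
// Field names, URLs, the secret and the HMAC signing are assumptions of this example.

const FORM_SECRET = 'replace-with-a-long-random-secret'; // assumption: keep outside the web root in practice
const MIN_SECONDS = 5;        // faster than a human can read and fill the form
const MAX_SECONDS = 30 * 60;  // older than this looks like a replay from a stored list of sites

// Called while rendering the form: returns the hidden fields to embed.
// The timestamp is signed so a script cannot forge an acceptable value.
function contactFormHiddenFields(): string
{
    $issued = (string) time();
    $sig = hash_hmac('sha256', $issued, FORM_SECRET);
    return '<input type="hidden" name="issued" value="' . htmlspecialchars($issued, ENT_QUOTES) . '">'
         . '<input type="hidden" name="sig" value="' . htmlspecialchars($sig, ENT_QUOTES) . '">';
}

// Called by the submit page. Returns null when the submission passes, otherwise a
// short reason for the log; the caller then bounces the user back to the form.
function contactFormRejectReason(array $post, array $session, int $now): ?string
{
    // Session test: a script that POSTs straight to the submit page never loaded
    // the form, so the marker set when the form was rendered is absent.
    if (empty($session['contact_form_seen'])) {
        return 'no established session';
    }

    // Checkbox test: a blind POST of saved field names does not tick the box.
    if (($post['confirm'] ?? '') !== 'yes') {
        return 'confirmation box not ticked';
    }

    // Timestamp test: verify the signature before trusting the value at all.
    $issued = $post['issued'] ?? '';
    $sig = $post['sig'] ?? '';
    if ($issued === '' || !ctype_digit($issued)
        || !hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $sig)) {
        return 'missing or forged timestamp';
    }
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_SECONDS) {
        return 'submitted too quickly';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'form too old';
    }
    return null;
}

// Minimal glue showing how the two halves fit together on one page.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = contactFormRejectReason($_POST, $_SESSION, time());
    if ($reason !== null) {
        error_log('contact form bounced: ' . $reason); // log the reason, do not show it to the client
        header('Location: contact.php');               // assumed form URL: let a real user try again
        exit;
    }
    // ... send the message here ...
    header('Location: thankyou.php');                  // assumed thank-you URL
    exit;
}
$_SESSION['contact_form_seen'] = true;                 // set while rendering the form
echo '<form method="post" action="contact.php">'
   . contactFormHiddenFields()
   . '<label><input type="checkbox" name="confirm" value="yes"> I am a real person</label>'
   . '<textarea name="message"></textarea><button>Send</button></form>';
```

The rejection reason goes to the log rather than to the response so that a script learns nothing about which check it tripped; the user just sees the form again, as Rob suggests. The session marker only catches scripts that skip the form page, which is the case the reply describes; a script that fetches the form first will pass that check and has to be caught by the checkbox and timing tests instead.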
