Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-19 Thread Richard Heyes

> > > Or even a simple text CAPTCHA "What is 16 divided by 4?".
> >
> > Careful though, I made a class which converted numbers to text
> > (TextualNumbers IIRC) and it got broken.
>
> Almost any CAPTCHA can be broken if somebody wants it badly enough.
>
> Some are easier than others, of course.
>
> But you get rid of a LOT of bottom-feeders with a CAPTCHA.
>
> CAPTCHA has serious usability drawbacks, however.
>
> I would suggest NOT going for something really hard for a human to use
> -- I believe that it won't make THAT much difference to the number of
> junk eliminated.


When I introduced a CAPTCHA on my blog (http://www.phpguru.org) site it 
reduced comment spam by nearly 100%. Not completely; I still get maybe 1 
per month, but it was well worth adding.


--
Richard Heyes
http://www.websupportsolutions.co.uk

Knowledge Base and Helpdesk software that eases your support
burden and helps increase your sales.

** NOW OFFERING FREE ACCOUNTS TO CHARITIES AND NON-PROFITS **

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Javier Huerta
I am wondering if there is a way to block out email addresses in specific 
format from a form?  We have a form that people have to enter an email 
address, and the form has been getting used by bots to send spam to a 
listserv.  The email address they enter is in this type of format 
[EMAIL PROTECTED], and of course it is always just a bit different every 
time.  Any help is greatly appreciated. 




Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Per Jessen
Richard Heyes wrote:

> > I am wondering if there is a way to block out email addresses in
> > specific format from a form?  We have a form that people have to enter
> > an email address, and the form has been getting used by bots to send
> > spam to a listserv.  The email address they enter is in this type of
> > format [EMAIL PROTECTED], and of course it is always just a bit
> > different every time.  Any help is greatly appreciated.
>
> Could add a CAPTCHA image ("Type the letters in the image...") to your
> form. It eliminated comment junk when I added one to my website.

Or even a simple text CAPTCHA "What is 16 divided by 4?".


/Per Jessen, Zürich




Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Richard Heyes
> I am wondering if there is a way to block out email addresses in specific
> format from a form?  We have a form that people have to enter an email
> address, and the form has been getting used by bots to send spam to a
> listserv.  The email address they enter is in this type of format
> [EMAIL PROTECTED], and of course it is always just a bit different every
> time.  Any help is greatly appreciated.


Could add a CAPTCHA image ("Type the letters in the image...") to your 
form. It eliminated comment junk when I added one to my website.





Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Javier Huerta
The bad thing about using only registered users is that we have this form 
set in our Smart classrooms to give us feedback about any issues they 
encountered while using the AV equipment.  We have to keep the form open to 
non-university users.  When I implemented the Captcha code, I thought that 
it would take care of this problem.  Basically it looks as though someone is 
entering the data manually.



Stephen [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Javier Huerta wrote:
 I am wondering if there is a way to block out email addresses in specific 
 format from a form?  We have a form that people have to enter an email 
 address, and the form has been getting used by bots to send spam to a 
 listserv.  The email address they enter is in this type of format 
 [EMAIL PROTECTED], and of course it is always just a bit different 
 every time.  Any help is greatly appreciated.

 Have a registration process and only allow registered users to send email 
 to the list.

 Stephen 




Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Wolf

 Eric Butera [EMAIL PROTECTED] wrote: 
 On Jan 18, 2008 9:50 AM, Javier Huerta [EMAIL PROTECTED] wrote:
  I am wondering if there is a way to block out email addresses in specific
  format from a form?  We have a form that people have to enter an email
  address, and the form has been getting used by bots to send spam to a
  listserv.  The email address they enter is in this type of format
  [EMAIL PROTECTED], and of course it is always just a bit different every
  time.  Any help is greatly appreciated.
 
 
 
 
 Hi Javier!
 
 At my work we had tons of issues with spam bots randomly hitting our
 contact forms.  They would inject all sorts of random garbage along
 with the standard email header injection attempts to try and send mass
 mails through the forms.
 
 We've worked on a standardized form processing script that has some
 basic ideas implemented that has cut down on 99% of the spam in our
 forms yet also does _not_ use any horrible CAPTCHA crap.  If you use
 one of those you're basically saying you hate your users and want to
 make them miserable.
 
 Here are a few of the ideas we use:
 
 - Require a user enter an email address and then validate this address
 using PEAR::Validate::email() with the true parameter to resolve host
 names.  That would always require at least a valid domain name.
 
 - Filter all the fields against a set of invalid keywords.  Also make
 this set of keywords extendable on a per site basis because some sites
 get hit with different keywords.  Here is a set you can start with
 array('to:','from:','cc:','bcc:','href=','url=')
 
 - Trick the bots.  I noticed lots of form spam scripts will use some
 sort of regex to find all form fields and then inject them with any
 value that they want.  Just because your form uses a select dropdown
 or hidden field doesn't mean that is what you're going to get back.
 Most of these things in my experience are automated so they just do a
 mass search for name=.  I use this to my advantage by doing two
 things.  First I have a commented out field that if it is submitted I
 fail the post.  Then I also have a hidden field that has a constant
 value that must remain the same.  If this value is changed (only a
 spammer would do it since it's hidden) fail the post.
 
 - Add a configurable option to ignore posts that contain the domain
 name in them.  Lots of these bots will send out a test that uses
 random@the current domain of the site as a test.  I usually enable
 this feature after the client has tested their form and are happy with
 it.
 
 Make sure that if any of these conditions fail you show the form back
 to the user with a helpful error message.  This way if a real user
 accidentally triggers any of the security measures you can let them know
 how to fix it, such as removing href= from input fields.
 
 Good luck!
 


Those are pretty sweet suggestions there Eric, I hadn't thought about the 
constant field or the commented on to check on.  :)

Thanks for sharing!!

Wolf




Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Richard Heyes

> Or even a simple text CAPTCHA "What is 16 divided by 4?".


Careful though, I made a class which converted numbers to text 
(TextualNumbers IIRC) and it got broken.





Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Eric Butera
On Jan 18, 2008 9:50 AM, Javier Huerta [EMAIL PROTECTED] wrote:
 I am wondering if there is a way to block out email addresses in specific
 format from a form?  We have a form that people have to enter an email
 address, and the form has been getting used by bots to send spam to a
 listserv.  The email address they enter is in this type of format
 [EMAIL PROTECTED], and of course it is always just a bit different every
 time.  Any help is greatly appreciated.




Hi Javier!

At my work we had tons of issues with spam bots randomly hitting our
contact forms.  They would inject all sorts of random garbage along
with the standard email header injection attempts to try and send mass
mails through the forms.

We've worked on a standardized form processing script that has some
basic ideas implemented that has cut down on 99% of the spam in our
forms yet also does _not_ use any horrible CAPTCHA crap.  If you use
one of those you're basically saying you hate your users and want to
make them miserable.

Here are a few of the ideas we use:

- Require a user enter an email address and then validate this address
using PEAR::Validate::email() with the true parameter to resolve host
names.  That would always require at least a valid domain name.

- Filter all the fields against a set of invalid keywords.  Also make
this set of keywords extendable on a per site basis because some sites
get hit with different keywords.  Here is a set you can start with
array('to:','from:','cc:','bcc:','href=','url=')

- Trick the bots.  I noticed lots of form spam scripts will use some
sort of regex to find all form fields and then inject them with any
value that they want.  Just because your form uses a select dropdown
or hidden field doesn't mean that is what you're going to get back.
Most of these things in my experience are automated so they just do a
mass search for name=.  I use this to my advantage by doing two
things.  First I have a commented out field that if it is submitted I
fail the post.  Then I also have a hidden field that has a constant
value that must remain the same.  If this value is changed (only a
spammer would do it since it's hidden) fail the post.

- Add a configurable option to ignore posts that contain the domain
name in them.  Lots of these bots will send out a test that uses
random@the current domain of the site as a test.  I usually enable
this feature after the client has tested their form and are happy with
it.

Make sure that if any of these conditions fail you show the form back
to the user with a helpful error message.  This way if a real user
accidentally triggers any of the security measures you can let them know
how to fix it, such as removing href= from input fields.

Good luck!

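The checks Eric lists above, put together into one form handler. This is an
added example written for this page, not Eric's script and not anything
from the PHP project. It assumes a form with fields named email, message
and form_id (a hidden input carrying the constant av-feedback-v1), plus a
honeypot input named url that sits inside an HTML comment, so a browser
never sends it and only a bot that grabs every name= will. The DNS lookup
that PEAR Validate::email($addr, true) performs is replaced here with
checkdnsrr() on the address's domain, and is injectable so the sample run
below works offline. The header injection it guards against is the classic
one: an address containing a CR/LF followed by "Bcc:" lands in the From:
header passed to mail() and turns the feedback form into a relay.

```php
<?php
// Added example, not code from the thread. Field names, the constant and
// the site domain are assumptions for illustration.
declare(strict_types=1);

// Tokens that only turn up when someone is smuggling extra mail headers
// or links through a text field. Extend per site, as Eric suggests.
const SPAM_TOKENS = ['to:', 'from:', 'cc:', 'bcc:', 'href=', 'url=',
                     'content-type:', 'mime-version:'];

// Value the hidden field must carry back unchanged; a bot that rewrites
// every name= field it finds will clobber it.
const FORM_CONSTANT = 'av-feedback-v1';

/**
 * Validate one submission. Returns a list of human-readable errors for
 * redisplay with the form; an empty list means the post passed.
 * $resolveDns stands in for the PEAR host check and is injectable.
 */
function checkSubmission(array $post, string $siteDomain,
                         bool $rejectOwnDomain = true,
                         ?callable $resolveDns = null): array
{
    $errors = [];
    $resolveDns = $resolveDns ?? function (string $domain): bool {
        // Require the domain to have an MX or at least an A record.
        return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
    };

    // 1. Honeypot: the 'url' field exists only inside an HTML comment in
    //    the form, so any value at all means an automated post.
    if (isset($post['url']) && $post['url'] !== '') {
        $errors[] = 'Unexpected field submitted.';
    }

    // 2. The hidden constant must round-trip unchanged.
    if (($post['form_id'] ?? '') !== FORM_CONSTANT) {
        $errors[] = 'Form token mismatch; please reload the page and resubmit.';
    }

    // 3. Email must be syntactically valid and its domain must resolve.
    //    Rejecting CR/LF here also kills injection via the From: line.
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'Please enter a valid email address.';
    } else {
        $domain = substr($email, strrpos($email, '@') + 1);
        if (!$resolveDns($domain)) {
            $errors[] = "The domain '$domain' does not accept mail.";
        } elseif ($rejectOwnDomain && strcasecmp($domain, $siteDomain) === 0) {
            // Bots commonly probe with random@<this site>; enable once the
            // client has finished testing the form.
            $errors[] = "Please use your own email address, not one at $siteDomain.";
        }
    }

    // 4. Keyword filter across every text field.
    foreach ($post as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $lower = strtolower($value);
        foreach (SPAM_TOKENS as $token) {
            if (strpos($lower, $token) !== false) {
                $errors[] = "Field '$name' may not contain '$token'.";
                break;
            }
        }
    }

    return $errors;
}

/** Only reached after checkSubmission() returned no errors. */
function sendFeedback(string $listAddress, array $post): bool
{
    // From: and Reply-To: are built only from the validated address; the
    // message body is free text and cannot reach the header block.
    $headers = 'From: ' . $post['email'] . "\r\n"
             . 'Reply-To: ' . $post['email'] . "\r\n";
    return mail($listAddress, 'AV feedback', (string)$post['message'], $headers);
}

// --- constructed sample submissions; the DNS check is stubbed out ---
$alwaysResolves = fn(string $d): bool => true;

$genuine = ['email' => 'student@example.org',
            'message' => 'Projector in room 3 is dark.',
            'form_id' => FORM_CONSTANT];
$bot     = ['email' => "x@example.org\r\nBcc: victim@example.net",
            'message' => 'Buy now <a href=http://spam.example>cheap</a>',
            'url' => 'http://spam.example', 'form_id' => 'http://spam.example'];

var_dump(checkSubmission($genuine, 'example.edu', true, $alwaysResolves) === []);
print_r(checkSubmission($bot, 'example.edu', true, $alwaysResolves));
```

The genuine post comes back with no errors; the bot post fails on all four
checks at once (honeypot filled, constant overwritten, CR/LF in the address,
"bcc:" and "href=" in the fields), and each failure is a message the form can
show to a human who tripped it by accident.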



Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Silvio Porcellana

Javier Huerta wrote:
I am wondering if there is a way to block out email addresses in specific 
format from a form?  We have a form that people have to enter an email 
address, and the form has been getting used by bots to send spam to a 
listserv.  The email address they enter is in this type of format 
[EMAIL PROTECTED], and of course it is always just a bit different every 
time.  Any help is greatly appreciated. 



http://en.wikipedia.org/wiki/Captcha

HTH, cheers!
Silvio




Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Javier Huerta

 Hi Javier!

 At my work we had tons of issues with spam bots randomly hitting our
 contact forms.  They would inject all sorts of random garbage along
 with the standard email header injection attempts to try and send mass
 mails through the forms.

 We've worked on a standardized form processing script that has some
 basic ideas implemented that has cut down on 99% of the spam in our
 forms yet also does _not_ use any horrible CAPTCHA crap.  If you use
 one of those you're basically saying you hate your users and want to
 make them miserable.

 Here are a few of the ideas we use:

 - Require a user enter an email address and then validate this address
 using PEAR::Validate::email() with the true parameter to resolve host
 names.  That would always require at least a valid domain name.

 - Filter all the fields against a set of invalid keywords.  Also make
 this set of keywords extendable on a per site basis because some sites
 get hit with different keywords.  Here is a set you can start with
 array('to:','from:','cc:','bcc:','href=','url=')

 - Trick the bots.  I noticed lots of form spam scripts will use some
 sort of regex to find all form fields and then inject them with any
 value that they want.  Just because your form uses a select dropdown
 or hidden field doesn't mean that is what you're going to get back.
 Most of these things in my experience are automated so they just do a
 mass search for name=.  I use this to my advantage by doing two
 things.  First I have a commented out field that if it is submitted I
 fail the post.  Then I also have a hidden field that has a constant
 value that must remain the same.  If this value is changed (only a
 spammer would do it since it's hidden) fail the post.

 - Add a configurable option to ignore posts that contain the domain
 name in them.  Lots of these bots will send out a test that uses
 random@the current domain of the site as a test.  I usually enable
 this feature after the client has tested their form and are happy with
 it.

 Make sure that if any of these conditions fail you show the form back
 to the user with a helpful error message.  This way if a real user
 accidentally triggers any of the security measures you can let them know
 how to fix it, such as removing href= from input fields.

 Good luck!

Thanks again for the suggestions Eric and everyone else.  One of my 
colleagues, who is more PHP savvy than I, agreed to help me work on this 
using all of your suggestions.

I am now quite confident that we will be able to conquer our spam problem.

Javier 




RE: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Andrés Robinet
 -Original Message-
 From: Andrew Ballard [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 18, 2008 6:10 PM
 To: PHP General list
 Subject: Re: [PHP] Question About Blocking Email Addresses in Forms
 
 On Jan 18, 2008 10:18 AM, Richard Heyes [EMAIL PROTECTED] wrote:
   I am wondering if there is a way to block out email addresses in
 specific
   format from a form?  We have a form that people have to enter an
 email
   address, and the form has been getting used by bots to send spam to
 a
   listserv.  The email address they enter is in this type of format
   [EMAIL PROTECTED], and of course it is always just a bit
 different every
   time.  Any help is greatly appreciated.
 
  Could add a CAPTCHA image (Type the letters in the image...) to
 your
  form. It eliminated comment junk when I added one to my website.
 
 
 Depending on what it is for, make sure if you use CAPTCHA that you
 provide an accessible alternative, as I'm sure NU would hate to run
 afoul of the ADA.
 
 Andrew
 

It depends on your target, that's for sure. I made up a list of things you can 
do when you are in this kind of trouble. It's a small summary. I think you can't 
live without 1 and 2 most of the time, and especially for contact forms (you are 
free to disagree):

1 - Simple CAPTCHA (audio support if it's difficult for people with visual 
disease - if you target them as well)

2 - Email validation REGEX (well, validation to all extents, not only email)

3 - Some/All of the hidden fields techniques (to prevent automated bots not 
launched directly to you, but scanning the whole web - which are usually the 
most powerful and nasty ones)

4 - PHP IP/Session blacklisting (for example, fail the captcha 3 times and you 
have to wait 10 seconds)

5 - Some mod_security rules for when 1 and/or 2 fail. I don't like mod_security 
(you have to be careful on the ruleset to keep your server load low and avoid 
breaking some apps like phpMyAdmin), but sometimes you may need it (especially 
if you deal with code not written by you).

6 - mod_throttle or similar when it starts becoming more of a DOS/DDOS attack 
(anybody sharing experience on this?).

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | 
TEL 954-607-4207 | FAX 954-337-2695
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE: bestplace |  
Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

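Items 1 and 4 of Rob's list, and Per's "What is 16 divided by 4?" idea,
worked through in code. This is an added example for this page, not code
from any poster. It keeps the expected answer on the server only (the form
never carries it), makes each question single-use, and after three wrong
answers refuses further attempts for ten seconds. The $state array stands in
for $_SESSION so the walk-through runs from the command line; the constants
and the session key names are assumptions. Blacklisting by IP rather than
by session works the same way with the counters keyed on
$_SERVER['REMOTE_ADDR'] in a shared store.

```php
<?php
// Added example, not from the thread. Thresholds and key names are
// assumptions chosen to match the "fail 3 times, wait 10 seconds" rule.
declare(strict_types=1);

const CAPTCHA_MAX_FAILURES = 3;   // failures before the wait kicks in
const CAPTCHA_LOCKOUT_SECS = 10;  // wait imposed after that many failures

/** Build a fresh question; store only the answer server-side. */
function newCaptcha(array &$state): string
{
    // Small numbers and unambiguous operations: this is a cheap barrier
    // for dumb bots, not an unbreakable test.
    $a = random_int(2, 12);
    $b = random_int(2, 12);
    switch (random_int(0, 2)) {
        case 0:
            $q = "What is $a plus $b?";
            $answer = $a + $b;
            break;
        case 1:
            $q = "What is $a times $b?";
            $answer = $a * $b;
            break;
        default:
            $product = $a * $b;  // guarantees an integer result
            $q = "What is $product divided by $a?";
            $answer = $b;
    }
    $state['captcha_answer'] = (string)$answer;
    return $q;
}

/**
 * Check a submitted answer. Returns null on success, otherwise an error
 * message to show with the form. $now is injectable so the lockout can
 * be exercised without sleeping.
 */
function verifyCaptcha(array &$state, string $given, ?int $now = null): ?string
{
    $now = $now ?? time();

    // Lockout: too many recent failures means wait before trying again.
    $failures = $state['captcha_failures'] ?? 0;
    $lastFail = $state['captcha_last_fail'] ?? 0;
    if ($failures >= CAPTCHA_MAX_FAILURES
        && $now - $lastFail < CAPTCHA_LOCKOUT_SECS) {
        $wait = CAPTCHA_LOCKOUT_SECS - ($now - $lastFail);
        return "Too many wrong answers; wait $wait seconds and try again.";
    }

    $expected = $state['captcha_answer'] ?? null;
    unset($state['captcha_answer']);      // single use: one answer, one post
    $given = trim($given);

    if ($expected === null || !hash_equals($expected, $given)) {
        $state['captcha_failures'] = $failures + 1;
        $state['captcha_last_fail'] = $now;
        return 'The answer to the question was wrong; please try again.';
    }

    $state['captcha_failures'] = 0;       // success resets the counter
    return null;
}

// --- constructed walk-through ---
$session = [];
echo newCaptcha($session), "\n";

// A genuine user answering correctly. The stored answer is read here only
// to play the human; the HTML form never sees it.
var_dump(verifyCaptcha($session, $session['captcha_answer']) === null);

// A bot guessing "0" three times at t=1000 (never a valid answer), then
// being told to wait even though it now answers correctly.
for ($i = 0; $i < 3; $i++) {
    newCaptcha($session);
    verifyCaptcha($session, '0', 1000);
}
newCaptcha($session);
echo verifyCaptcha($session, $session['captcha_answer'], 1002), "\n";
// After the lockout has elapsed the same answer is accepted.
var_dump(verifyCaptcha($session, $session['captcha_answer'], 1011) === null);
```

The run prints a question, bool(true), the "wait 8 seconds" message, and
bool(true) again. Note that the lockout check runs before the answer is
consumed, so a locked-out client does not burn its pending question; Rob's
mod_security and mod_throttle items sit in front of all of this at the web
server and are not shown here.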



Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Richard Lynch
On Fri, January 18, 2008 8:50 am, Javier Huerta wrote:
 I am wondering if there is a way to block out email addresses in
 specific
 format from a form?  We have a form that people have to enter an email
 address, and the form has been getting used by bots to send spam to a
 listserv.  The email address they enter is in this type of format
 [EMAIL PROTECTED], and of course it is always just a bit different
 every
 time.  Any help is greatly appreciated.

You should limit posting to subscribers, and force subscribers to
confirm that they received an email at their address before finalizing
their subscription to the list.

That will eliminate 99.999% of this stuff.

Trying to determine which emails are forgeries without messing up a
real user would be impossible, literally, and consume resources for
the rest of your life...  NU has better things for you to do! :-)

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

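The confirmed-subscription flow Richard describes, as an added example
written for this page (not Richard's code and not any list manager's).
Anyone may ask to subscribe, but only whoever can read the mailbox receives
the random confirmation token, and the posting form accepts mail only from
addresses that have completed that step. Subscribers and pending tokens live
in arrays here (a database table in practice), and the mail transport is a
callable so the walk-through runs without an MTA; the class name, the
24-hour validity window and the confirmation URL are assumptions.

```php
<?php
// Added example, not from the thread. Storage is in-memory and the mailer
// is injected so this runs stand-alone; names and TTL are assumptions.
declare(strict_types=1);

const CONFIRM_TTL_SECS = 24 * 3600;

final class ListMembership
{
    /** @var array<string,true> confirmed addresses, lower-cased */
    private array $subscribers = [];
    /** @var array<string,array{email:string,expires:int}> pending, keyed by token */
    private array $pending = [];
    /** @var callable function(string $to, string $subject, string $body): void */
    private $sendMail;

    public function __construct(callable $sendMail)
    {
        $this->sendMail = $sendMail;
    }

    /** Step 1: anyone may request; only the mailbox owner can finish. */
    public function requestSubscription(string $email, string $confirmUrl,
                                        ?int $now = null): bool
    {
        $email = strtolower(trim($email));
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            return false;
        }
        // 128 random bits: possession of the token proves the link was
        // read from the inbox, which is the whole point of the exercise.
        $token = bin2hex(random_bytes(16));
        $this->pending[$token] = [
            'email'   => $email,
            'expires' => ($now ?? time()) + CONFIRM_TTL_SECS,
        ];
        ($this->sendMail)(
            $email,
            'Confirm your subscription',
            "Visit $confirmUrl?token=$token within 24 hours to confirm.\n"
            . "If you did not request this, ignore this message."
        );
        return true;
    }

    /** Step 2: the link from the mailbox activates the address. */
    public function confirm(string $token, ?int $now = null): bool
    {
        $entry = $this->pending[$token] ?? null;
        unset($this->pending[$token]);   // one shot, whether it succeeds or not
        if ($entry === null || $entry['expires'] < ($now ?? time())) {
            return false;
        }
        $this->subscribers[$entry['email']] = true;
        return true;
    }

    /** The gate the posting form enforces before relaying anything. */
    public function mayPost(string $email): bool
    {
        return isset($this->subscribers[strtolower(trim($email))]);
    }
}

// --- constructed walk-through with a capturing mailer in place of mail() ---
$outbox = [];
$list = new ListMembership(function (string $to, string $subject, string $body) use (&$outbox) {
    $outbox[] = ['to' => $to, 'subject' => $subject, 'body' => $body];
});
$confirmUrl = 'https://lists.example.edu/confirm';

$list->requestSubscription('Alice@example.org', $confirmUrl, 1000);
preg_match('/token=([0-9a-f]{32})/', $outbox[0]['body'], $m);
var_dump($list->mayPost('alice@example.org'));        // false: not confirmed yet
var_dump($list->confirm('deadbeef', 1001));           // false: forged or unknown token
var_dump($list->confirm($m[1], 1001));                // true: link from the inbox
var_dump($list->mayPost('alice@example.org'));        // true: posting now allowed

// A link that sat unread for more than a day no longer works.
$list->requestSubscription('bob@example.org', $confirmUrl, 1000);
preg_match('/token=([0-9a-f]{32})/', $outbox[1]['body'], $m);
var_dump($list->confirm($m[1], 1000 + CONFIRM_TTL_SECS + 1)); // false: expired
```

The form handler then calls mayPost() on the submitted address and refuses
anything else, which is what makes the bot's ever-changing addresses
irrelevant: none of them has ever clicked a confirmation link.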



Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Stephen

Javier Huerta wrote:
I am wondering if there is a way to block out email addresses in specific 
format from a form?  We have a form that people have to enter an email 
address, and the form has been getting used by bots to send spam to a 
listserv.  The email address they enter is in this type of format 
[EMAIL PROTECTED], and of course it is always just a bit different every 
time.  Any help is greatly appreciated. 


Have a registration process and only allow registered users to send 
email to the list.


Stephen




Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Richard Lynch
On Fri, January 18, 2008 9:31 am, Richard Heyes wrote:
> > Or even a simple text CAPTCHA "What is 16 divided by 4?".
>
> Careful though, I made a class which converted numbers to text
> (TextualNumbers IIRC) and it got broken.

Almost any CAPTCHA can be broken if somebody wants it badly enough.

Some are easier than others, of course.

But you get rid of a LOT of bottom-feeders with a CAPTCHA.

CAPTCHA has serious usability drawbacks, however.

I would suggest NOT going for something really hard for a human to use
-- I believe that it won't make THAT much difference to the number of
junk eliminated.




Re: [PHP] Question About Blocking Email Addresses in Forms

2008-01-18 Thread Andrew Ballard
On Jan 18, 2008 10:18 AM, Richard Heyes [EMAIL PROTECTED] wrote:
  I am wondering if there is a way to block out email addresses in specific
  format from a form?  We have a form that people have to enter an email
  address, and the form has been getting used by bots to send spam to a
  listserv.  The email address they enter is in this type of format
  [EMAIL PROTECTED], and of course it is always just a bit different every
  time.  Any help is greatly appreciated.

 Could add a CAPTCHA image (Type the letters in the image...) to your
 form. It eliminated comment junk when I added one to my website.


Depending on what it is for, make sure if you use CAPTCHA that you
provide an accessible alternative, as I'm sure NU would hate to run
afoul of the ADA.

Andrew
