Re: [WSG] More on spam traps

2012-08-22 Thread Ken Robinson
 Client side validation fails when scammers screen scrape your site and then 
directly send to your receiving script.  You really need to consider using a 
server side validation.

Ken

-Original Message-
From: coder co...@gwelanmor-internet.co.uk
Sender: li...@webstandardsgroup.org
Date: Wed, 22 Aug 2012 12:37:51 
To: wsg@webstandardsgroup.org
Reply-to: wsg@webstandardsgroup.org
Subject: [WSG] More on spam traps

Hi All,

I have recently attempted to 'trap' spammers who use autofilling tactics on the 
site at www.gwelanmor-internet.co.uk. This is written in HTML5 and uses a 
mixture of simple tests to validate the form.  However, yesterday I received a 
mail thus:

- name
  - igmgrtasel
- email
  -
- hidden
  - -9
- comments
  - CaWePF <a href="http://ipdszgwutyvp.com/">ipdszgwutyvp</a>,
    [url=http://fkpbtvpaxitv.com/]fkpbtvpaxitv[/url],
    [link=http://rtcdalwdjrkb.com/]rtcdalwdjrkb[/link], http://xsejahukjzdr.com/
- send
  - send message .

The script I used to validate the form is this:


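<script type="text/javascript">
// Runs in the browser on submit; returning false cancels the submission.
function validateForm()
  {
  var x=document.forms["contact"]["email"].value;
  var atpos=x.indexOf("@");
  var dotpos=x.lastIndexOf(".");
  // Need text before "@", text between "@" and the last ".", and 2+ characters after it.
  if (atpos<1 || dotpos<atpos+2 || dotpos+2>=x.length)
    {
    alert("This is Not a valid e-mail address");
    return false;
    }
  //
  // Honeypot: the hidden field must still be empty.
  var y=document.forms["contact"]["hidden"].value;
  if (y==null || y=="")
    {
    return true;
    }
  else
    {
    alert("I think you are a machine");
    return false;
    }
  }
<!--// -->
  // Disables the send button while the field contains "[" or "]".
  function check(node)
    {
    var re = new RegExp('[\[\\]]', 'g');
    document.getElementById('send').disabled = re.test(node.value);
    }
</script>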

and it works locally and online. However the mail I quote from above is 
completely unaffected.  Does this mean I give up trying, or what?  

Anything?

Thanks,

Bob



***
List Guidelines: http://webstandardsgroup.org/mail/guidelines.cfm
Unsubscribe: http://webstandardsgroup.org/join/unsubscribe.cfm
Help: memberh...@webstandardsgroup.org
***



Re: [WSG] More on spam traps

2012-08-22 Thread Oliver Boermans
Hi Bob,

A few points:
- The form submission was likely posted without JavaScript
- There is no point confronting a robot with the reality of its existence

Look into writing a filter on your email inbox or server that can
eliminate such messages without your intervention.

Don’t give up :)
Ollie
--
@ollicle




RE: [WSG] More on spam traps

2012-08-22 Thread Mike Kear
I think it's important to give the spammer no indication that you are onto
them.  If you give them any kind of feedback, they can use that to work a
way through your maze.  The filters I use are similar to yours on
the client side, but I also use some tests on the server side, and the
submitter sees the same result either way, even if the submission is just
discarded to the bitbucket in the sky.  They have no way to know their
submission has been discarded.

 

Cheers

Mike Kear

AFP Webworks

Windsor, NSW, Australia 

http://afpwebworks.com
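
Added example, not part of any message in this thread: the server-side check Ken recommends, combined with the same-response-either-way handling Mike describes, sketched in JavaScript for Node. The field names email, hidden and comments come from Bob's form; the function names, verdict labels and response text are assumptions.

```javascript
// Added example: server-side re-check of the rules in validateForm() and check().
// Field names "email", "hidden" and "comments" come from the posted form;
// function names, verdict labels and the response text are hypothetical.

// Same position rule as the client script: something before "@", at least
// one character between "@" and the last ".", and two or more after it.
function emailLooksValid(x) {
  if (typeof x !== 'string') return false;
  const atpos = x.indexOf('@');
  const dotpos = x.lastIndexOf('.');
  return !(atpos < 1 || dotpos < atpos + 2 || dotpos + 2 >= x.length);
}

// Same characters the client-side check() looks for: "[" or "]".
const BRACKETS = /[\[\]]/;

function classify(fields) {
  const hidden = fields.hidden == null ? '' : String(fields.hidden);
  if (hidden !== '') return 'honeypot-filled';
  if (!emailLooksValid(fields.email)) return 'bad-email';
  if (BRACKETS.test(String(fields.comments || ''))) return 'brackets';
  return 'ok';
}

// The caller sends `response` to every submitter unchanged; only `deliver`
// decides whether the message is mailed on or silently dropped.
function handleSubmission(fields) {
  const verdict = classify(fields);
  return {
    deliver: verdict === 'ok',
    verdict, // for the server log only, never sent to the client
    response: { status: 200, body: 'Thank you, your message has been sent.' },
  };
}

// Constructed samples: one modelled on the mail quoted in the thread, one ordinary.
const spam = { name: 'igmgrtasel', email: '', hidden: '-9',
  comments: '[url=http://fkpbtvpaxitv.com/]fkpbtvpaxitv[/url]', send: 'send message' };
const human = { name: 'Alice', email: 'alice@example.org', hidden: '',
  comments: 'Please call me about hosting.', send: 'send message' };

console.log(handleSubmission(spam).verdict, handleSubmission(human).verdict);
```

Because these checks run on the receiving script, a submission posted directly to it without loading the page or running its JavaScript is still tested.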

 

 

 

 


Re: [WSG] More on spam traps

2012-08-22 Thread MJ Ray
Mike Kear wrote:
> I think it's important to give the spammer no indication that you are onto
> them.  If you give them any kind of feedback, they can use that to work a
> way through your maze.  The filters I use are similar to yours on
> the client side, but I also use some tests on the server side, and the
> submitter sees the same result either way, even if the submission is just
> discarded to the bitbucket in the sky.  They have no way to know their
> submission has been discarded.

That's awfully public-spirited of you, as it makes the spammer slower
to move on to attacking another website, but it can get expensive.  If
some spammers think they are being successful, they will absolutely
hammer your server and that could burn your data transfer allowance,
or even overload your server if the tests aren't written carefully.

Let them submit a few forms and then 302 redirect them to
something like http://spam-ip.com/honeypot.php perhaps.

Thanks,
-- 
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
http://koha-community.org supporter, web and library systems developer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire (including development) at http://www.software.coop/

