I am still getting spam mail on my detailed contact form, which is in PHP with a captcha. It has worked up until now. Any advice or recommendations on a very secure script? At least there are no HTML links in the form for now. I just turned the form off for now. It is a form for real estate, so there isn't a huge hurry in this real estate market.
Or do a custom test, i.e. add a table in your database of questions with answers which only humans would know. What is 7 + 11? You could vary the input names and the text to make it near impossible for any standard bot to get through. The key is uniqueness: if you make something unique then any generic bots won't get through, and unless someone really wants to spam your site they won't mod it for just one site. You could even just have a field asking how many noses we have and the bots still wouldn't get through.
Other options are to measure the length of time for the submission and reject any that are too quick given the length of the form. Include a client-side JavaScript calculation the browser does in the background, as most bots can't run JavaScript. Check the number of times an IP has submitted a form.
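The two server-side ideas above, a random human-only question with varying input names and a minimum fill time, put together as an added example (this is not code from the thread; the question bank is constructed inline instead of coming from a database table, and the field names and time limits are assumptions):

```php
<?php
// Added example (not from the thread): a server-side "human question" check
// plus a minimum-fill-time check for a PHP contact form.
// Assumes PHP sessions are available. The question bank is constructed here
// rather than loaded from a database table as the post suggests.
session_start();

// Constructed question bank: prompt => list of accepted answers (lower-case).
$questions = [
    'What is 7 + 11?'                        => ['18', 'eighteen'],
    'How many noses does a person have?'     => ['1', 'one'],
    'What colour is the sky on a clear day?' => ['blue'],
];

// Call when rendering the form: picks a question, remembers the accepted
// answers and the render time in the session, and returns the field HTML.
function render_challenge(array $questions): string
{
    $prompts = array_keys($questions);
    $prompt  = $prompts[random_int(0, count($prompts) - 1)];
    // Randomise the input name too, so a bot cannot hard-code it.
    $field = 'q_' . bin2hex(random_bytes(4));
    $_SESSION['challenge'] = [
        'field'    => $field,
        'answers'  => $questions[$prompt],
        'rendered' => time(),
    ];
    return sprintf(
        '<label>%s <input type="text" name="%s" autocomplete="off"></label>',
        htmlspecialchars($prompt, ENT_QUOTES, 'UTF-8'),
        $field
    );
}

// Call on POST: returns null when the submission looks human, otherwise the
// reason it was rejected (for your log; show the user a generic message).
function check_challenge(array $post, int $minSeconds = 5, int $maxSeconds = 3600): ?string
{
    $c = $_SESSION['challenge'] ?? null;
    unset($_SESSION['challenge']);           // one attempt per rendered form
    if ($c === null) {
        return 'no challenge in session';
    }
    $elapsed = time() - $c['rendered'];
    if ($elapsed < $minSeconds) {
        return "submitted too fast ({$elapsed}s)";
    }
    if ($elapsed > $maxSeconds) {
        return 'challenge expired';
    }
    $given = strtolower(trim((string)($post[$c['field']] ?? '')));
    if (!in_array($given, $c['answers'], true)) {
        return 'wrong answer';
    }
    return null;
}

// Usage sketch: reject and log, or fall through to sending the mail.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = check_challenge($_POST);
    if ($reason !== null) {
        error_log('contact form rejected: ' . $reason);
        http_response_code(400);
        exit('Sorry, the form could not be submitted. Please go back and try again.');
    }
    // ... build and send the mail here ...
} else {
    echo '<form method="post">', render_challenge($questions), '<button>Send</button></form>';
}
```

Because the answer lives in the session and the input name changes on every render, a bot has to fetch the form, parse the question and answer it within the time window; storing the render time server-side also means the "too fast" check cannot be bypassed by editing a hidden timestamp in the form.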
I heard they turn JavaScript off to get around that validation. Spam is just simply the biggest timewaster there is. Unfortunately, I do not know how to write PHP program code, but I can insert code into a PHP script if someone would kindly help me. I like & prefer the random questions such as "what is 7 + 11" or "what color is USA money". Thanks in advance.
That is the very idea of the JavaScript validation: if JavaScript is turned off (or, more accurately, the majority of bots cannot support JavaScript) then it fails validation because it doesn't submit the calculation back. Think of it as the 7+11 but done by the browser rather than the individual. Anyhow, we use .NET not PHP so cannot give samples.
I can modify your form. I've created a simple system for a phpBB board that has detected spammers with 100% accuracy so far, and I've also applied this to a form on a separate website. On the form, which is the same as your case, it has stopped MOST of the spam. I have had to add one or two conditions (such as, if the message contains 'viagra' and 'href') to maintain 100% detection. Even without this, I've cut down massively on spam. The great thing is that you won't really need to bother with a captcha image if this modification is in place. You could keep it on, but it's unnecessary. You can check my phpBB thread: http://forums.digitalpoint.com/showthread.php?t=458946 And I'll modify your form (I understand it's a plain form, not phpBB) for $20 if you're interested. It's important to me that you don't publicize the detection, because if it becomes mainstream, bots may be able to detect it. Let me know if you're interested. I'm keen to test this on a multitude of sites. In the past three days the standard form has blocked 57 spam attempts, all logged and all definitely spam.
You should use something more creative and custom, maybe something like: "What comes after the number 45?" or "What galaxy are we in?" Or some kind of riddle?
Remember that the more difficult you make it for robots to post, the more difficult you make it for humans to post too. With the above example I would say a fairly large number of people will not know that we are in the Milky Way. Now, if you want it to be a bot and idiot filter, fine; if not, then you need to be realistic about the balance between preventing spam and user experience.
That's the good thing about my solution. Humans do not even see it. They don't even have to fill out a CAPTCHA any more. Here's a dump of my bot log: http://scriptman.pastebin.com/f200a2b21 Note how no real users have been caught.
Here is a pretty secure captcha... at least until the bots start reading animated GIFs, which is not happening right now. The problem with flat pictures is they can be broken: OCR tools look pixel by pixel and try to match a pattern. To break an animated GIF captcha, they would have to read images across a random number of frames. Hope this helps.
How would I implement this into a PHP script, and is it effective?

    # Perl, not PHP: a hash of regex pattern => message shown when the pattern matches
    my %disallowed_text = (
        "[Hh][Tt][Tt][Pp]|[Hh][Tt][Mm][Ll]|[Ww][Ww][Ww]", "Please remove links from your message to continue.",
    );
Something like

    $isValid = true;
    // stripos() returns 0 when the match is at the very start of the text, and 0 != false is false,
    // so the comparison has to be !== false or a message that begins with a link slips through.
    if (stripos($text, "http://") !== false || stripos($text, "https://") !== false) {
        $isValid = false;
        echo "Please remove links from your message to continue.";
    }

Code (markup):
Try this:

    $inputs = array( $first_name, $last_name, $email, $subject, $message );
    $bad_inputs = array( 'Content-Type:', 'MIME-Version', 'Content-Transfer-Encoding', 'bcc:' ); // Invalid strings
    // Check bad request and ban
    foreach ( $inputs as $input ) {
        foreach ( $bad_inputs as $bad_input ) {
            if ( stristr( $input, $bad_input ) ) {
                ban_ip( $ip ); // ban_ip() and $ip are defined elsewhere in the site's own code
                header( 'Location: /banned/' );
                exit; // stop here, otherwise the rest of the script (and the mail) still runs after the redirect
            } // if
        } // foreach
    } // foreach

Code (php):

Bans anyone that tries to send alternative header information. Might also get the odd normal person by mistake, but it's unlikely. I combine this with a captcha image for full effect. Also, you can ban the IPs I've already banned using this, since I had the same problem, by getting in touch with me here: http://www.coffeesh0p.com/contact/ ( <-- the actual form that code is from )
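The link check from the Perl hash and the PHP snippet above, and the header-name check from this post, combined into one validation function as an added example (not code from any poster here). The field names and the log destination are assumptions. It also does the check that actually closes the mail header injection hole: a value that goes into a mail header (name, email, subject) must not contain a carriage return or line feed, whatever header name the spammer tries to smuggle in.

```php
<?php
// Added example (not code from the thread): validation for a PHP contact
// form that rejects mail-header injection and link-bearing messages.
// Field names (first_name, last_name, email, subject, message) are assumptions.

// Fields that end up in mail headers must never contain CR or LF: that is the
// real injection vector, regardless of which header name is appended after it.
// The header-name list mirrors the post above as a second, looser signal.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1
        || preg_match('/\b(content-type|mime-version|content-transfer-encoding|bcc)\s*:/i', $value) === 1;
}

// Case-insensitive link detection, covering the http/www patterns from the
// Perl hash and the "href" condition mentioned earlier in the thread.
// (The Perl pattern's bare "html" alternative would also match the word
// "HTML" in a normal message, so it is left out here.)
function contains_link(string $value): bool
{
    return preg_match('#(https?://|\bwww\.|<a\s|href\s*=)#i', $value) === 1;
}

// Returns a list of reasons; an empty list means the submission passes.
function validate_contact(array $post): array
{
    $reasons = [];
    foreach (['first_name', 'last_name', 'email', 'subject'] as $f) {
        if (has_header_injection((string)($post[$f] ?? ''))) {
            $reasons[] = "header injection attempt in $f";
        }
    }
    $email = (string)($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'invalid email address';
    }
    if (contains_link((string)($post['message'] ?? ''))) {
        $reasons[] = 'message contains a link';
    }
    return $reasons;
}

// Usage: log the reasons for your own review, show the user a generic
// message, and always stop the script after sending a redirect header.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reasons = validate_contact($_POST);
    if ($reasons !== []) {
        error_log('contact form blocked from ' . ($_SERVER['REMOTE_ADDR'] ?? '?')
            . ': ' . implode('; ', $reasons));
        header('Location: /contact/?error=1');
        exit;
    }
    // ... build and send the mail here ...
}
```

Rejecting on CR/LF is worth keeping even if you drop the link and header-name checks: it has no false positives for single-line fields, while a bare "bcc:" match can trip on a perfectly ordinary message. Logging the reason instead of echoing it means a spammer gets no hint about which filter caught them.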
You could also add a field called something like "lastname" to the comment form and hide it via CSS. People won't see it; bots will, and fill it in. If that field is set, discard the post as spam.
I don't know how stupid this is, but... I know that bots ignore JavaScript, so... why not make a mandatory hidden field that gets populated with JavaScript? If the field is not set, the form won't be submitted.

    <!-- the input needs a name attribute, or the browser will not send it with the form -->
    <input type="hidden" name="jsmanda" id="jsmanda" value="">
    <script type="text/javascript">
        document.getElementById('jsmanda').value = "w00t";
    </script>

HTML:

Your form would then require JavaScript, but anyone who expects to have minimal problems online should have JavaScript turned on anyway.
I can't take credit for coming up with it, but I can't remember where I read it either. It would be quite simple to implement, though. A few lines of code would do it.
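The CSS-hidden honeypot field and the JavaScript-filled hidden field from the last two posts, implemented together as an added example (this is not code from the thread). Instead of a fixed value like "w00t", which a bot only has to learn once, the server puts a per-form token in the session and the JavaScript copies it into the hidden input; the field names website_url and js_token are assumptions.

```php
<?php
// Added example (not code from the thread): a honeypot field plus a
// JavaScript-filled hidden field backed by a single-use token in the session.
// Field names (website_url, js_token) are assumptions for illustration.
session_start();

// Render: the honeypot is moved off-screen with CSS and kept out of the tab
// order; the token sits in a data attribute and is copied into the hidden
// input only when JavaScript actually runs in the client.
function render_bot_traps(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['js_token'] = $token;
    return <<<HTML
<div style="position:absolute;left:-10000px" aria-hidden="true">
  <label>Leave this empty <input type="text" name="website_url" tabindex="-1" autocomplete="off"></label>
</div>
<input type="hidden" name="js_token" id="js_token" value="" data-token="{$token}">
<script>
  var f = document.getElementById('js_token');
  f.value = f.getAttribute('data-token');
</script>
HTML;
}

// Check on POST: the honeypot must be empty and the token must be present
// and match the one issued for this form. Returns null when it passes.
function check_bot_traps(array $post): ?string
{
    $expected = $_SESSION['js_token'] ?? null;
    unset($_SESSION['js_token']);                 // single use, no replay
    if (($post['website_url'] ?? '') !== '') {
        return 'honeypot field was filled';
    }
    $given = (string)($post['js_token'] ?? '');
    if ($expected === null || $given === '' || !hash_equals($expected, $given)) {
        return 'javascript token missing or wrong';
    }
    return null;
}

// Usage sketch.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = check_bot_traps($_POST);
    if ($reason !== null) {
        error_log('contact form rejected: ' . $reason);
        http_response_code(400);
        exit('Sorry, the form could not be submitted.');
    }
    // ... build and send the mail here ...
} else {
    echo '<form method="post">', render_bot_traps(), '<button>Send</button></form>';
}
```

Two practical caveats: a honeypot named "lastname", as suggested above, is exactly the kind of field browser autofill will populate for a real visitor, so pick a name autofill does not recognise and set autocomplete="off" as well; and the token should be compared with hash_equals() and discarded after one use, so a bot that fetches the form once cannot reuse the same value for a stream of submissions.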