We've been having some abuse on our submit form and I was looking for suggestions. We put up a CAPTCHA script, but it's on the HTML/JavaScript level. I am guessing the automated scripts can submit directly to the PHP script and skip the HTML page altogether. So is there a way to make the PHP script only accept posts from a certain URL? Thanks!
Yes, but this is not reliable either, as the referrer can be faked easily (in fact, all bots will probably do this by default). What I've been working with successfully (until now) are dummy input fields, which are hidden with CSS. The field has no value and is not visible to the user. But the bot will most likely not parse your CSS and check for its visibility, and will therefore put a value in it. Then in your PHP script you just accept the form submission if the field is really empty. (Maybe you don't even show an error, just say the form was submitted successfully.)
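The CSS-hidden dummy field described above, as an added example (not the poster's code). The field name `website_url`, the CSS class and the `submit.php` action are assumptions for illustration:

```php
<?php
// Added example of a CSS-hidden "honeypot" field; the field name, class name
// and form action are assumptions, not taken from the thread.

function render_form(): string
{
    // The trap field is an ordinary text input moved off-screen with CSS.
    // A bot that ignores stylesheets sees a normal field and fills it in;
    // a human never sees it. type="hidden" would not work, because bots
    // know to leave hidden inputs alone.
    return <<<'HTML'
<style>.hp-field { position: absolute; left: -9999px; }</style>
<form method="post" action="submit.php">
  <label>Message <textarea name="message"></textarea></label>
  <div class="hp-field" aria-hidden="true">
    <label>Leave this empty
      <input type="text" name="website_url" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;
}

function is_honeypot_triggered(array $post): bool
{
    // Any non-empty value means the submitter "saw" a field no human sees.
    return isset($post['website_url']) && trim((string) $post['website_url']) !== '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (is_honeypot_triggered($_POST)) {
        // Same response as a real submission, so the bot learns nothing
        // and just silently drops the submission.
        echo 'Thanks, your message was submitted.';
        exit;
    }
    // ... real processing of $_POST['message'] goes here ...
    echo 'Thanks, your message was submitted.';
    exit;
}

echo render_form();
```

The check has to live in the PHP handler, not in JavaScript, because (as the question notes) a script that posts straight to the handler never runs the page's JavaScript at all.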
Image verification should be PHP only. I have a form that used to be abused that sent me email. What happened is the spammers would include their own headers (SMTP injection), so I scanned any input against an array of things like "Mime-type" and "bcc:". I also use CAPTCHA, referrer checking, and post the number of spammers that are automatically banned under the form itself - kind of like the heads of your enemies on a spike.
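A worked version of the header-scanning idea above, added here and not the poster's code. It rejects the injected-header markers the post mentions and additionally refuses any CR/LF in fields that end up in mail headers, since a line break is what makes the injection possible in the first place. The field names, the recipient address and the sample spam payload are all constructed for the example:

```php
<?php
// Added example: detect mail-header (SMTP) injection in form fields before
// the values reach mail(). Field names and addresses are assumptions.

function has_header_injection(string $value, bool $single_line): bool
{
    // Injection smuggles "\r\nBcc: victim@..." into a field that is copied
    // into a header line, so a CR or LF in a header-bound field is enough
    // to reject outright.
    if ($single_line && preg_match('/[\r\n]/', $value) === 1) {
        return true;
    }
    // Marker strings (case-insensitive), in the spirit of the poster's
    // array of "Mime-type" / "bcc:" checks.
    $markers = ['bcc:', 'cc:', 'content-type:', 'mime-version:', 'content-transfer-encoding:'];
    $lower = strtolower($value);
    foreach ($markers as $marker) {
        if (strpos($lower, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Returns the pieces for mail(), or null if the submission looks injected.
function build_mail(array $post): ?array
{
    $email   = trim((string) ($post['email'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $body    = (string) ($post['message'] ?? '');

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Header-bound fields must be single-line; the body may contain newlines
    // but is still scanned for the marker strings.
    if (has_header_injection($email, true) || has_header_injection($subject, true)) {
        return null;
    }
    if (has_header_injection($body, false)) {
        return null;
    }

    return [
        'to'      => 'owner@example.com',           // assumed recipient
        'subject' => $subject,
        'body'    => $body,
        // The visitor's address only appears in Reply-To; From stays fixed.
        'headers' => "From: noreply@example.com\r\nReply-To: $email\r\n",
    ];
}

// Constructed spam payload of the kind the post describes: the "subject"
// carries a line break followed by a Bcc header.
$spam = [
    'email'   => 'spammer@example.net',
    'subject' => "Hello\r\nBcc: victim1@example.org, victim2@example.org",
    'message' => 'Buy now',
];
$clean = [
    'email'   => 'visitor@example.net',
    'subject' => 'Question about your site',
    'message' => "Hi,\nI have a question.",
];

var_dump(build_mail($spam) === null);   // injected: rejected
var_dump(build_mail($clean) !== null);  // normal: accepted
```

Scanning for marker strings alone is weaker than the newline check: the markers are only dangerous when preceded by a line break, and a spammer can rename the header, so rejecting CR/LF in header-bound fields is the check that actually closes the hole.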
I assume you want to submit your own form to your own domain, right? Bots usually use the domain which they're currently "working" on as referrer.
Yeah. Is there any way to limit the referrer to a specific URL, so that you can only submit the form from a specific page?
Theoretically, yes. Practically, no. First, because I would assume that the bot uses the URL the form is on as the referrer. And besides that, the referrer (if the user is a normal visitor) is sent by the browser, and some browsers don't send it, and it can be disabled. Therefore it can't be trusted. Forget this method; it's not a good way to prevent spam.
How many fields are there? Set a timeout: for example, if the form is submitted less than 2 seconds after viewing, then it is a bot. Peace,
I use the following, and it works quite well for me. When the form is requested, get a session ID and a) store it in the session variable and b) send it to be stored in the hidden field on the form. When the form is submitted, compare the value received from the form with the value stored in the session and process the form only if the values are the same. My 2c.
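The session-token check in the post above and the "submitted too fast" check from the earlier reply fit naturally together, since both need state saved when the form is shown. The example below is added here and is not either poster's code. One deliberate change from the post: the hidden value is a fresh `random_bytes()` token rather than the session ID itself, so the value in the page is never the session cookie. The 2-second minimum comes from the thread; the one-hour expiry, the field names and the session keys are assumptions:

```php
<?php
// Added example: one-shot form token stored in the session and echoed in a
// hidden field, plus a minimum fill time. Constants and field names are
// assumptions for illustration.

session_start();

const MIN_FILL_SECONDS  = 2;     // faster than this is treated as a bot (from the thread)
const TOKEN_TTL_SECONDS = 3600;  // assumed expiry for stale forms

function issue_form_token(): string
{
    // Fresh CSPRNG token per form view; the session ID itself is the
    // cookie value and should not be placed in page content.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token']     = $token;
    $_SESSION['form_issued_at'] = time();
    return $token;
}

function verify_form_token(array $post, int $now): bool
{
    if (!isset($_SESSION['form_token'], $_SESSION['form_issued_at'])) {
        return false;   // form was never requested in this session
    }
    $expected = (string) $_SESSION['form_token'];
    $issued   = (int) $_SESSION['form_issued_at'];
    // Consume the token before any other check so a replayed POST fails.
    unset($_SESSION['form_token'], $_SESSION['form_issued_at']);

    $supplied = (string) ($post['form_token'] ?? '');
    if (!hash_equals($expected, $supplied)) {   // constant-time comparison
        return false;
    }
    $elapsed = $now - $issued;
    return $elapsed >= MIN_FILL_SECONDS && $elapsed <= TOKEN_TTL_SECONDS;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST, time())) {
        http_response_code(400);
        echo 'Form session invalid or submitted too quickly. Please reload and try again.';
        exit;
    }
    // ... process $_POST['message'] ...
    echo 'Thanks, your message was submitted.';
    exit;
}

// GET: show the form with the token in a hidden field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="form_token" value="$token">
  <label>Message <textarea name="message"></textarea></label>
  <button type="submit">Send</button>
</form>
HTML;
```

This defeats the abuse in the original question (posting straight to the PHP script without loading the page), because the handler now refuses anything that did not first fetch the form in the same session. A bot that does fetch the page, keeps the session cookie and waits two seconds will still pass, which is why the posters combine it with the other checks in the thread.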