Basically I'm setting up an online business directory; each listing will have an "email this business" link which goes to their own send email page (one dynamic page called email.php). The only fields on this page will be: name, email address and comments. However I am concerned about spam mail. In all honesty I would prefer not to implement a CAPTCHA as this might put users off from sending the email, especially if they want to contact multiple businesses. I have seen similar directory sites that don't use CAPTCHA - does this mean that dynamically generated form pages are invisible to bots? What is the best way for me to go about this? I would prefer that bots don't see the page at all, as this will just generate unnecessary traffic and database calls.
I think you can do this by creating robots.txt in your main directory. Not sure though. One way to implement that is using CAPTCHA once, and after the CAPTCHA is validated all you have to do is store a flag in the SESSION that this user is already verified to be a human, and the succeeding emails will check whether the SESSION flag exists; if so then don't issue any CAPTCHA, because you know for sure that the user is human.
I agree, a good robots.txt will help. There is another thing you can try, this may help. In your form, generate a hard to guess token and require it for submission, like this:

```php
<?php
session_start();

// The session secret the token is derived from; created on first use
if (empty($_SESSION['SID'])) {
    $_SESSION['SID'] = bin2hex(random_bytes(16));
}
$tokenvalue = strrev(md5($_SESSION['SID']));

switch ($_REQUEST['mode'] ?? '') {
    case 'dosubmit':
        // Compare in constant time; a submission without the session's token fails here
        if (hash_equals($tokenvalue, (string)($_POST['token'] ?? ''))) {
            // do your work
        } else {
            echo "Invalid Form Submission";
        }
        break;
    default:
?>
<form method="post" action="form.php">
  <table border="0">
    <tr>
      <td>Name:</td>
      <td><input type="text" name="name" /></td>
    </tr>
    <tr>
      <td>Email Address:</td>
      <td><input type="text" name="email" /></td>
    </tr>
  </table>
  <input type="hidden" name="mode" value="dosubmit" />
  <input type="hidden" name="token" value="<?php echo htmlspecialchars($tokenvalue); ?>">
  <input type="submit" name="button" id="button" value="Submit" />
</form>
<?php
        break;
}
?>
```

But even this won't stop a good robot, as they can read the form elements and post them with it. You can use javascript validation also to help, I can post some code here if you need it. Captcha is really your best bet, but nothing is 100% certain.
Captcha, block java, limit the text they can put in, limit the IP addresses in one day, do not call the link contact us
you should check out this site: http://bpform.com/ if for no other reason than what is explained makes good sense.
How about if I use HTTP_REFERER=results.php, i.e. the form needs to have been accessed via the results.php page; if not then it won't display. So if a spam bot directly accessed the form it won't display.
That could work. However, HTTP referrers can be forged, and is it impossible for the robot to access results.php in the first place?
The referrer solution is not good. Today's spambots are quite smart, and will call the page with the correct referrer.
But if the spambot directly accessed the page, it won't know that a form exists on the page, will it? It will only see the form if it accesses it via results.php. So at least that's reducing the chances of being spammed. Chuckun - how can the spambot call the page with the correct referrer if they don't know what it is? OK maybe they can do brute force/dictionary attack but are they really THAT keen!?
Some (the best) spam bots really are foolproof... Some can even scan the easier captcha images (which is why things like RS tend to have awful looking captcha systems). So I would say that they could very well be that keen >.< It's lame, yes... I don't know what motivates people to want to spam people with crap. What happened to morality?
You should use captchas, as there is no other way to prevent spam-bots. They can change user-agent strings, referring IPs, etc... so you have no other way of checking the submitter is actually human.
I think if you don't like the captcha, you can use a spam filter service, for example Akismet or Mollom; they provide an API to interface with your form verification. It will reply spam, ham, or service down, and in that case you can put your form in moderation status.
But let's say I used my HTTP_REFERER solution and the spam bot directly accessed the page: 1) How can the spam bot know that a form exists on the page? 2) How does it know that it needs to specify a REFERER value to access the form?
put a limit on sending mails.. like 5 or a bit higher number... you could also add an IP banning feature which requires a MySQL database, or a text file...
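The per-IP sending limit suggested in the post above, written out as an added example (not code from anyone in this thread) for email.php, with a JSON text file as the counter store; the limit of 5 sends per 24 hours and the store path are assumptions.

```php
<?php
// Added example: allow at most $limit sends per $window seconds from one IP.
// Assumed: $store is a file PHP can create and write (e.g. outside the web root).
function allow_send(string $ip, string $store, int $limit = 5, int $window = 86400): bool
{
    $fh = fopen($store, 'c+');          // create if missing, do not truncate
    if ($fh === false) {
        return false;                   // cannot record the attempt: fail closed
    }
    flock($fh, LOCK_EX);                // serialise concurrent requests
    $raw = stream_get_contents($fh);
    $counts = $raw !== '' ? (json_decode($raw, true) ?: []) : [];
    $now = time();

    // Keep only send timestamps that are still inside the window, for every IP
    foreach ($counts as $addr => $times) {
        $fresh = array_values(array_filter($times, fn($t) => $t > $now - $window));
        if ($fresh === []) {
            unset($counts[$addr]);
        } else {
            $counts[$addr] = $fresh;
        }
    }

    $allowed = count($counts[$ip] ?? []) < $limit;
    if ($allowed) {
        $counts[$ip][] = $now;          // record this send only when it goes through
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($counts));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// In email.php, before building and sending the message
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (!allow_send($ip, __DIR__ . '/../sendcounts.json')) {
    http_response_code(429);
    exit('Daily contact limit reached. Please try again tomorrow.');
}
```

Behind a reverse proxy REMOTE_ADDR is the proxy's address, so every visitor would share one counter; and many legitimate users behind one NAT share an IP, so keep the limit generous and log refusals rather than banning outright.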