This is a discussion on Preventing spammers from using mail form within the PHP Language forums, part of the PHP Programming Forums category.
I created a small website for a friend. On this website he has a contact page where people can send him email. When I wrote this page I checked some tutorial pages and they warned about certain precautions to take to avoid spammers using the mail form to spam multiple people.

I believe I did most of that, such as making sure that the header fields do not include multiple addresses, etc.

Now it does seem some spammer has discovered this website and he is spamming my friend. 20 emails today.

So I figure I need to add more things to the script to stop him. One obvious thought that came to my mind is to use a captcha. Will that be the way to go or are there other things that I need to do?

The website is (owen pool care [dot] com), (remove all spaces) if anyone is interested in looking at the site.

I guess I can also post it somewhere, but I don't know exactly where.

Thanks for any advice.
MikeB wrote:
> I created a small website for a friend. On this website he has a
> contact page where people can send him email. When I wrote this page I
> checked some tutorial pages and they warned about certain precautions
> to take to avoid spammers using the mail form to spam multiple
> people.
>
> I believe I did most of that, such as making sure that the header
> fields do not include multiple addresses, etc.
>
> Now it does seem some spammer has discovered this website and he is
> spamming my friend. 20 emails today.
>
> So I figure I need to add more things to the script to stop him. One
> obvious thought that came to my mind is to use a captcha. Will that be
> the way to go or are there other things that I need to do?
>
> The website is (owen pool care [dot] com), (remove all spaces) if
> anyone is interested in looking at the site.
>
> I guess I can also post it somewhere, but I don't know exactly where.
>
> Thanks for any advice.

One simple trick that has worked well for me is to build the Submit button in JavaScript (loaded from a *.js file) instead of HTML. It doesn't stop determined humans, so you occasionally get advertising from Chinese firms that use slave labor to do their spamming, but it stops robots cold. Naturally you need a <NOSCRIPT> warning about this.

Other than that, the usual method is to use a CAPTCHA.

--
John W. Kennedy
"Compact is becoming contract,
Man only earns and pays."
-- Charles Williams. "Bors to Elayne: On the King's Coins"
"John W Kennedy" <jwkenne@attglobal.net> wrote in message news:4883d66c$0$20936$607ed4bc@cv.net...
> MikeB wrote:
>> I created a small website for a friend. On this website he has a
>> contact page where people can send him email. When I wrote this page I
>> checked some tutorial pages and they warned about certain precautions
>> to take to avoid spammers using the mail form to spam multiple
>> people.
>>
>> I believe I did most of that, such as making sure that the header
>> fields do not include multiple addresses, etc.
>>
>> Now it does seem some spammer has discovered this website and he is
>> spamming my friend. 20 emails today.
>>
>> So I figure I need to add more things to the script to stop him. One
>> obvious thought that came to my mind is to use a captcha. Will that be
>> the way to go or are there other things that I need to do?
>>
>> The website is (owen pool care [dot] com), (remove all spaces) if
>> anyone is interested in looking at the site.
>>
>> I guess I can also post it somewhere, but I don't know exactly where.
>>
>> Thanks for any advice.
>
> One simple trick that has worked well for me is to build the Submit button
> in JavaScript (loaded from a *.js file) instead of HTML. It doesn't stop
> determined humans, so you occasionally get advertising from Chinese firms
> that use slave labor to do their spamming, but it stops robots cold.
> Naturally you need a <NOSCRIPT> warning about this.
>
> Other than that, the usual method is to use a CAPTCHA.

good point, jon. you've made it impossible for some people to submit now though. js-disabled browser, i mean. yes, there are still some who don't allow js. :)

captcha stuff is good. don't forget the parsing we still need to do to insure no one is putting in other directives - other than to whom (usually a single individual) the email is intended to be sent.

for this op, parsing and captcha should take care of the problem. there should be no 'to' for the user to fill out, so, the body (probably textarea) of the email is all there is to parse.

cheers
Message-ID: <edcd4a73-d3b9-4e52-b186-e891b95a3a22@w7g2000hsa.googlegroups.com> from MikeB contained the following:

>So I figure I need to add more things to the script to stop him. One
>obvious thought that came to my mind is to use a captcha. Will that be
>the way to go or are there other things that I need to do?

Personally I hate captchas and I think they are over the top for a simple enquiry form like this. I like captchas when they are there for /my/ security but this one isn't, it's for your client's benefit alone. Besides accessibility issues, they are just another obstacle for potential customers - never a good idea. So I'd look for other ways first and use CAPTCHA as a last, rather than first resort.

One of my client's forms was being spammed by a bot that filled all fields with garbage. One simple way to stop this is to have an extra field, hidden by CSS

<label for='secret_field' style='display:none'>Please leave blank
<input name='secret_field' id='secret_field'></label>

The bot will either fill the field with garbage or omit it entirely, both easily detectable.

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk
On Jul 21, 12:43 am, MikeB <MPBr...@gmail.com> wrote:
> I created a small website for a friend. On this website he has a
> contact page where people can send him email. When I wrote this page I
> checked some tutorial pages and they warned about certain precautions
> to take to avoid spammers using the mail form to spam multiple
> people.
>
> I believe I did most of that, such as making sure that the header
> fields do not include multiple addresses, etc.
>
> Now it does seem some spammer has discovered this website and he is
> spamming my friend. 20 emails today.
>
> So I figure I need to add more things to the script to stop him. One
> obvious thought that came to my mind is to use a captcha. Will that be
> the way to go or are there other things that I need to do?
>
> The website is (owen pool care [dot] com), (remove all spaces) if
> anyone is interested in looking at the site.
>
> I guess I can also post it somewhere, but I don't know exactly where.
>
> Thanks for any advice.

How about reporting the Email sender for spamming, NOT SURE but I think you take the domain name and send an email to the ISP something like this "abuse@isp-domain-name.com" I may be wrong but someone else will be able to add more. Or just google report spammers for more info.

VoodooJai
Geoff Berrow wrote:
> Message-ID:
> <edcd4a73-d3b9-4e52-b186-e891b95a3a22@w7g2000hsa.googlegroups.com> from
> MikeB contained the following:
>
>> So I figure I need to add more things to the script to stop him. One
>> obvious thought that came to my mind is to use a captcha. Will that be
>> the way to go or are there other things that I need to do?
>
> Personally I hate captchas and I think they are over the top for a
> simple enquiry form like this. I like captchas when they are there for
> /my/ security but this one isn't, it's for your client's benefit alone.
> Besides accessibility issues, they are just another obstacle for
> potential customers - never a good idea. So I'd look for other ways
> first and use CAPTCHA as a last, rather than first resort.
>
> One of my client's forms was being spammed by a bot that filled all
> fields with garbage. One simple way to stop this is to have an extra
> field, hidden by CSS
>
> <label for='secret_field' style='display:none'>Please leave blank <input
> name='secret_field' id='secret_field'></label>

I like that. I assume that you actually have some value in the "secret_field" or you'd never know it was omitted. I know that's the case in perl, can you tell a blank posted field from an omitted field in php?

Jeff

>
> The bot will either fill the field with garbage or omit it entirely,
> both easily detectable.
>
..oO(Jeff)
>Geoff Berrow wrote:
>
>> One of my client's forms was being spammed by a bot that filled all
>> fields with garbage. One simple way to stop this is to have an extra
>> field, hidden by CSS
>>
>> <label for='secret_field' style='display:none'>Please leave blank <input
>> name='secret_field' id='secret_field'></label>
>
> I like that.

Many refer to it as "honeypot".

>I assume that you actually have some value in the
>"secret_field" or you'd never know it was omitted. I know that's the
>case in perl, can you tell a blank posted field from an omitted field in
>php?

Yes, empty input fields are considered "successful controls" and submitted. It doesn't matter which language you use on the server.

Micha
Voodoo Jai wrote:
> On Jul 21, 12:43 am, MikeB <MPBr...@gmail.com> wrote:
>> I created a small website for a friend. On this website he has a
>> contact page where people can send him email. When I wrote this page I
>> checked some tutorial pages and they warned about certain precautions
>> to take to avoid spammers using the mail form to spam multiple
>> people.
>>
>> I believe I did most of that, such as making sure that the header
>> fields do not include multiple addresses, etc.
>>
>> Now it does seem some spammer has discovered this website and he is
>> spamming my friend. 20 emails today.
>>
>> So I figure I need to add more things to the script to stop him. One
>> obvious thought that came to my mind is to use a captcha. Will that be
>> the way to go or are there other things that I need to do?
>>
>> The website is (owen pool care [dot] com), (remove all spaces) if
>> anyone is interested in looking at the site.
>>
>> I guess I can also post it somewhere, but I don't know exactly where.
>>
>> Thanks for any advice.
>
> How about reporting the Email sender for spamming, NOT SURE but I
> think you take the domain name and send an email to the ISP something
> like this "abuse@isp-domain-name.com" I may be wrong but someone else
> will be able to add more. Or just google report spammers for more info.
>
> VoodooJai
>

How do you know who the ISP is? Spammers often use proxies, for instance, so you don't know their original IP.

And even if you do, many ISPs don't care their users are spamming and will do nothing about it. Only better ones will take any action, and that will almost always just be a "don't do this again" to the spammer. It's not like hosting companies who will kill a spammer's account.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Message-ID: <AZKdnfsO15KtxhnVnZ2dnUVZ_hGdnZ2d@earthlink.com> from Jeff contained the following:

> I like that. I assume that you actually have some value in the
>"secret_field" or you'd never know it was omitted. I know that's the
>case in perl, can you tell a blank posted field from an omitted field in
>php?

if(!isset($_POST['secret_field'])||$_POST['secret_field']!=""){
    //mail is spam
}
else{
    //send mail
}

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
http://slipperyhill.co.uk
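
Added example, not part of any post in this thread: one server-side check that combines the honeypot test above with the header "parsing" mentioned earlier in the thread, run over a few constructed submissions. The field names name, email and message, and the idea that name and email end up in the mail headers, are assumptions about the form; only secret_field comes from the thread.

```php
<?php
// Added example. 'secret_field' is from the thread; the other field names
// (name, email, message) are assumptions about the contact form.

/** Returns 'ok', or the reason the submission must not be passed to mail(). */
function classify_submission(array $post): string
{
    // Honeypot: a browser submits the CSS-hidden input as an empty string.
    // A missing key or any other value means a script built the request.
    if (!array_key_exists('secret_field', $post)) {
        return 'honeypot-missing';
    }
    if ($post['secret_field'] !== '') {
        return 'honeypot-filled';
    }
    // Each expected field must be a string (name[]=x would arrive as an array).
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return "bad-field:$field";
        }
    }
    // Values copied into mail headers must not contain CR or LF; a line
    // break there lets the sender append header lines of their own.
    foreach (['name', 'email'] as $field) {
        if (preg_match('/[\r\n]/', $post[$field])) {
            return "header-injection:$field";
        }
    }
    // Exactly one syntactically valid address, not a comma-separated list.
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'bad-email';
    }
    return 'ok';
}

// Constructed sample submissions, not taken from the thread.
$samples = [
    'human'     => ['secret_field' => '', 'name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Quote please'],
    'bot-fill'  => ['secret_field' => 'xyz', 'name' => 'a', 'email' => 'a@example.com', 'message' => 'spam'],
    'bot-omit'  => ['name' => 'a', 'email' => 'a@example.com', 'message' => 'spam'],
    'injection' => ['secret_field' => '', 'name' => 'a', 'email' => "a@example.com\r\nBcc: b@example.com", 'message' => 'x'],
    'two-addrs' => ['secret_field' => '', 'name' => 'a', 'email' => 'a@example.com, b@example.com', 'message' => 'x'],
];
foreach ($samples as $label => $post) {
    printf("%-10s %s\n", $label, classify_submission($post));
}
```

Only a result of 'ok' should reach mail(); the recipient stays hard-coded on the server and the message text goes in the body, never in a header.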
On Jul 21, 1:55 am, Geoff Berrow <blthe...@ckdog.co.uk> wrote:
> Message-ID:
> <edcd4a73-d3b9-4e52-b186-e891b95a3...@w7g2000hsa.googlegroups.com> from
> MikeB contained the following:
>
> >So I figure I need to add more things to the script to stop him. One
> >obvious thought that came to my mind is to use a captcha. Will that be
> >the way to go or are there other things that I need to do?
>
> Personally I hate captchas and I think they are over the top for a
> simple enquiry form like this. I like captchas when they are there for
> /my/ security but this one isn't, it's for your client's benefit alone.
> Besides accessibility issues, they are just another obstacle for
> potential customers - never a good idea. So I'd look for other ways
> first and use CAPTCHA as a last, rather than first resort.
>
> One of my client's forms was being spammed by a bot that filled all
> fields with garbage. One simple way to stop this is to have an extra
> field, hidden by CSS
>
> <label for='secret_field' style='display:none'>Please leave blank <input
> name='secret_field' id='secret_field'></label>
>
> The bot will either fill the field with garbage or omit it entirely,
> both easily detectable.
>
> --
> Geoff Berrow 0110001001101100010000000110
> 001101101011011001000110111101100111001011
> 100110001101101111001011100111010101101011
> http://slipperyhill.co.uk

This is a nice idea. I'll look into it. For now, last night I implemented a captcha and it stopped the spam. That is a great help.

Thanks for all the advice.