<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: How To Prevent Web-form Spam?</title>
	<atom:link href="http://www.savagehost.com/how-to-prevent-web-form-spam.html/feed" rel="self" type="application/rss+xml" />
	<link>http://www.savagehost.com/how-to-prevent-web-form-spam.html</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Wed, 14 Jul 2010 11:55:28 -0500</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Shui X</title>
		<link>http://www.savagehost.com/how-to-prevent-web-form-spam.html/comment-page-1#comment-10469</link>
		<dc:creator>Shui X</dc:creator>
		<pubDate>Mon, 19 Oct 2009 16:00:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.savagehost.com/how-to-prevent-web-form-spam.html#comment-10469</guid>
		<description>Checking HTTP_REFERER is an old and unreliable security measure. Sure, it can add a tiny bit of security but it&#039;s very very easy to spoof the referer info, even automatically.
There&#039;s a PHP security expert named Chris Shiflett who has written a lot about this topic. One of his ideas is to generate two related strings, store one in an invisible tag in the form, and the other in a cookie set in the browser. When the data is received, the two values are compared. If there is no cookie (session) info, the script dies. If they don&#039;t match, the script dies.
In a nutshell, the one string is pseudo-randomly generated off the current time, and the other is a one-way hash (md5) of that string plus a secret component. Like this:
$hash = md5(&#039;secret salt here&#039;.$string);
Chris Shiflett does a better job of explaining it. The technique does require cookies allowed by your visitor, but it is very easy for the &quot;good guys&quot; to use your form while being very tough on preventing &quot;bad guys&quot; from taking advantage.
I&#039;ve adapted this idea a bit for my own use and I limit the time involved for each token/hash pair. In other words, you only have 15 minutes to submit the form. This means that a spammer can&#039;t gather a token/hash pair from my site and use it from now on to send spam through my form.</description>
		<content:encoded><![CDATA[<p>Checking HTTP_REFERER is an old and unreliable security measure. Sure, it can add a tiny bit of security but it&#8217;s very very easy to spoof the referer info, even automatically.<br />
There&#8217;s a PHP security expert named Chris Shiflett who has written a lot about this topic. One of his ideas is to generate two related strings, store one in an invisible tag in the form, and the other in a cookie set in the browser. When the data is received, the two values are compared. If there is no cookie (session) info, the script dies. If they don&#8217;t match, the script dies.<br />
In a nutshell, the one string is pseudo-randomly generated off the current time, and the other is a one-way hash (md5) of that string plus a secret component. Like this:<br />
$hash = md5('secret salt here'.$string);<br />
Chris Shiflett does a better job of explaining it. The technique does require cookies allowed by your visitor, but it is very easy for the &#8220;good guys&#8221; to use your form while being very tough on preventing &#8220;bad guys&#8221; from taking advantage.<br />
I&#8217;ve adapted this idea a bit for my own use and I limit the time involved for each token/hash pair. In other words, you only have 15 minutes to submit the form. This means that a spammer can&#8217;t gather a token/hash pair from my site and use it from now on to send spam through my form.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Koolkat</title>
		<link>http://www.savagehost.com/how-to-prevent-web-form-spam.html/comment-page-1#comment-10468</link>
		<dc:creator>Koolkat</dc:creator>
		<pubDate>Mon, 19 Oct 2009 14:45:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.savagehost.com/how-to-prevent-web-form-spam.html#comment-10468</guid>
		<description>Talking of spam, your other answer (which has been reported) was a spam virus download.
Spam is a huge problem on the entire Internet. Since laws were made (and enforced) against sending spam by email, they&#039;ve had to resort to any other method where users are allowed to put content anywhere on a site. That&#039;s why we get so many here on this site, which is designed for user content.
Your relative could get some Captchas on the site. These are those blurry squiggly hard-to-read numbers and letters you have to copy before submitting something. They are a nuisance, and may put off a small number of customers, but they are very hard to read by computer, so at least the automated spam bots can&#039;t get past them to spam you.
Big companies get theirs from a Captcha service. A smaller site could make up some, say 20, as graphics images, and have a script that displays them at random on the contact form. 
The other defense is to put a good spam filter on the incoming mail from the site. 
This one is $30 and has a 20-use free trial.
http://www.antispamguard.com
This is a listing of many different ones, ranging from free to shareware to commercial ones: http://3d2f.com/tags/spam/guard
For low volume, probably even one of the free ones would work well. Get the mail directed to a POP account (on Outlook Express, not on Web mail) as that also has better built-in sorting and blocking features. Also it will sort the mail into different groups, if there are different types of queries coming in. All you need do is put a list of choices for the customer to click; this goes into the email subject line, and gets sorted on that basis into the right folder. 
Good luck with this never-ending fight.</description>
		<content:encoded><![CDATA[<p>Talking of spam, your other answer (which has been reported) was a spam virus download.<br />
Spam is a huge problem on the entire Internet. Since laws were made (and enforced) against sending spam by email, they&#8217;ve had to resort to any other method where users are allowed to put content anywhere on a site. That&#8217;s why we get so many here on this site, which is designed for user content.<br />
Your relative could get some Captchas on the site. These are those blurry squiggly hard-to-read numbers and letters you have to copy before submitting something. They are a nuisance, and may put off a small number of customers, but they are very hard to read by computer, so at least the automated spam bots can&#8217;t get past them to spam you.<br />
Big companies get theirs from a Captcha service. A smaller site could make up some, say 20, as graphics images, and have a script that displays them at random on the contact form.<br />
The other defense is to put a good spam filter on the incoming mail from the site.<br />
This one is $30 and has a 20-use free trial.<br />
<a href="http://www.antispamguard.com" rel="nofollow">http://www.antispamguard.com</a><br />
This is a listing of many different ones, ranging from free to shareware to commercial ones: http://3d2f.com/tags/spam/guard<br />
For low volume, probably even one of the free ones would work well. Get the mail directed to a POP account (on Outlook Express, not on Web mail) as that also has better built-in sorting and blocking features. Also it will sort the mail into different groups, if there are different types of queries coming in. All you need do is put a list of choices for the customer to click; this goes into the email subject line, and gets sorted on that basis into the right folder.<br />
Good luck with this never-ending fight.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
