web email form annoyances

[sysadmin42]

I wrote a script for my website that has 4 fields:

- name
- email address
- phone (optional)
- message

and then emails me with what's in the form. Pretty standard stuff.

My problem is that I think either someone, or a search robot is clicking through- i have both JS and PHP validation- and I keep getting lots of either blank or gobbledygook emails.

Any ideas on how to prevent this from occurring?

 

[Wullie]

Most likely it is due to the following, we have seen a huge increase in this recently:

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

As for ways to stop them submitting, you could look into using some kind of CAPTCHA system (image verification).

Hope this helps

Wullie

Fresh Look - Quality Coldfusion/Windows Hosting

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell

 

[sysadmin42]

that looks very similar to a few of the messages I've received- thanks.

I thought about CAPTCHA, but this is for the main contact form on the site and I wanted it to be as simple as possible for people to contact me. My feeling is that adding the extra step might deter people from finishing the form.

 

[ChrisHunt]

Try changing the name of the script and the input fields not to sound like a contact form. Avoid words like "email" or "formmail". That might fool the robots.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[LFI]

sysadmin42,

I agree that no one likes extra steps. I have seen the CAPTCHA technique used with greater frequency recently. It won't be long before everyone understands why it's there and accepts that it is a necessary part of form-entry. Think, you'll be in early on a trend which is about to take over form entry all over the 'net!

--Dave


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience!

 

[Wullie]

Try changing the name of the script and the input fields not to sound like a contact form. Avoid words like "email" or "formmail". That might fool the robots.

I have been seeing it on some login forms, which use only username and password fields. As long as you have over 2-3 fields in the form, chances are that it is some kind of feedback/contact form. This would be true for probably about 99% of sites anyway.

sysadmin42,

I agree that no one likes extra steps. I have seen the CAPTCHA technique used with greater frequency recently. It won't be long before everyone understands why it's there and accepts that it is a necessary part of form-entry. Think, you'll be in early on a trend which is about to take over form entry all over the 'net!

There are problems with CAPTCHA setups as well though, I guess I should have mentioned that in my previous post. The robots can be trained to read them, in some cases they can read them 100% of the time.

Hope this helps

Wullie

Fresh Look - Quality Coldfusion/Windows Hosting

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell

 

[sysadmin42]

ChrisHunt- do you have any examples of this? what would I name "email"?

Wullie- any idea how the robots read the CAPTCHA? OCR or what...?

 

[Wullie]

Chris' suggestion would involve naming the fields anything you want, rather than relative to what they are. So email could be myfield1 or whatever else you want to call it.

Regarding reading the CAPTCHA, see the following page:

http://sam.zoy.org/pwntcha/

The robot needs to be trained to read them, but they can read them.

Hope this helps

Wullie

Fresh Look - Quality Coldfusion/Windows Hosting

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell

 

[ChrisHunt]

How about also including something like this in your form:

<label>Subject:
<select name="wotabout">
<option value="0">Please choose...</option>
<option value="1">Comment</option>
<option value="2">Correction</option>
<option value="3">... etc ...</option>
</select></label>

Then have the mailing script reject anything where [tt]wotabout = 0[/tt] .

I find CAPTCHAs rather irritating when filling in forms, and they also shut out visually impaired users.



-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd

 

[sysadmin42]

that's a good idea. Thanks to all!

 

[Wullie]

Then have the mailing script reject anything where wotabout = 0 .

That's assuming a robot will pick the first option from a select list, however in reality it doesn't always work that way. The robots don't always simulate form posts from your site, they take the source and submit directly to the processing script passing their own contents in the form.

If you checked for wotabout = 0, then if the spammer passes an email address as every field of the form they have just bypassed your check. Even if you specifically check for one of the numbers being passed, what is to say that the robot won't send a random value from the select lists?

I agree that CAPTCHAS can be problematic, but at the present time it is one of the very few options that can actually work. Anything you do has to work without preventing the user from legitimately submitting the form, so in the case of selects, you need the legitimate option to be there for it to work. As long as that code is there, the chance is there that the robot could pass that as well.

Hope this helps

Wullie

Fresh Look - Quality Coldfusion/Windows Hosting

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell

 

[ChrisHunt]

What is to say that the robot won't...

Nothing. I should have made it clear that I'd reject values for wotabout that didn't appear in an option too, but yeah, it's not anything like 100% robot-proof.

However, say it's just 25% robot-proof, that's still 25% less spam that you're getting.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd