
Thread: Form Spam

  1. #1
    warpsite is offline Member

    I started getting spam through the webform at one of my WHB domains, then about a week ago, it started coming through another, too.

    I don't know if this is adding to the load on the server (Gold) or not, helping to cause the recent overloads, but it is a pain to have to deal with it.

    Any idea how to deal with this? I thought about using one of those goofy graphic things, but have no idea how to implement one.

    - Mike

  2. #2
    Alan B is offline Super Moderator

    Since there is a risk that your form is being used by spammers, you should open a ticket to inform Support.

    Is this a formmail (form-to-mail) setup? (Web site visitor enters details in a web form, which is then submitted and passed via e-mail to you?)

  3. #3
    Matt R. is offline WeeHBie

    Check your logs to see if it's coming from one or a few IPs. You can block these using .htaccess, or we can block them at the server firewall level.
    Matt Russell
    WebHostingBuzz CEO

    Follow me on Twitter: http://www.twitter.com/mattdrussell
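
One way to do the log check and .htaccess block described in this post, as an added example that is not part of the original thread. The log lines are constructed, and the handler path `/halibut.php` and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2008:03:14:07 -0500] "POST /halibut.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2008:03:14:09 -0500] "POST /halibut.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2008:03:14:11 -0500] "POST /halibut.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jan/2008:09:30:00 -0500] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2008:09:31:12 -0500] "POST /halibut.php HTTP/1.1" 200 512 "http://example.org/contact.html" "Mozilla/5.0"
this line is damaged and must be skipped
"""

# client IP, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def posts_per_ip(log_text, handler_path):
    """Count POST requests to the form handler per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?", 1)[0] == handler_path:
            counts[ip] += 1
    return counts

def htaccess_block(counts, threshold):
    """Render Apache 2.4 .htaccess rules denying IPs at or above threshold."""
    noisy = sorted(ip for ip, n in counts.items() if n >= threshold)
    if not noisy:
        return ""  # nothing concentrated enough to block by address
    rules = ["<RequireAll>", "    Require all granted"]
    rules += [f"    Require not ip {ip}" for ip in noisy]
    rules.append("</RequireAll>")
    return "\n".join(rules)

if __name__ == "__main__":
    counts = posts_per_ip(SAMPLE_LOG, "/halibut.php")
    print(counts.most_common())
    print(htaccess_block(counts, threshold=3))
```

If the submissions are spread thinly across many addresses, the block comes back empty and address blocking will not help; the form itself has to be hardened.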

  4. #4
    aztech is offline Who am I?

    Are you receiving emails from your webform? Or are others receiving the SPAM?

    A "captcha" is quite easy to implement depending on what sort of "webform" you are using. Search Google for "captcha" and maybe PHP, depending on what code you are using.

    Cheers,
    Aaron
    ______________________________
    Aztech Networks (http://aztech.net.au/)
    Quality IT and Hosting Solutions
    Check out our current Hosting Services (http://aztech.net.au/support/link.php?id=1)

  5. #5
    Alan B is offline Super Moderator

    There's much more he can do to secure it, if it's a form-to-mail type script. Once he answers that, I can give more tips.

  6. #6
    warpsite is offline Member

    I'm sorry that it took so long for me to answer. I'm not getting emails from the forum to notify me of new posts. I've got it set to "Instant", so maybe it will work eventually.

    It's a form-to-email form that I created using the form tool at my CP, and I'm receiving the spam at my end (I hope that no one else is receiving it). For the longest time it only came through the one domain, tbmp.org, then it started coming through from cfnson.com. Both hosted by WHB. I have yet to see any from watersysop.com, my other WHB-hosted domain. I get about three to ten per day from tbmp.org.

    Matt, how do I implement the block using .htaccess? And thanks, Alan, for the suggestions. I'll do a Google on captchas & PHP.

  7. #7
    Alan B is offline Super Moderator

    I don't know what script cPanel includes, but for a long time cPanel included an insecure formmail script. I prefer to choose a script that is known to be secure. This script at nms sourceforge is secure: http://www.scriptarchive.com/nms.html.

    You should not enable recipient addresses to be specified from hidden fields within the html form. Specify the recipient e-mail addresses only within the script itself. Putting them in the form is not secure.

    The script should include a specification for valid referrer addresses or domains. Referrers from anywhere else should be rejected.

    Do not name the script anything obvious: don't use words such as "formmail", "form" or "mail". If it has already been named something obvious, rename it immediately. Name it "macktruck" or "halibut" or something else each client coins for himself.
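
The recipient and referrer checks from this post, sketched as an added example (not code from the thread, from cPanel, or from the NMS script). The addresses, host names and field names are placeholders; the line-break check on header-bound fields goes beyond what the post lists and is included because it addresses the same abuse.

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed values for illustration only.
RECIPIENT = "owner@example.org"        # fixed in the script, never read from the form
SENDER = "webform@example.org"
ALLOWED_REFERER_HOSTS = {"example.org", "www.example.org"}

class Rejected(Exception):
    """Raised when a submission fails a check."""

def referer_allowed(referer):
    # The Referer header is supplied by the client, so this only filters
    # casual abuse; it does not replace the other checks.
    host = (urlsplit(referer or "").hostname or "").lower()
    return host in ALLOWED_REFERER_HOSTS

def build_message(fields, referer):
    """Validate one submission and return the message to hand to the mailer."""
    if not referer_allowed(referer):
        raise Rejected("referrer not on allowlist")
    name = fields.get("name", "")
    reply_to = fields.get("email", "")
    # A CR or LF in a value that ends up in a header lets the sender add
    # header lines of their own, so such submissions are refused outright.
    for value in (name, reply_to):
        if "\r" in value or "\n" in value:
            raise Rejected("line break in header field")
    if reply_to.count("@") != 1 or " " in reply_to:
        raise Rejected("bad reply address")
    msg = EmailMessage()
    msg["To"] = RECIPIENT              # a 'recipient' form field is ignored
    msg["From"] = SENDER
    msg["Reply-To"] = reply_to
    msg["Subject"] = f"Web form inquiry from {name[:60]}"
    msg.set_content(fields.get("message", ""))  # plain-text body
    return msg

if __name__ == "__main__":
    # Constructed submission: the hidden 'recipient' field has no effect.
    form = {"name": "Pat", "email": "pat@example.com",
            "message": "Hello", "recipient": "someone-else@example.net"}
    print(build_message(form, "http://example.org/contact.html"))
```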

  8. #8
    EasyCall is offline Member

    I use this NMS formmail script exclusively because at a former host, that is all they allowed us to use due to it being very secure. I like that you don't have to have your email addresses exposed to spiders and also that only my own domains can mail from it. I highly recommend it. And like Alan, I've renamed it to something unusual.
    Colleen
    http://www.easycall.net

  9. #9
    warpsite is offline Member

    Thank you to all of you who offered suggestions to this problem. I also apologize for my delay in answering your posts.

    I added some lines and code to the form page and the PHP file to include an "Are you human?" question that has to be answered in a particular way in order to get the form to generate an email to me.

    I saw this on an inquiry form at a website that I visit often and liked the format.

    So far it's completely stopped the spam inquiries from generating, and I hope that it will continue to for some time in the future.

    Something that my son brought up: could the spammers use my forms to generate spam that goes to email addresses other than my own? WHB has had to reboot our server frequently due to spam generation load. Could my forms have been significantly adding to this load because of this?

  10. #10
    Alan B is offline Super Moderator

    Quote (originally posted by warpsite):
    "could the spammers use my forms to generate spam that goes to email addresses other than my own? WHB has had to reboot our server frequently due to spam generation load. Could my forms have been significantly adding to this load because of this?"

    Yes, of course! I'm concerned that you created a form-to-mail form without understanding the security issues and you may not have followed the tips I provided. You should not create your own form-to-mail scripts; you should only use established form-to-mail scripts that are known to be safe.

  11. #11
    warpsite is offline Member

    Alan,

    I used the form generator in my cPanel on my WHB domains. I did not create my own. I did, however, add the code for the antispam radio buttons.

    I'm not sure why you would think that I created my own.

    And thank you for answering my question. I was not aware that the forms could be hijacked in that manner to do that. Actually, I'm a bit surprised that WHB provided a form generator that could create forms that were unsecure.

    Now, if I could only figure out how to keep the forms from using html formatting in the email messages that they generate. It's a bit irritating to have to pick messages out from the tags in the text. It doesn't load like html, but the tags are there all the same.

  12. #12
    Alan B is offline Super Moderator

    Quote (originally posted by warpsite):
    "I'm not sure why you would think that I created my own."

    Because you wrote:
    "It's a form-to-email form that I created using the form tool"

    It was unclear whether you used an available form-to-email script, or just used a tool to create a standard HTML form to which you added your own form-to-email script. If you don't provide detail, we can't read your mind.

  13. #13
    trulymoney_com is offline New Bee

    Any form can be spammed! The most-used prevention is applying a CAPTCHA to your form. But you should be aware that there are some parts of this world where people are eager enough to submit (spam) the form even if it's already protected by CAPTCHA. Take a look at http://www.rajakscripts.com/project/...y__data_entry/; there you can frequently find open jobs looking for people who want to do such a thing (submitting a form that is secured by CAPTCHA). The people (mostly from India & Pakistan) can perform 1000 submissions/account creations or such for just $10. Can you believe it, US$10 for 1,000 performed submissions?!

  14. #14
    warpsite is offline Member

    Quote (originally posted by Alan B):
    "Because you wrote: It was unclear whether you used an available form-to-email script, or just used a tool to create a standard HTML form to which you added your own form-to-email script. If you don't provide detail, we can't read your mind."

    Sorry about that. I assumed that it would be understood that I used WHB's cPanel form tool. My mistake.

    At least the fix is working for now. I know about the Hannah Montana concert snafu with the ticket agents getting past the CAPTCHA on the ticket form. That was one of the reasons I was hesitant about using CAPTCHA on my own forms.
