Anti Spam - Need Help
kelly23
05-15-2008, 02:27 PM
Hi,
I'm looking for a suggestion on the best form processor for dealing with spambots. I have a customer who's receiving several emails a day with phony info from the Request for Quote form that's used on their site. I think their main concern is that the form is being used to send spam to other people. Is that possible since the script has a setting that specifies who is allowed to receive mail from the script? What exactly do the spambots usually do with a form, and is it possible that the customer's company name or email is also being used?
Thanks for your help.
Kelly
ryanbutler
05-15-2008, 03:04 PM
It depends entirely on how the script processes. From reading it would seem that there is no validation on the server-side to prevent spam bots from randomly filling out the form. If you add server-side validation, it'll stop it. Regarding customer information, unless there's a way for the spam bot to retrieve that info before the form is allowed to submit, I think you'll be fine there...but again, I stress, it depends on how the script is processing.
If you can provide more info, we can probably elaborate further.
kelly23
05-15-2008, 03:24 PM
This is the NMS drop-in replacement for Matt Wright's formmail.pl, which has supposedly been rewritten with better security by programmers at sourceforge.net (actually I just noticed that I don't have the latest version so maybe I should try replacing with the latest version first and see if that solves the problem.)
Anyway, it doesn't have a captcha feature. I've read that a preview page can also be helpful, but my customer doesn't want the user to have to submit twice.
Here's a link to the index from sourceforge.net where you can look at an example of the script and its code:
http://nms-cgi.sourceforge.net/formmail_compat-3.14c1/
I don't program in Perl and my PHP programming skills aren't the greatest. I'd like to either find a good ready-made form processing script with good anti-spam features, or edit the current one if possible.
The form doesn't have any email addresses in it, so I doubt that they could get access to that, but I don't understand how any of that works.
Thanks a bunch for your help.
Kelly
kelly23
05-15-2008, 03:45 PM
I noticed that there's a variable called "$allow_empty_ref" which is set to true. (I assume that means allow empty referrer.) I read that you can set that to "1" to avoid problems with some users' firewalls.
Could that "allow empty referrer" variable being set to true be a problem?
Thanks again,
Kelly
Yelgnidroc
05-15-2008, 04:12 PM
It sounds like there's no security on the form and it could be used as a spam relay. The spam it sends out could appear to originate from your customer.
kelly23
05-15-2008, 04:19 PM
It sounds like there's no security on the form and it could be used as a spam relay. The spam it sends out could appear to originate from your customer.
Do you have any suggestions for a good form processing script? I'd like one that can be used for all forms on the site (using one script.) Is captcha worth using?
Thanks,
Kelly
Yelgnidroc
05-15-2008, 07:08 PM
I write all my own in php, so I can't recommend any others.
Captcha is easily circumnavigated by spammers.
kelly23
05-15-2008, 07:26 PM
Ok, well then can you tell me what to look for in a script (commercial or otherwise) as far as spam-fighting features . . . or what type of validation to look for in the script?
Thanks again,
Kelly
Centauri
05-15-2008, 08:37 PM
If the server supports php, then I recommend phpFormMail (http://www.tectite.com/formmailpage.php). The use of a hidden field that is named something that looks like it should be filled in (like "address") but should remain blank as checked by the script, works well against auto-filling spambots.
kelly23
05-19-2008, 11:15 AM
If the server supports php, then I recommend phpFormMail (http://www.tectite.com/formmailpage.php). The use of a hidden field that is named something that looks like it should be filled in (like "address") but should remain blank as checked by the script, works well against auto-filling spambots.
Thanks Centauri. So, it sounds like I'd have to edit the script and add some validation to make sure that the field that's supposed to be left blank is actually left blank, right? I'm assuming this is not a feature of the script that you recommended.
Kelly
Centauri
05-19-2008, 12:40 PM
Validation rules are a part of that script, and the documentation describes how to implement it. If a validation error occurs, you can specify a different email address to send notification to - I have this implemented on a couple of clients' sites to check how often they catch a spambot and to see what type of stuff they try to fill in.
kelly23
05-19-2008, 04:59 PM
Thanks a lot. So do you use the optional captcha feature?
Kelly
Compguy Pete
05-20-2008, 01:06 AM
I fought with this issue last fall... if you look for a similar post on spam bot & CSS you might find it... but here is the short answer...
Create a hidden drop down field that is unseen by the browser by making the style hidden in your css... then use a mail filter to weed out anything that might be selected in that drop down menu... make it something silly or descriptive to keep CSS disabled browsers from using that option.
Someone using a CSS disabled browser would be a blackberry user.
Compguy Pete
05-20-2008, 01:09 AM
Here is the link to the post where I was talking about it in more detail.
http://www.webdeveloper.com/forum/showthread.php?t=160151
kelly23
05-21-2008, 11:23 AM
Pete,
When you say use a mail filter, do you mean like using a "rule" in Outlook to delete messages with a certain word in them?
That doesn't sound like it would address the issue of bots using the form for spam relay, or am I misunderstanding something?
Thanks,
Kelly
ryanbutler
05-21-2008, 12:48 PM
He's referring to a rule in the script, not an Outlook rule. This shouldn't be that difficult to get going. In PHP, it's relatively simple to get a form processing script going that can be used for multiple pages.
For instance, say you have a name and comments field on an HTML page. In the opening form tag, you would post to a PHP file, say results.php, like this:
<form method="post" action="results.php">
Then in results.php, copy the design of the site into this file and then create a PHP processing script like so:
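<?php
//collect validation errors here
$message = array();
if (isset($_POST['submit'])) {
    //check to see if the name field was filled out
    if (isset($_POST['name']) && $_POST['name'] != "") {
        //do nothing
    } else {
        $message[] = "Please enter your name";
    }
    //check to see if the comments field was filled out
    if (isset($_POST['comments']) && $_POST['comments'] != "") {
        //do nothing
    } else {
        $message[] = "Please enter comments";
    }
    //check for errors
    foreach ($message as $key => $value) {
        echo "The following errors have occurred: " . $value;
    }
    if (count($message) == 0) {
        //send the mail since error handling is complete
    }
}
?>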
You would just have to change the post values to the names of your form fields.
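Added example (not part of the original thread or of any script mentioned in it): a PHP check that combines the blank hidden-field test Centauri and Compguy Pete describe with two guards against relay use, a recipient fixed in the script and rejection of line breaks in fields that end up in mail headers. The field names, `RECIPIENT` and `check_submission()` are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example; RECIPIENT, check_submission() and the field names are assumptions.
const RECIPIENT = 'quotes@example.com'; // fixed in the script, never read from the form

// Returns the reasons to reject a submission (empty array = accept).
function check_submission(array $post): array
{
    $errors = array();

    // Honeypot: "address" is hidden with CSS, so a person leaves it blank.
    if (trim($post['address'] ?? '') !== '') {
        $errors[] = 'hidden field was filled in';
    }
    // Fields copied into mail headers must not contain CR or LF; a line break
    // there would let the sender add header lines of their own.
    foreach (array('name', 'email') as $field) {
        if (preg_match('/[\r\n]/', $post[$field] ?? '')) {
            $errors[] = "line break in $field";
        }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email is not a valid address';
    }
    if (trim($post['comments'] ?? '') === '') {
        $errors[] = 'comments are empty';
    }
    return $errors;
}

// Constructed sample submissions (not real traffic).
$samples = array(
    'person' => array('name' => 'Ann Lee', 'email' => 'ann@example.org',
                      'address' => '', 'comments' => 'Please quote 200 units.'),
    'auto-fill bot' => array('name' => 'x', 'email' => 'x@example.net',
                      'address' => '1 Main St', 'comments' => 'buy now'),
    'line break in header field' => array('name' => 'x',
                      'email' => "x@example.net\r\nextra line",
                      'address' => '', 'comments' => 'buy now'),
);

foreach ($samples as $label => $post) {
    $errors = check_submission($post);
    echo $label . ': ' . ($errors
        ? 'rejected (' . implode('; ', $errors) . ')'
        : 'accepted, mail goes to ' . RECIPIENT) . "\n";
}
```

Rejected submissions can be logged or sent to a separate address, as Centauri describes, to see how often the checks catch a bot.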