
How to stop spam bots with FormMail and CSS

Most people who run their own websites have some type of online form, as forms are very useful for getting the information you require from a potential client or site visitor. Unfortunately there is little to stop spammers or spam bots from using your form too, which means you get an endless stream of information about cheap holidays, medication and porn sites that they feel you should visit, rather than the enquiries about your products and services that you hoped for.

The more popular and better ranked your site is, the more of these spammers use your contact form: if you're lucky it could be just 20-30 a day, if not it will be upwards of 100 a day. One of the major causes of so much spam coming through your online form is the form itself. Most people use a ready-made form, and why not? Why pay someone else, or spend the time writing thousands of lines of code for a script yourself, when you can download one for free? Not to mention that custom-written scripts, particularly those that will be the target of countless spammers, have to be very secure. With the free scripts available online you are assured that thousands, if not millions, of people are testing that script, so any holes are quickly discovered.

The most popular online form script is FormMail from Matt's Script Archive. Many web hosts offer this free with their hosting packages, some web designers offer it too, and it is available to download in countless locations. The reason for the huge popularity of this script (the site has a PageRank of 7/10) is that it is free, it has been around since 1995 so almost everyone in the industry has heard of it, and it is very simple to use, even for those with little or no knowledge of HTML or Perl.

What isn't generally known is that the script was written by Matt when he was about 16 and still a high school student studying Perl (the programming language the script is written in), so unfortunately the script was (and still is) full of holes. In fact, even though it is still one of the most widely used form-to-email scripts, the general consensus within the webmaster community is 'Don't Use It!'

A better and easier-to-use script was made by the nms project. It is generally regarded by the webmaster community as far more secure, but it works in a similar way, so there is no need to change all of your online forms. This is the script generally used by Horizon Web Development in their online forms, but even though it is quite secure it still isn't perfect: spammers can still get through, either by simply filling in your form by hand or by creating an automated 'robot', or spam bot, to do it for them.

This is very difficult to guard against as there is no real way of the form being able to tell a spam bot from a real person, or is there?

There is a trick to fool spam bots into filling the form out in a particular way so that they give themselves away, without annoying potential clients or asking them for extra input as a word verification test would. It is actually amazingly simple: just add an extra text field and name it something that a spam bot would most likely be programmed to fill in automatically, such as 'Surname' or 'First Name' or some other variation that you haven't used in your real form, and assign it to the class 'Surname'. Then in your stylesheet simply add the following bit of code:

.Surname {
    visibility: hidden;
}

The 'Surname' field will then be hidden from legitimate users, so they can't accidentally fill it in, but not from spam bots, which will see it as merely another field to fill in on your form and most likely just another space to insert countless porn links.

So simple and yet brilliant, except that that was as far as I managed to get. As I mentioned, our web forms use nms FormMail, but unfortunately there aren't any Perl programmers in the Horizon Web Development team. We tried and failed to guess at how to edit the FormMail script so that it would check the 'Surname' field and automatically reject any form that had it filled in; our knowledge of HTML, CSS and PHP didn't really come in handy.

Many, many hours were spent trawling the internet for a solution, but amazingly none of us was able to find one. Even though Matt's FormMail is the most widely used FormMail script, there was no solution to be found for it either. It was as if the users of these scripts had never needed to verify fields in their forms.

Then I struck gold! On this site, http://codingforums.com/showthread.php?t=113863, 'rwedge' had revealed the answer. Again it was amazingly simple: using the nms FormMail script (and I advise anyone who is using Matt's script to change to this one, as it is far easier to set up and much more secure), add this piece of code into the user customisation section:



# USER CUSTOMISATION SECTION
# --------------------------
# Place any custom code here

use CGI;

# Reject any submission in which the CSS-hidden 'Surname' trick field
# was filled in: real visitors never see it, so only bots fill it.
sub spam {
    my $q = CGI->new;
    # A missing field is treated the same as an empty one.
    my $spamcheck = $q->param('Surname') || '';
    if ($spamcheck ne '') {
        # Send the bot elsewhere and stop before the form is processed.
        print "Location: http://www.farfaraway.com\n\n";
        exit;
    }
}
spam();


'Surname' is of course the name of the trick field that you want the spam bots to fill in, and the location is where you want them to be sent after your FormMail script rejects them.
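The same honeypot check, written as an added standalone example in Python rather than as FormMail's Perl (this is not nms FormMail code): it decodes a form POST body the way the script's $q->param() sees it, rejects any submission whose hidden field carries anything, and builds the same Location redirect header. The field name, redirect URL and sample bodies are constructed for the example.

```python
"""Honeypot check for a CSS-hidden form field (added example, not FormMail code)."""
from urllib.parse import parse_qs

HONEYPOT_FIELD = "Surname"                 # name of the CSS-hidden trick field
REJECT_URL = "http://www.farfaraway.com"   # where rejected bots are redirected (placeholder)


def parse_form_body(raw_body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into {name: value}.

    Only the first value of a repeated field is kept, as $q->param('x') in
    scalar context would; blank values are kept so 'Surname=' stays present.
    """
    return {name: values[0]
            for name, values in parse_qs(raw_body, keep_blank_values=True).items()}


def is_spam_submission(fields: dict, honeypot: str = HONEYPOT_FIELD) -> bool:
    """True when the hidden field holds anything at all (the script's `ne ''` test).

    A missing field counts as empty, matching `$q->param('Surname') || ''`,
    so a form without the trick field is never rejected by mistake.
    """
    return fields.get(honeypot, "") != ""


def handle_submission(raw_body: str) -> tuple:
    """Return ('reject', cgi_headers) for a bot or ('accept', field_summary) otherwise."""
    fields = parse_form_body(raw_body)
    if is_spam_submission(fields):
        # Same response the Perl snippet prints: a Location header and a blank
        # line, which makes the web server redirect before any mail is sent.
        return "reject", "Location: %s\n\n" % REJECT_URL
    visible = sorted(name for name in fields if name != HONEYPOT_FIELD)
    return "accept", "fields=" + ",".join(visible)


# Constructed sample bodies: a visitor leaves the hidden field untouched, a bot fills everything.
HUMAN_BODY = "realname=Jane+Smith&email=jane%40example.com&Surname=&message=Hello"
BOT_BODY = "realname=x&email=x%40x.x&Surname=http%3A%2F%2Fspam.example%2F&message=buy"

if __name__ == "__main__":
    for body in (HUMAN_BODY, BOT_BODY):
        print(handle_submission(body))
```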

It was all so simple and yet amazingly effective. I felt that I had no choice but to write something about it so that anyone else searching for a solution won't have to devote hours and hours like we did to find the answer.

Since adding that field to our forms and adding the above code to our script we've not had a single spam email via the contact form. If only all other spam could be dealt with so effectively.


Great solution...thanks!

Now for a dumb question...

What's the html code for Surname?
Is it...

<input type="text" id="Surname" name="Surname" value="">

All the code that you'd need for the form would be:

<input name="Surname" type="text" class="Surname">

Then you'd need to add the following to the stylesheet:

.Surname {
visibility: hidden;
}


This will make your Surname field invisible to all but the Spam bots.

You've done a great service by making this solution known!
However, in the perl code shown:

my $spamcheck = q->param('Surname') || '';

the "greater than" character seems to be html-ized. Should be:

my $spamcheck = $q->param('Surname') || '';

Thanks for this solution!

Thanks for the comment. I wish I could take all the credit but I only came up with half the solution, I got the Perl code from this forum:

http://codingforums.com/showthread.php?t=113863

It works brilliantly though. Two months on and since using it I haven't had any spam through the online forms.

Guys

I'm just trying to implement this and noticed that in the original thread, rwedge said that "...The nms script evokes CGI.pm farther down in the script, find it and comment it out:"

Did you do this as well as implement the custom code??

Hello, yes we did comment out the section lower down (just added a # in front of the first):

# use CGI;
use POSIX qw(locale_h strftime);
use CGI::NMS::Charset;

As well as adding the custom code.

Not sure what difference it makes to be honest as we never tried it without commenting out that section. But it works perfectly with it commented out.

Thanks anonymous no.2 for pointing that out (and sorry for the late acknowledgement), missed that greater than sign when it was published to the page. Changed it now though.


It seems that the spambots are out for revenge!

We've had three spam comments today alone so unfortunately have had to enable the annoying word verification thing on comments.

On the plus side it must mean the article is useful.

Fantastic! I have been searching for this for about a year and have tried all sorts of useless captcha and other devices. This works really well. Only one thing to add; perhaps not a good idea to call your 'name' field in the hidden HTML anything like 'Surname'. If anyone is using AutoFill from the browser or a Google toolbar, it will find the field and populate it.

Thanks again, really pleased I found this.

Graham

Brilliant - nice one for pursuing a good solution to this. I'm going to use it on all my clients' sites.

I imagine the majority of mail forms must be abused by spamming and most folk will just put their hands up and put up with it.

Thanks for the comment.

I agree, many people have unfortunately gotten used to spam and just see it as part of the internet.

It was great to discover that some spam at least, can be stopped. Six months on and we haven't had any spam via our online forms.


About me

  • Horizon Web Development
  • From United Kingdom
  • This is the web log for Horizon Web Development, we will be placing information here about the company, including issues, special offers and also some general chit chat. Feel free to make any comments about the site and service and ask questions.
