Form spam

GreGorGy

One of my clients gets this kind of thing on their site, submitted via the contact form:

Code:
From: [email protected] [mailto:[email protected]] 
Sent: Saturday, June 09, 2012 7:54 AM
To: [email protected]
Subject: Website Feedback: subject unset

cash loans left the following message:

Telephone: 123456

Message: fkHJeFZo, http://quick-cashs.co.uk quick cash ,MoCWTQpwWBT,

I really don't want to do a captcha - what else is an idea? TYPE=button?
 
A few techniques I'd try...

1. Keep a blacklist with spammy terms. Upon post, if a spammy term is detected, pre-populate the form with the posted data and ask for captcha. * I know you said you're against captcha, but at least here, you're not forcing everyone to input it.

2. I guess this is also a captcha, but you could localise the question instead of using a complex, unreadable captcha service like re-captcha. This is obviously dependent on who the target users are, but you could ask questions like, "What are the last 4 letters of the company name?", "Who won the 1995 Rugby World Cup?", etc.

3. This is somewhat more complex, but based off CSRF protection/techniques. A bot doesn't usually load JavaScript or read images (unless it thinks it's a captcha image and tries to decipher it using a 3rd party service). Upon load of the contact form, you could do an AJAX GET request to a basic web service. The web service stores a token in a session and passes it back to the JS. The JS then populates a hidden form field with this token. When the form is posted, you compare the posted token to the token you have in the session. If it's a mismatch, return the user back to the form.

You may have minimal false positives with this last technique (session issues - cookies, or if it's a really slow connection, the AJAX request may not complete before the user posts). You could therefore counter this by returning the user to the pre-populated form and prompting for a captcha. This time, you ignore the CSRF check upon post and only do a captcha check.
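
The session-token check from point 3, combined with the term blacklist from point 1 and the captcha fallback, as an added example that is not code from this thread. The `session` dict stands in for a server-side session, and `issue_token`, `check_submission`, `TOKEN_TTL`, `SPAM_TERMS`, the `token` field name and the `captcha_ok` flag are hypothetical names chosen for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)
SPAM_TERMS = ("cash loans", "quick cash")  # constructed from the sample message

def issue_token(session, now=None):
    """AJAX endpoint on form load: store a token, return it for the hidden field."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = (token, time.time() if now is None else now)
    return token

def check_submission(session, form, captcha_ok=False, now=None):
    """Return 'accept', or 'captcha' to re-show the pre-populated form."""
    now = time.time() if now is None else now
    if session.pop("needs_captcha", False):
        # Fallback round: the token check is skipped, only the captcha counts.
        if captcha_ok:
            return "accept"
        session["needs_captcha"] = True
        return "captcha"
    stored = session.pop("form_token", None)  # single use: a replay finds nothing
    posted = str(form.get("token", ""))
    token_ok = (
        stored is not None
        and now - stored[1] <= TOKEN_TTL
        # Constant-time comparison on bytes, so non-ASCII input is handled too.
        and hmac.compare_digest(stored[0].encode(), posted.encode())
    )
    # Blacklist check runs over every posted field except the token itself.
    text = " ".join(str(v) for k, v in form.items() if k != "token").lower()
    spammy = any(term in text for term in SPAM_TERMS)
    if token_ok and not spammy:
        return "accept"
    session["needs_captcha"] = True
    return "captcha"
```

Because the token is popped from the session on every post, a client that never ran the JavaScript, or that replays an earlier post, always lands on the captcha path rather than being silently dropped.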
 
Have a table of fruit pictures, and tell the user to click the banana to submit.
 
If you don't want to do a captcha (which is very simple to do and will literally take you less time than it took you to read these replies and post your question), you can just tell your client to "live with it"

Have a table of fruit pictures, and tell the user to click the banana to submit.

That's a CAPTCHA aka "Completely Automated Public Turing test to tell Computers and Humans Apart"
 
Erm yes, I realize that. But it's a very unobtrusive one.
 
Unfortunately, until someone develops a new script to prevent form spamming, captchas are the only way to offer some protection, although they are not 100% effective in combatting spam.
 
I tried a captcha2 once. Completely ineffective. Now ask "what colour is a banana" and it works really well. The problem with captchas is the bot takes the captcha it's presented with, then uses that as a captcha on some other less than wholesome site, and then uses whatever that user there entered as its input.
 
Just style the captcha to fit in with your design.
If done right, captchas really fit in well with the design, and don't stick out at all.
 