Website form spam

ClintZA

So I've suddenly started getting spam from the contact form I put on the website. Outlook's junk filter sucks as it seems to not be registering the blocking of addresses from the domain specified so I put some validation using Spry on my forms but I am still getting spam that does not conform to these validation checks (eg telephone number must be 10 digits but it comes through on my email as 12345).

Does this mean that my address is already on their spam servers and they are no longer using the form to get it to me? It is still coming in the form format though (name, telephone number, email, comments).

Any suggestions as to why I'd still be getting them? If suggestions are offered I'd prefer them to not be too complex and I'd prefer to not have to use lots of scripts, unless someone is willing to talk me through step by step.

Thanks.
 
Do you have server-side validation as well as client-side (ie, spry?)

As a bot has no javascript engine, it bypasses any client-side validation (including spry).
 
One easy way to prevent spam like this is to add an extra field, named something tasty like "emailAddress" and hide it using css.

The bot also does not render css, so will just fill in the form field. On your server, you would check to see if this has a value. If it does - a bot filled in the form. If it does not, a human (probably) filled it in. Here is an example and tutorial.

Note that this is not a 100% fix, but it should stop most bots, because they are not programmed specifically for your website. Human spam factories will still get past.


Or use a captcha, but they truly suck.
 
Nope, no captcha, I considered it but was trying the easiest solutions first, of which a validation of the fields seemed easiest.

I suppose my question is why I am still getting the spam even when the telephone number provided does not match the validation criteria. When I attempt to enter details myself it will correctly tell me I need to input a valid telephone number if I enter it incorrectly.

I have read about a hidden field but it made little sense to me and I was not sure how to. Thanks, scudsucker, I'll take a peek at that tutorial for sure.
 
Do you have server-side validation as well as client-side (ie, spry?)

As a bot has no javascript engine, it bypasses any client-side validation (including spry).

Apologies for being a noob here but hopefully I'll answer this by stating that I used Dreamweaver and it did add Spry scripts which were uploaded to the server. As mentioned I did test it myself and it did not allow me to submit the form with an invalid telephone number.
 
OK.

Spry uses javascript, which, alongside the HTML, CSS and images, is downloaded into the user's browser (or client).

Javascript is executed on the client browser - so the validation is quick. The form then sends (or POSTs) the data to the server-side code - probably PHP. This code remains on the server, it is not downloaded. The server-side code is what actually creates your email and sends it.

It is a very good idea to do validation twice: once using client side javascript - which is fast and can be made to look nice (eg, make invalid fields red) and once on the server - which prevents SPAM like you are getting (and lots of other problems).

So the bots are getting past your form validation because they ignore javascript. The javascript does not get a chance to execute and validate. Data is sent to your server as the bot wants it.

As you do not have server-side validation, the data is simply taken as is, and sent to you.

The tutorial I linked to has very basic validation in that it tests for the existence of the hidden field, but you would ideally test each field to make sure an email is actually an email address, a phone number is actually a phone number etc.

You'll need to read up on server-side validation, there's plenty on the web, for example this basic tutorial:

http://phpmaster.com/form-validation-with-php/
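As an added example (not code from this thread or from the tutorials it links), this is what the server-side half looks like in PHP: a handler that checks the hidden honeypot field suggested above and re-applies the 10-digit telephone rule and the other field checks before anything is e-mailed. The form field names, the honeypot name "emailAddress" and the mail addresses are assumptions.

```php
<?php
// Added example, not the thread's or the linked tutorial's code. Field names
// and the honeypot "emailAddress" are assumptions; mail addresses are placeholders.

// Return a POST field as a trimmed string ('' if missing or not a string).
function field(array $post, string $key): string {
    return is_string($post[$key] ?? null) ? trim($post[$key]) : '';
}

// Validate the form server-side. Returns a list of errors; empty means OK.
function validate_contact(array $post): array {
    $errors = [];
    // Honeypot: the field is hidden with CSS, so a human leaves it empty.
    // A bot that ignores CSS fills in every field it sees.
    if (field($post, 'emailAddress') !== '') {
        $errors[] = 'honeypot field was filled in';
    }
    if (field($post, 'name') === '' || mb_strlen(field($post, 'name')) > 100) {
        $errors[] = 'name is required (max 100 characters)';
    }
    // Same rule the Spry check enforces in the browser: exactly 10 digits.
    $phone = preg_replace('/[\s-]/', '', field($post, 'telephone'));
    if (!preg_match('/^\d{10}$/', $phone)) {
        $errors[] = 'telephone number must be 10 digits';
    }
    // filter_var rejects anything that is not a single well-formed address,
    // including CR/LF, so the value is safe to place in a mail header.
    if (filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    if (field($post, 'comments') === '' || mb_strlen(field($post, 'comments')) > 2000) {
        $errors[] = 'comments are required (max 2000 characters)';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    if ($errors !== []) {
        http_response_code(400);                 // nothing is e-mailed
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    $body = "Name: " . field($_POST, 'name') . "\nTelephone: " . field($_POST, 'telephone')
          . "\nEmail: " . field($_POST, 'email') . "\n\n" . field($_POST, 'comments');
    mail('you@example.com', 'Website contact form', $body, 'From: webform@example.com');
}
```

Because the checks run on the server, a bot that skips the Spry javascript still cannot get a 5-digit "telephone number" past this script.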
 
Thank you!
 