Form SPAM (not "HAM") fighting tips· 4 minute read
A site that I have up called Alfa Romeo Sprint QV has recently been the target of malicious spammers and/or their robots. The messages mainly consisted of porn and poker sites.
Now the script used to generate the Your Sprints section of the site was written a long time ago when spamming forms and blogs was not a common occurrence and my site had a relative small readership and no Google rank or anything like that. So I thought I would be safe to allow these cars to be posted un-moderated to the site. I knew I could trust the Alfa owners out there to do the right thing and I did not expect anybody else to visit the site. But as we all know obscurity is no defence against spammers or script kiddies.
So the other night I spent quite a large amount of time trying to secure the forms in the site. First of all, it is now a moderated affair without anything going live until I have approved it. Although robots don’t understand this and will submit the form anyway creating a lot of spam to sort through so this is only beginning of the measures I took.
I then made it so the form had rolling names on all the input fields. Whilst it is not good for accessibility (sorry) it does make it a lot harder for a script to get hold of the from via commonly used names like email_address or name. For accessibility purposes I strongly suggest you make use of the label element of html. If you are interested in creating good forms then I highly recommend this series of articles: Accessible HTML/XHTML Forms by Ian Lloyd of the Web Standards Group.
Every time the page loads new names are generated for the inputs so you cannot take a source snapshot and use that to submit the form either. I store the field names in a session array which is deleted upon submission, but allows me to extract the data from the post array. So if you try posting something with different names the script will not access it and of course if no session is set then you will be sent back to form, which obviously regenerates the field names at the same time.
Now that may sound complex but it really boils down to this:
- Generate field name:
$_SESSION['form']['field1'] = rand(0, 9999999);you\ will\ need\ to\ make\ sure\ that\ you\ have\ some\ way\ of\ ensuring that\ the\ input\ names\ are\ unique
- Label for accessibility:
<label for=?<?=$_SESSION['form']['field1']?>?>Field 1</label>
- Apply to form:
<input name="<?=$_SESSION['form']['field1']?>" type="text" size="20" />
- After submission grab the data:
$data1 = $_POST[$_SESSION['form']['field1']];
- Sanitise the data (strip_tags etc.)
Now to help slow down people who are posting rubbish and separate them from those genuinely trying to post I added a simple mathematical problem that must be completed. The script randomly chooses two numbers between 0 and 10 which the user must correctly add together for the form data to be inserted into the database.
I should also add a note here; although I have used disabled textboxes to hold the numbers that must be added together, when the form is submitted I only use the values stored in the session to determine if they were correct. This way it stops someone from creating their own form and supplying their own numbers. If you took the values from the form then it would be very easy to circumvent the protection.
Anyway these are just some ideas I have had to help deal with the problem of form spam. Obviously you cannot use some of the protections in some forms and you have to weigh up the pros and cons of the additions. But for my little personal site becoming inundated with spam these little changes have made a big difference. So I hope you find some of the ideas useful.