Blocking Spam via Forms


Blocking Spam via Forms

Jim VH-2
I thought I might share what I came up with. This method is transparent to the user and uses a combination of techniques mentioned here on LassoTalk.

1. The first thing I do is write code that validates that each field  
was entered properly with expected data. That pretty much is SOP.

2. Next I add the following to my css sheet:

        /* Any name can be used. Avoid words like "hide" as a CSS class name; a bot may pick up on that. */
        /* This likely works best when using an external css sheet, but I have found it to work on internal sheets as well. */
        .applecore { display: none; }

and this as an input:

        <input type="text" name="e-mail" value="" class="applecore" />

The field name of "e-mail" is used to lure spam bots to fill in this  
field even though it is written to be hidden from a normal viewer.

3. Then I add the following spam trap code:

        // ---------------------------------
        // Spam Trap
        // ---------------------------------

                Var:'Spam'='N';

                If:(Action_Param:'e-mail');
                        // If the hidden field "e-mail" is filled in, then it is spam
                        // This blocks about 80% of my spam when used alone

                        Var:'Spam'='Y';

                Else:(Referrer_URL) !>> (Server_Name);
                        // If the referrer does not contain the website name, then it is spam
                        // This blocks only about 10-20% of my spam when used alone

                        Var:'Spam'='Y';

                Else:(String:(Action_Params)) >> 'Content-' ||
                        (String:(Action_Params)) >> '</a>' ||
                        (String:(Action_Params)) >> '/url';
                        // If the submitted values contain any of these strings, it is spam
                        // This blocks about 40% of my spam when used alone

                        Var:'Spam'='Y';

                /If;

4. I wrap what I do with the form result around a conditional

        If:$Spam != 'Y';
                Email_Send:....  and/or Inline:....
        /If;


If it passes all form validation, but fails spam, I still respond with  
a successful form submission while silently rejecting it. If it fails  
form validation, I still return the form errors and let them try again.

So far, this has stopped 100% of the spam in the past couple of weeks  
where I used to get 100+ a day. Using parts of this gave me less than  
100% success.

If you have other methods that remain transparent to the user, I'd love to see a post on it. I figure over time, spam bots will be sophisticated enough to get through all of these, so I'd like to add more as they become available.

---
Jim Van Heule
Heunox Corporation




--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/
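The three checks and the silent-reject policy from the post above, reimplemented in Python as an added example (this is not Jim's Lasso code and uses no Lasso tags). The referrer test is tightened from a substring match to a parsed-host comparison; the function names, the deliver callback and the example.com host are assumed for the example.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

HONEYPOT_FIELD = "e-mail"      # the CSS-hidden decoy field from the post
# Substrings that mark a submission as spam: "Content-" catches attempts to
# inject extra mail headers into the outgoing message; the other two catch
# link markup pasted into free-text fields.
SPAM_MARKERS = ("Content-", "</a>", "/url")


def referrer_matches(referrer: str, server_name: str) -> bool:
    """True when the Referer header names this site as the form's origin.

    The post uses a substring test (Referrer_URL !>> Server_Name); comparing
    the parsed host is stricter, so http://other.example/?u=example.com does
    not pass. Privacy settings and referrer policies strip the header for some
    legitimate users, so on its own this is the weakest of the three signals.
    """
    if not referrer:
        return False
    host = urlparse(referrer).hostname or ""
    return host.lower() == server_name.lower()


def is_spam(params: Dict[str, str], referrer: str,
            server_name: str) -> Tuple[bool, str]:
    """Apply the checks in the post's order; return (spam, reason for the log)."""
    # 1. Honeypot: a human never sees the hidden field, so any value means a bot.
    if params.get(HONEYPOT_FIELD, "").strip():
        return True, "honeypot"
    # 2. Referrer: the form is only ever served from this site.
    if not referrer_matches(referrer, server_name):
        return True, "referrer"
    # 3. Content markers in any submitted value.
    for name, value in params.items():
        for marker in SPAM_MARKERS:
            if marker in str(value):
                return True, "marker:%s in %s" % (marker, name)
    return False, ""


def handle_submission(params: Dict[str, str], referrer: str, server_name: str,
                      validation_errors: List[str],
                      deliver: Callable[[Dict[str, str]], None]
                      ) -> Tuple[Dict[str, object], str]:
    """Step 4 of the post: validation errors go back to the user; spam is
    dropped behind the same success response a real submission receives.
    Returns (response for the client, entry for the server log)."""
    if validation_errors:
        return {"status": "errors", "errors": validation_errors}, "validation"
    spam, reason = is_spam(params, referrer, server_name)
    if not spam:
        deliver(params)   # e.g. send the e-mail or run the inline query
    # Identical client response either way: a bot gets no signal it was filtered.
    return {"status": "ok"}, ("rejected: " + reason if spam else "delivered")
```

The reason string is only ever logged server-side; returning it to the client would tell a bot which check it tripped.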


Re: Blocking Spam via Forms

Bil Corry-3
Jim VH wrote on 8/25/2008 5:12 PM:
> If you have other methods that remains transparent to the user, I'd love
> to see a post on it. I figure over time, spam bots will be sophisticated
> enough to get through all of these so I'd like to add more as they
> become available.

Create a session on the form page, then check for it on the response page.

Create a hidden field with a blowfish encrypted timestamp, then reject any submission that took too long.

If your site requires JavaScript, use it to hide the fake field.

Check that the user-agent is something reasonable.

There's probably more...

- Bil


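An added Python example (not Bil's code or any LassoSoft tag) of the timestamped hidden field Bil describes. It signs the timestamp with an HMAC instead of encrypting it with Blowfish, since the server only needs to detect tampering, not hide the value; the SERVER_SECRET value, MAX_AGE_SECONDS and the function names are assumed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Server-side secret; constructed placeholder, load a random value from config.
SERVER_SECRET = b"example-only-secret-replace-me"
MAX_AGE_SECONDS = 60 * 60    # "too long": tune to how long a form sit can take


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def make_form_token(now: Optional[float] = None) -> str:
    """Value to put in a hidden input when the form page is rendered."""
    issued = int(time.time() if now is None else now)
    sig = base64.urlsafe_b64encode(_sign(str(issued).encode())).decode()
    return "%d.%s" % (issued, sig)


def check_form_token(token: str, now: Optional[float] = None,
                     max_age: int = MAX_AGE_SECONDS) -> Tuple[bool, str]:
    """Verify the hidden field on the response page; return (accepted, reason)."""
    try:
        ts_part, sig_part = token.split(".", 1)
        sig = base64.urlsafe_b64decode(sig_part.encode())
    except (ValueError, binascii.Error):
        return False, "malformed"
    if not ts_part.isdigit():
        return False, "malformed"
    # Constant-time compare: the signature is what stops a bot from minting
    # or back-dating its own tokens.
    if not hmac.compare_digest(sig, _sign(ts_part.encode())):
        return False, "bad-signature"
    age = (time.time() if now is None else now) - int(ts_part)
    if age < 0:
        return False, "not-yet-valid"   # clock skew between issue and check
    if age > max_age:
        return False, "expired"         # the "took too long" case
    return True, ""
```

A valid token can be resubmitted within the window, so pairing it with the session check from the same post ties it to one visitor.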


Re: Blocking Spam via Forms

Jim VH-2
Do you have any data to show how well any of these work? Generalities  
of how well they work?

> Create a session on the form page, then check for it on the response  
> page.

Easily done. We use sessions on all our sites. I'd just have to check  
to see if the session ID changed.

> Create a hidden field with a blowfish encrypted timestamp, then  
> reject any submission that took too long.

How long would be too long? Wouldn't a session timeout work just as  
well? I tend to use 30-60 minutes. Of course none of my forms take  
more than 2 minutes to fill out, though I've seen someone start to  
fill out a short form, take a call and then try to finish it 30-60  
minutes later. I'd hate to silently reject them.

> If your site requires JavaScript, use it to hide the fake field.

The site does, but I have about 3% of my users that have it turned  
off, so I make sure that the site works regardless.

> Check that the user-agent is something reasonable.

That I fear would create a fairly long conditional. Probably something  
worthy of its own tag, but also something that likely would change  
with updated browsers. I'd hate to include code that I know will cause  
false triggers over time.

---
Jim Van Heule
Heunox Corporation



On Aug 25, 2008, at 6:20 PM, Bil Corry wrote:





Re: Blocking Spam via Forms

jasonhuck
>> Check that the user-agent is something reasonable.
>
> That I fear would create a fairly long conditional. Probably something
> worthy of its own tag, but also something that likely would change with
> updated browsers. I'd hate to include code that I know will cause false
> triggers over time.

I'd probably at least verify that it's not a bot:

http://tagswap.net/lp_client_isbot

- jason



--
tagSwap.net :: Open Source Lasso Code
<http://tagSwap.net/>



Re: Blocking Spam via Forms

Jim VH-2
The sister tag for lp_client_isbot has some serious code in it!

lp_client_browser has 1,795 lines in that tag!

I had no idea that puppy was out there. Thanks Bil!

And thanks Jason for re-pointing it out.


---
Jim Van Heule
Heunox Corporation



On Aug 25, 2008, at 7:26 PM, Jason Huck wrote:





Re: Blocking Spam via Forms

Eric Landmann
Jim VH <[hidden email]> wrote on Monday, August 25, 2008:

>The sister tag for lp_client_isbot has some serious code in it!
>
>lp_client_browser has 1,795 lines in that tag!
>
>I had no idea that puppy was out there. Thanks Bil!
>
>And thanks Jason for re-pointing it out.

Yes, I can attest to it working great. We use it to deny certain aspects of our web applications that are running on demo servers that should only be of interest to "real people."

--Eric



Re: Blocking Spam via Forms

Bil Corry-3
In reply to this post by Jim VH-2
Jim VH wrote on 8/25/2008 7:12 PM:
> The sister tag for lp_client_isbot has some serious code in it!
>
> lp_client_browser has 1,795 lines in that tag!

Ha, well, it started out as two tags that parsed the user-agent header (one for bots and one for browsers; the one for bots was based on a tag originally from Fletcher).  A couple of rewrites later, they were combined into one mother of a tag :)

Despite the size, the tag itself is actually pretty speedy to use.

- Bil




Re: Blocking Spam via Forms

John Williscroft
In reply to this post by Jim VH-2
Hi
Does this definitely not catch out any browsers that auto-fill  
certain named fields, e.g., Safari? The 'real person' would have no  
idea that the field has been filled in that case, even though they  
are a valid user.

best rgds
john

On 25 Aug 2008, at 23:12, Jim VH wrote:



www.icatching.eu   t:0845 644 2884   f:0871 733 5358





Re: Blocking Spam via Forms

Jim VH-2
Good point John. I've used the CSS trick for a few months now and have not heard of a single complaint that a message didn't get through, but that doesn't guarantee that it isn't happening. I just ran through some tests of my own using auto-fill and all worked as expected. Maybe on the browser-side, it knows the difference between a hidden and non-hidden field.

---
Jim Van Heule
Heunox Corporation



On Aug 26, 2008, at 5:43 AM, John Williscroft wrote:





Re: Blocking Spam via Forms

Fletcher Sandbeck-3
On 8/26/08 at 9:35 AM, [hidden email] (Jim VH) wrote:

>Good point John. I've used the CSS trick for a few months now and have
>not heard of a single complaint that a message didn't get through, but
>that doesn't guarantee that it isn't happening. I just ran through
>some tests of my own using auto-fill and all worked as expected. Maybe
>on the browser-side, it knows the difference between a hidden and
>non-hidden field.

That would make sense since from the browser's point of view
that would be a way for you to phish for information from their
auto-fill database.  You could turn auto complete off on the form.

<form autocomplete="off" action="[response_filepath]" method="post">
...
</form>

[fletcher]

--
Fletcher Sandbeck                         [hidden email]
LassoSoft, LLC                          http://www.lassosoft.com




Re: Blocking Spam via Forms

Greg Hemphill
In reply to this post by Jim VH-2
Hi Jim,

I think this would make a good article at LassoTech.com :)

G

On Aug 25, 2008, at 6:12 PM, Jim VH wrote:





Re: Blocking Spam via Forms

Eric Landmann
In reply to this post by Jim VH-2
Jim VH <[hidden email]> wrote on Monday, August 25, 2008:

>How long would be too long? Wouldn't a session timeout work just as  
>well? I tend to use 30-60 minutes. Of course none of my forms take  
>more than 2 minutes to fill out, though I've seen someone start to  
>fill out a short form, take a call and then try to finish it 30-60  
>minutes later. I'd hate to silently reject them.

We use a logout timer system with a Javascript popup page. Something like this could be used to alert them of an impending redirect (after a **short** timeframe), and then when the time limit is up, redirect them to another page. Maybe this: <http://www.bozo.com/>?

--Eric



Re: Blocking Spam via Forms

Randy Phillips-2
In reply to this post by Jim VH-2
I've been using the css trick for months with success, but I use a
less generic name for the hidden field because of the potential
autofill issue. I also store ip addresses from each form post and use
your client_isbadcrawler ctag Jim (I think it's yours) to block ip
addresses that regularly post spam. So far I've only had to block
three addresses for an anonymous comments form for a small blog I
manage. Not sure if this would be enough of a defense for a high
traffic site but I have not seen any spam for a few months after doing
this.

On Tue, Aug 26, 2008 at 8:35 AM, Jim VH <[hidden email]> wrote:




--
Rp
