I have a simple form that writes to DB. I can't stop the form getting spammed and junk being written to DB.
I have a captcha, hidden honeypot field and I am scrubbing my data before DB insertion.
What else can I do?
Stan
Are you sure your existing code is actually preventing the data from being used if the captcha, honeypot, and data validation tests fail? What is your existing program logic?
Is your captcha using recaptcha or keycaptcha, where the same question has multiple random answers that require interaction through the browser to solve, or is it a home-brewed text/math question/answer that can easily be solved by the libraries of scripts the spammers use?
BTW - other than trimming data to detect all-white-space values, it's generally not a good idea to modify user submitted data. You would instead render it harmless in any context it gets used in, by properly escaping/encoding it.
Look at the logs ... often can help catch a clue.
pbismad;11059701 wrote:Are you sure your existing code is actually preventing the data from being used if the captcha, honeypot, and data validation tests fail? What is your existing program logic?
Is your captcha using recaptcha or keycaptcha, where the same question has multiple random answers that require interaction through the browser to solve, or is it a home-brewed text/math question/answer that can easily be solved by the libraries of scripts the spammers use?
BTW - other than trimming data to detect all-white-space values, it's generally not a good idea to modify user submitted data. You would instead render it harmless in any context it gets used in, by properly escaping/encoding it.
I am using https://www.phpcaptcha.org/
The honeypot uses client side javascript to not allow the form to be submitted if the honeypot field has a value (i.e. via a bot). It is hidden from normal users, therefore they cannot enter anything in the field.
I have since added some code on the form processing page that further checks: if the honeypot field != '', don't process data. This has seemed to stop it so far. I will keep my eye on it.
White-space trimming is all I am doing.
Thanks,
S
The honeypot uses client side javascript to not allow the form to be submitted if the honeypot field has a value (i.e. via a bot). It is hidden from normal users, therefore they cannot enter anything in the field.
This is pointless. BOTs could care less about any client-side javascript. They parse the form field information from the html and submit the data directly to the form processing code.
Checking in the server-side code that the honeypot is empty, is the whole point of doing this and the only check that makes sense.
Here is my server-side code that didn't work. Happened again last night. I tried it manually and if the "donotuse" field is populated, then the form doesn't process like it should. The bot is using some other way of submitting as it seems to be ignoring this new field. I even included the new field in my database to see if it was being written, but it is blank in the database as well.
<div style="display:none;">
<label>Keep this field blank</label>
<input type="text" name="donotuse" id="donotuse" />
</div>

<?php
// Reject the submission if the hidden field arrived with any value.
// isset() avoids an undefined-index notice when the field is absent entirely.
if (isset($_POST['donotuse']) && $_POST['donotuse'] !== '') { //That is a single quote twice
    die("No Post for You");
}
Honeypot fields only address simple bots, that blindly submit data in all the form fields they find. They don't stop more sophisticated scripts and scripts that have been set up specifically to target a form.
The distorted text captcha you are using is easily solved by Optical Character Recognition (OCR) and if the frequency of the submissions is low, they may even be due to a human, not a bot. If the data is being submitted by a bot, using either recaptcha or keycaptcha should help.
And, since you haven't shown your program logic, are you sure that a wrong captcha value stops your code from using the data?
What format does the data have for these invalid submissions? Is there something about the data, that if you were validating it, would distinguish it from a real submission?
pbismad;11059725 wrote:Honeypot fields only address simple bots, that blindly submit data in all the form fields they find. They don't stop more sophisticated scripts and scripts that have been set up specifically to target a form.
The distorted text captcha you are using is easily solved by Optical Character Recognition (OCR) and if the frequency of the submissions is low, they may even be due to a human, not a bot. If the data is being submitted by a bot, using either recaptcha or keycaptcha should help.
And, since you haven't shown your program logic, are you sure that a wrong captcha value stops your code from using the data?
What format does the data have for these invalid submissions? Is there something about the data, that if you were validating it, would distinguish it from a real submission?
And perhaps another idea ... if you want only human submissions, from real browsers, they WOULD support JavaScript. You might think of adding a form field via JavaScript that would NOT be present in the HTML at page load time, and then have your server-side code reject if this form field is NOT filled out.
Of course, some bots are sophisticated and might read JS, and Nigerian office workers use JavaScript-enabled browsers, most likely.
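Putting the thread's server-side advice together (the honeypot check that only makes sense on the server, dalecosp's JavaScript-populated field, data validation that tells junk from a real entry, and logging the rejects so the bot's behaviour can be studied), here is an added example handler. It is not code from the thread; the field name 'donotuse' is Stan's, while 'jsfilled', its expected value 'ok' and the 'email' field are assumptions for illustration.

```php
<?php
// Added example, not from the original thread.
// 'donotuse' is the honeypot from Stan's form (must stay empty).
// 'jsfilled' is a hypothetical field that page JavaScript adds after load and sets
// to 'ok'; a bot that only parses the served HTML never sends it.

function reject_reason(array $post): ?string
{
    // Honeypot: any non-empty value means something filled a field humans cannot see.
    if (isset($post['donotuse']) && trim($post['donotuse']) !== '') {
        return 'honeypot filled';
    }
    // JS-populated field: must be present and carry the value the script sets.
    if (!isset($post['jsfilled']) || $post['jsfilled'] !== 'ok') {
        return 'js field missing';
    }
    // Validation on the data itself, so junk that passes the traps still fails here.
    if (!isset($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email';
    }
    return null; // passed every check
}

function handle_submission(array $post, array $server): bool
{
    $reason = reject_reason($post);
    if ($reason !== null) {
        // Log the reject with address and user agent; this is the "look at the logs" step.
        error_log(sprintf('form rejected (%s) from %s ua=%s',
            $reason,
            $server['REMOTE_ADDR'] ?? '-',
            $server['HTTP_USER_AGENT'] ?? '-'));
        return false; // nothing is written to the DB
    }
    // Real code would insert $post into the DB here, using a prepared statement.
    return true;
}

// Constructed sample submissions, not real traffic.
$bot   = ['donotuse' => 'http://spam.example', 'email' => 'x@example.com'];
$human = ['donotuse' => '', 'jsfilled' => 'ok', 'email' => 'user@example.com'];
var_dump(handle_submission($bot,   ['REMOTE_ADDR' => '203.0.113.5']));
var_dump(handle_submission($human, ['REMOTE_ADDR' => '203.0.113.6']));
```

The rejection path returns before any DB work, which is the property pbismad keeps asking about: a failed trap must stop the data from being used, not just be noted.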
dalecosp wrote:Look at the logs ... often can help catch a clue.
pbismad;11059725 wrote:Honeypot fields only address simple bots, that blindly submit data in all the form fields they find. They don't stop more sophisticated scripts and scripts that have been set up specifically to target a form.
The distorted text captcha you are using is easily solved by Optical Character Recognition (OCR) and if the frequency of the submissions is low, they may even be due to a human, not a bot. If the data is being submitted by a bot, using either recaptcha or keycaptcha should help.
And, since you haven't shown your program logic, are you sure that a wrong captcha value stops your code from using the data?
What format does the data have for these invalid submissions? Is there something about the data, that if you were validating it, would distinguish it from a real submission?
I switched over to reCAPTCHA. We'll see what this does.
Thanks,
S
So far so good. reCAPTCHA seemed to stop it.
Thanks,
S