Combating spam sent via forms

Old 04-12-2007, 06:00 PM   #1
vrlist.info
Guest
 
Posts: n/a
Combating spam sent via forms

Hello,

I have a directory, , where people add their
vacation rental items via a form.

At the moment I register the submissions in a separate table and
manually delete the spam (about 95% of the total submissions, and it is
going up).

I do not like the captcha system.

I have an idea, and so I am registering the IPs of the sites
considered as spam in a different table (fields: IP, last-date,
times). Most of them are repeating submissions.

My idea is, for instance, to put the following rule:

- If I get a submission, check the IP; if it is in the "spam-table"
more than x times (for instance 5 times), just delete it.

Is anybody working on this?

Does anybody have a list of spammers' IPs? Or how can I work using
blacklists?

If anybody is interested in my list I can distribute it.

Regards,

Luisa
Vacation rental directory -
Old 04-12-2007, 07:06 PM   #2
asdf
Guest
 
Posts: n/a
Re: Combating spam sent via forms


"vrlist.info" <> wrote in message
news:...
> Hello,
>
> I have a directory, , where people add their
> vacation rental items via a form.
>
> At the moment I register the submissions in a separate table and
> manually delete the spam (about 95% of the total submissions, and it is
> going up).
>
> I do not like the captcha system.
>
> I have an idea, and so I am registering the IPs of the sites
> considered as spam in a different table (fields: IP, last-date,
> times). Most of them are repeating submissions.
>
> My idea is, for instance, to put the following rule:
>
> - If I get a submission, check the IP; if it is in the "spam-table"
> more than x times (for instance 5 times), just delete it.
>

[snip]

Blacklisting IP addresses is a very bad idea IMHO, unless you can
categorically state that the IP address is a permanent one. What about
dynamically assigned IP addresses? An IP address does not identify a
spammer, merely it identifies the network address that they were using at
the time.


  Reply With Quote
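The rule from the first post, with the dynamic-address objection above handled by letting entries expire, as an added PHP example that is not code from any poster. The `spam_ip` columns follow the fields named in the thread (IP, last-date, times); the 30-day expiry, the in-memory SQLite database and all function names are assumptions.

```php
<?php
const SPAM_THRESHOLD = 5;       // "x" in the proposed rule
const ENTRY_TTL = 30 * 86400;   // assumed: an entry goes stale after 30 quiet days

function open_spam_table(): PDO
{
    $db = new PDO('sqlite::memory:');   // in-memory stand-in for the real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE spam_ip (
        ip TEXT PRIMARY KEY, last_date INTEGER NOT NULL, times INTEGER NOT NULL)');
    return $db;
}

// Canonical text form, so equivalent spellings of one address share a row.
function normalize_ip(string $ip): ?string
{
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : inet_ntop(inet_pton($ip));
}

// Called when a submission from $ip has been judged to be spam.
function record_spam(PDO $db, string $ip, int $now): void
{
    if (($ip = normalize_ip($ip)) === null) {
        return;
    }
    $sel = $db->prepare('SELECT last_date, times FROM spam_ip WHERE ip = ?');
    $sel->execute([$ip]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    // A stale entry restarts at 1: the address may have been reassigned since.
    $times = ($row && $now - $row['last_date'] <= ENTRY_TTL) ? $row['times'] + 1 : 1;
    $db->prepare('REPLACE INTO spam_ip (ip, last_date, times) VALUES (?, ?, ?)')
       ->execute([$ip, $now, $times]);
}

// The proposed rule, applied only while the entry is fresh.
function is_blocked(PDO $db, string $ip, int $now): bool
{
    if (($ip = normalize_ip($ip)) === null) {
        return true;   // not a valid address: refuse
    }
    $sel = $db->prepare(
        'SELECT 1 FROM spam_ip WHERE ip = ? AND times > ? AND last_date >= ?');
    $sel->execute([$ip, SPAM_THRESHOLD, $now - ENTRY_TTL]);
    return $sel->fetchColumn() !== false;
}

// Constructed demo: 203.0.113.7 and 198.51.100.9 are documentation addresses.
$db = open_spam_table();
$t0 = 1196769600;   // constructed timestamp
for ($i = 0; $i < 6; $i++) {
    record_spam($db, '203.0.113.7', $t0 + $i * 60);
}
var_dump(is_blocked($db, '203.0.113.7', $t0 + 3600));        // listed 6 times, fresh
var_dump(is_blocked($db, '203.0.113.7', $t0 + 40 * 86400));  // same entry, 40 days later
var_dump(is_blocked($db, '198.51.100.9', $t0 + 3600));       // never listed
```

In a real handler the address passed in should be the connection's `$_SERVER['REMOTE_ADDR']`, not a client-supplied header.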
Old 04-12-2007, 08:19 PM   #3
C.
Guest
 
Posts: n/a
Re: Combating spam sent via forms

On 4 Dec, 12:25, "vrlist.info" <> wrote:
> Hello,
>
> I have a directory,, where people add their
> vacation rental items via a form.
>
> At the moment I register the submissions in a separate table and
> manually delete the spam (about 95% of the total submissions, and it is
> going up).
>
> I do not like the captcha system.


Is it Turing tests in general you don't like? Use a different one.

>
> I have an idea, and so I am registering the IPs of the sites
> considered as spam in a different table (fields: IP, last-date,
> times). Most of them are repeating submissions.
>


It would take almost as long to write the code for this as to write
this post. If it solves your problem then fine - but it's not valid as
a generic solution.

I'd suggest requiring a validated email address for all posters and
mediating the content via email with SpamAssassin and let it do the
hard work.

C.
Old 05-12-2007, 03:52 PM   #4
Andrew Bailey
Guest
 
Posts: n/a
Re: Combating spam sent via forms


"C." <> wrote in message
news:...
> On 4 Dec, 12:25, "vrlist.info" <> wrote:
>> Hello,
>>
>> I have a directory,, where people add their
>> vacation rental items via a form.
>>
>> At the moment I register the submissions in a separate table and
>> manually delete the spam (about 95% of the total submissions, and it is
>> going up).
>>
>> I do not like the captcha system.

>
> Is it Turing tests in general you don't like? Use a different one.
>
>>
>> I have an idea, and so I am registering the IPs of the sites
>> considered as spam in a different table (fields: IP, last-date,
>> times). Most of them are repeating submissions.
>>

>
> It would take almost as long to write the code for this as to write
> this post. If it solves your problem then fine - but it's not valid as
> a generic solution.
>
> I'd suggest requiring a validated email address for all posters and
> mediating the content via email with SpamAssassin and let it do the
> hard work.
>
> C.


Hi Colin,

I had a similar problem with automated spam registrations on my phpBB2
forum. It seems that spam robots hunt the web looking for forms to fill in,
more specifically they look for the following structure...

<form>
<input>
<input.... etc>
<submit>
</form>

.... fill in the text inputs with their spam and then submit the form. I
discovered that if you break the structure flow of a form then the form
doesn't work so for example, if I were to remove the <input
type="submit"....> part then the whole form fails and the spam robots can't
use it.

So the next thought was if I could devise a test to separate a human from a
robot I could then replace the missing part of the form and it would work.
What I came up with is a confirmation button that the user has to click and
HOLD for a random amount of time between 1 and 10 seconds and be able to
RELEASE within one second of being told to do so.


Here's the gist of my code...

<html>
<head>

<script type="text/javascript" language="JavaScript">
<!-- DISABLE THE SUBMIT BUTTON
// robotusr: 1 = button held (too early), 0 = release window open, 2 = window closed (too late)
var robotusr = 1;
var t; // timer that announces the release moment
function human(){
robotusr = 1;
// hold time: random, between 1 and 10 seconds
var rnd = 1000 + Math.random()*9000;
document.getElementById('confirminfo').innerHTML=' <b>KEEP HOLDING THE MOUSE BUTTON DOWN...</b>';
t=setTimeout(function(){
document.getElementById('confirminfo').innerHTML='<b>RELEASE THE MOUSE BUTTON NOW !!!</b>';
opendoor();
}, rnd);
}
function opendoor(){
robotusr = 0;
// the release must come within one second
setTimeout(closedoor, 1000);
}
function closedoor(){
robotusr = 2;
}
// runs on mouse release and decides whether the submit button is put back
function robot(){
if (robotusr==1){
document.getElementById('submitspan1').innerHTML=' FAILED';
clearTimeout(t);
document.getElementById('confirminfo').innerHTML=' <b>YOU RELEASED THE MOUSE BUTTON TOO EARLY, PLEASE TRY AGAIN...</b>';
} else if (robotusr==2) {
document.getElementById('submitspan1').innerHTML=' FAILED';
document.getElementById('confirminfo').innerHTML=' <b>YOU RELEASED THE MOUSE BUTTON TOO LATE, PLEASE TRY AGAIN...</b>';
} else {
document.getElementById('submitspan1').innerHTML=' <input type="submit" name="submit" value="{L_SUBMIT}" class="inputbuttonbold150" title="Click here to SUBMIT your PROFILE" hidefocus>';
document.getElementById('confirminfo').innerHTML=' <b>THANK YOU, PLEASE CLICK THE SUBMIT BUTTON</b>';
}
}
// - End of JavaScript - -->
</script>

</head>
<body>

<form>

<input type="text">
<input type="text">
<input type="text">

<!-- CONFIRM BUTTON -->
<table cellspacing="0" cellpadding="0" width="100%">
<tr>
<td width="170" align="left" valign="middle"><b>Confirmation</b></td>
<td width="*" align="left" valign="middle"><div class="small"><span
id="confirminfo">Due to the increasing number of automated registrations you
are required to <b>CLICK AND HOLD</b> the button on the right to confirm
your details are correct</span></div></td>
<td width="20">&nbsp;</td>
<td width="150" height="21" align="center" valign="middle"
class="inputbutton150" title="Click and HOLD this button to confirm">
<input type="button" onmousedown="human()" onmouseup="robot()" hidefocus
value="CONFIRM" class="inputbuttonnormal150">
</td>
</tr>
</table>

<!-- SUBMIT BUTTON -->

<table cellspacing="0" cellpadding="0" width="100%">
<tr>
<td width="170" align="left" valign="middle"><b>Submit</b></td>
<td width="*" align="left" valign="middle">&nbsp;</td>
<td width="20">&nbsp;</td>
<td width="150" height="21" align="center" valign="middle"
class="inputbutton150" title="Click here to SUBMIT your PROFILE">
<span id="submitspan1" class="numbers" style="letter-spacing: 2" title="You
must CONFIRM to activate this button" hidefocus><s>Submit</s></span>
</td>
</tr>
</table>

</form>
</body>
</html>

So far this method has stopped 100% of automated spam registrations for me.

Hope this helps.


Andy

Old 05-12-2007, 07:02 PM   #5
vrlist.info
Guest
 
Posts: n/a
Re: Combating spam sent via forms

Hi Colin,

On 4 dic, 15:13, "C." <> wrote:

> > I do not like the captcha system.

>
> Is it Turing tests in general you don't like? Use a different one.


I do not like it because there are quite a lot of people having
problems with it.

> > I have an idea, and so I am registering the IPs of the sites
> > considered as spam in a different table (fields: IP, last-date,
> > times). Most of them are repeating submissions.

>
> It would take almost as long to write the code for this as to write
> this post. If it solves your problem then fine - but it's not valid as
> a generic solution.


Maybe it is a problem of skill; it takes me much more time. And,
yes, you are right, maybe it is not a generic solution.

> I'd suggest requiring a validated email address for all posters and
> mediating the content via email with SpamAssassin and let it do the
> hard work.


I send an email to all the posters. The spam via email is not a real
problem (spam blocked on the email server); my problem is at the
database. Validating the email would save some of them, but usually
they put a generic syntactically valid email.

Thank you for your answer.

Luisa

Old 05-12-2007, 07:02 PM   #6
vrlist.info
Guest
 
Posts: n/a
Re: Combating spam sent via forms

Hi Andy,

I am going to try it. Thank you for your answer.

Regards,

Luisa


Old 05-12-2007, 07:03 PM   #7
vrlist.info
Guest
 
Posts: n/a
Re: Combating spam sent via forms

On 4 dic, 14:01, "asdf" <> wrote:
> "vrlist.info" <> wrote in message
>
> news:...
>
> > Hello,

>
> > I have a directory,, where people add their
> > vacation rental items via a form.

>
> > At the moment I register the submissions in a separate table and
> > manually delete the spam (about 95% of the total submissions, and it is
> > going up).

>
> > I do not like the captcha system.

>
> > I have an idea, and so I am registering the IPs of the sites
> > considered as spam in a different table (fields: IP, last-date,
> > times). Most of them are repeating submissions.

>
> > My idea is, for instance, to put the following rule:

>
> > - If I get a submission, check the IP; if it is in the "spam-table"
> > more than x times (for instance 5 times), just delete it.

>
> [snip]
>
> Blacklisting IP addresses is a very bad idea IMHO, unless you can
> categorically state that the IP address is a permanent one. What about
> dynamically assigned IP addresses? An IP address does not identify a
> spammer, merely it identifies the network address that they were using at
> the time.


Yes, I know that it is a problematic technique. Anyway, at least at this
moment, the most common IPs (top ten) account for about 75% of the
total spam.
Old 05-12-2007, 07:03 PM   #8
C.
Guest
 
Posts: n/a
Re: Combating spam sent via forms

On 5 Dec, 12:41, "vrlist.info" <> wrote:
> Hi Colin,

<snip>
>
> I send an email to all the posters. The spam via email is not a real
> problem (spam blocked on the email server); my problem is at the
> database. Validating the email would save some of them, but usually
> they put a generic syntactically valid email.
>


It's not enough to just regex the email to check it is valid, or even
do a DNS lookup on the domain - you should hold all submissions from
unconfirmed email addresses in a quarantine area and email a URL on
your server to the address - the URL should release the
corresponding post and flag the email address as confirmed.

C.
  Reply With Quote
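The quarantine-and-confirm flow described in the post above, as an added PHP example that is not code from the thread. The table layout, the two-day link lifetime, the `example.invalid` URL and all function names are assumptions.

```php
<?php
const TOKEN_TTL = 2 * 86400;   // assumed: confirmation links expire after two days

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');   // in-memory stand-in for the real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE confirmed_email (email TEXT PRIMARY KEY)');
    $db->exec('CREATE TABLE submission (id INTEGER PRIMARY KEY, email TEXT, body TEXT,
        status TEXT NOT NULL, token_hash TEXT, created INTEGER NOT NULL)');
    return $db;
}

// Returns the URL to e-mail, or null when the address is already confirmed.
function submit(PDO $db, string $email, string $body, int $now): ?string
{
    $email = strtolower(trim($email));
    $known = $db->prepare('SELECT 1 FROM confirmed_email WHERE email = ?');
    $known->execute([$email]);
    $ins = $db->prepare('INSERT INTO submission (email, body, status, token_hash, created)
                         VALUES (?, ?, ?, ?, ?)');
    if ($known->fetchColumn() !== false) {
        $ins->execute([$email, $body, 'published', null, $now]);
        return null;
    }
    $token = bin2hex(random_bytes(16));   // unguessable, one per submission
    // Only the hash is stored, so reading the table does not yield working links.
    $ins->execute([$email, $body, 'quarantined', hash('sha256', $token), $now]);
    return 'https://example.invalid/confirm.php?id=' . $db->lastInsertId() . '&t=' . $token;
}

// Handler behind the e-mailed URL: releases that post and flags the address.
function confirm(PDO $db, int $id, string $token, int $now): bool
{
    $sel = $db->prepare("SELECT email, token_hash, created FROM submission
                         WHERE id = ? AND status = 'quarantined'");
    $sel->execute([$id]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if (!$row || $now - $row['created'] > TOKEN_TTL
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare("UPDATE submission SET status = 'published', token_hash = NULL WHERE id = ?")
       ->execute([$id]);
    $db->prepare('INSERT OR IGNORE INTO confirmed_email (email) VALUES (?)')
       ->execute([$row['email']]);
    return true;
}

// Constructed demo data.
$db  = open_db();
$url = submit($db, 'owner@example.com', 'Villa with sea view', 1196769600);
parse_str(parse_url($url, PHP_URL_QUERY), $q);
var_dump(confirm($db, (int) $q['id'], 'wrong-token', 1196769700),
         confirm($db, (int) $q['id'], $q['t'], 1196769700));
```

Quarantined rows that are never confirmed can be purged once they are older than `TOKEN_TTL`, which keeps the spam out of the live tables without manual deletion.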
Old 07-12-2007, 04:53 PM   #9
Ian Hobson
Guest
 
Posts: n/a
Re: Combating spam sent via forms

vrlist.info wrote:
> Hi Andy,
>
> I am going to try it. Thank you for your answer.
>

Hi vrlist,

Consider your users! Press-and-hold is a very unusual and unexpected
thing to do on the web. You will confuse your visitors.

Any user with a physical impairment or on an unfamiliar laptop with one
of those infernal nipple arrangements, or those with poor English
skills, will have difficulty with press-and-hold.

Besides, it is not necessary - any form that can *only* be submitted via
JavaScript will stop (most? All?) spam bots.

Or you could filter it out on the server, with validation. Could you ask
for an email address and check it exists on a database of registered
users whose emails have been confirmed?

Regards

Ian