Question

I have a simple form that users use to register their email address for a newsletter.

I want to prevent spammers submitting 000's of fake emails. What's the best way to do this?

I thought about limiting the number of inputs from each IP address to, say, 60 per hour, but then thought anyone determined will simply spoof their IP as part of the attack.

Any ideas?

EDIT: I am looking for a server-side solution. In this situation, UX is important, so I don't want to use a captcha or ask the user to validate with a token.

Solution 3

You could do something like this:

function validEmail($email){
    // Syntax check first, then confirm the domain can actually receive mail (has an MX record)
    if (filter_var($email, FILTER_VALIDATE_EMAIL)){
        list($user, $domain) = explode('@', $email);
        return checkdnsrr($domain, 'MX');
    }
    return false;
}

It may not pick up every fake email, but I always validate their email by sending them a validation email with a link.

EDIT:

As for spam on a form, use CSRF; that should prevent most spam (at least in my experience).

Other tips

You could use a negative captcha. The idea is to have a field in the form that is not visible to humans but that bots would enter values in. On the server side you can ignore requests that have a value in the negative captcha field.

The advantage is that normal users do not see any extra steps like entering captcha words or validating the email. The con is that the method works only as long as people do not customize bots specifically for your site.

Example of a negative captcha. Include this in your form.

<div style="position: absolute; left:-2000px;"><input type="text" name="email_name" value="" /></div>

On the server side do something like

if params[:email_name] != ""
  # bot: the hidden honeypot field was filled in, so drop the request
else
  # not a bot: process the submission
end

I found a great technique somewhere on the interwebs. I enhanced it, and it is now available (open source) at www.formspammertrap.com.

It uses some javascript to replace the form action, and requires actual 'clickage' of a live user.

No captchas, hidden fields, etc.; those might work temporarily, but usually don't work long-term.

It is free, and it works great on any site I put it on. PHP-based, but will also work in WordPress (not a plugin).

When a user types their email address into the bar, run a script that sends them an email to the address specified that contains a link; when they click the link, it will activate that email address for newsletters.

You could use captcha - which is broken and annoying to users.

What I use is a simple question (how many legs does a dog have) and then use the input of <input type='text' name='email2' value=''>. I then do the necessary checks on the server side of things. But one thing I do not do is notify the person that something was wrong, i.e., an invalid number entered in the email2 textbox.

Anyway, just a thought.

A common approach is to add another text field to the form section. In your stylesheet (not the style tag!), you set its CSS property to display:none, since most spambots fill out every available input element but don't load external .css files. When your script gets the request, you check this hidden text field – if it's blank, you have good chances that this wasn't spam.
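Pulling the answers above together (the MX check from Solution 3, the hidden honeypot field, and the per-IP limit the question proposes), here is an added Python example that is not code from the thread; the MX lookup is a constructed stub table standing in for a real DNS query, and the form values and IP address are made up.

```python
import re
import time
from collections import defaultdict, deque

# Constructed stand-in for a real MX lookup (e.g. PHP's checkdnsrr); inject a
# real DNS resolver via the `lookup` parameter in production.
MX_TABLE = {"example.com": True, "nomx.invalid": False}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # cheap syntax pre-check


def has_mx(domain, lookup=MX_TABLE.get):
    """True when the domain publishes an MX record according to `lookup`."""
    return bool(lookup(domain.lower()))


class RateLimiter:
    """Sliding window: at most `limit` submissions per `window` seconds per key."""

    def __init__(self, limit=60, window=3600):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # key -> timestamps of counted attempts

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_submission(form, client_ip, limiter, now=None, mx_lookup=MX_TABLE.get):
    """Return (accepted, reason). Only 'ok' submissions get the confirmation mail."""
    # Honeypot: the hidden 'email_name' input must come back empty. Reject
    # silently so the bot learns nothing from the response.
    if form.get("email_name", "") != "":
        return False, "honeypot filled"
    # Rate-limit before any DNS work so a flood cannot make us do lookups.
    if not limiter.allow(client_ip, now):
        return False, "rate limited"
    email = form.get("email", "").strip()
    if not EMAIL_RE.match(email):
        return False, "bad syntax"
    if not has_mx(email.rsplit("@", 1)[1], mx_lookup):
        return False, "no MX record"
    return True, "ok"
```

Rejected submissions should get the same neutral response as accepted ones, as the answers above suggest; the confirmation-link mail remains the final check.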

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow