Question

I've been doing a lot of research about spam-prevention methods; I do not want to resort to using a CAPTCHA.

The form typically sends an email to the user and the webmaster with the contents of the form.

The first thing I've done is to remove the contents of the form in the email sent to the user and simply have a confirmation message.

I have added a row for the person's 'title' and hidden the row using CSS; if the field is filled in, the submission completes without sending any emails.

I'd like to add a couple of other techniques:

  • Check the time to complete submission - do not send emails if under 5 seconds.
  • Pass through a unique ID - do not send emails if no match.

The problem is that website pages are cached, so directly setting a session variable is useless. I'm considering using Ajax to hit a CFC and set the variable, but it would require JavaScript.

Should I restrict submissions to only those with JavaScript enabled? Or are there any alternative suggestions?

Thanks


Solution

Daniel,

I have a similar spam-detection approach that has been in place since last year. I can share what I have seen.

Session-based tests: Checking the time it takes someone to fill out the form and checking that the user comes from the right page have been very reliable checks, though somewhat fraught with difficulty. In your case, forcing users to have modern, JavaScript-enabled browsers might be your best option. And it seems like it's becoming a more accepted practice, I guess, right? I don't really know.

Content based tests: Another two fairly helpful practices are to check that form fields contain different values and that no more than a specified number of URLs have been entered. Spammers almost always seem to stick the same trash URL into every field. However, these checks aren't nearly as good as session-based checks.

Our spam-detection heuristic has a few other checks, in addition to the ones above:

  • Basic regex injection tests - bare-bones, but I can share if you are interested
  • Spam Content - pretty useless - a simple library constructed mostly by hand
  • Banned IP Address - also pretty useless.

Some numbers from our heuristic over the last year or so. Total failed tests = 83,356:

  • Failed Injection Test = 54 (0 failed this test and no other tests)
  • Failed Too Many URLs In Input Test = 18,935 (2396)
  • Failed Spam Content Test = 3673 (46)
  • Failed Hidden Field Tampering Test = 60,295 (1479)
  • Failed Dubious Time Elapse Test = 64,430 (17,126)
  • Failed Invalid Session Test = 28,706 (140)
  • Failed Fields Contain Same Values Test = 167 (49)
  • Failed Banned IP Address (not implemented) = 0 (0)

I don't want to post too many details about exactly what our criteria are, but if you are interested I'd be happy to share code.

-Ben
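As an added example (not Ben's ColdFusion code, nor Daniel's form handler), here is a Python sketch of the server-side checks discussed in the question and the answer: the CSS-hidden 'title' honeypot, a signed token standing in for a session variable, the 5-second elapsed-time test, the too-many-URLs test and the same-values test. The secret, the URL threshold and the sample submissions are assumptions made for the demo.

```python
import hmac, hashlib, re
from collections import Counter

SECRET = b"constructed-demo-secret"  # assumption: per-site secret loaded from config in practice
MIN_SECONDS = 5                       # from the question: reject if submitted in under 5 seconds
MAX_URLS = 2                          # assumed threshold for the "too many URLs" test
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

def issue_token(issued_at: int) -> str:
    """Signed token embedded in the form as '<timestamp>.<hmac>'. It is stateless, so no
    session is needed, but it must be generated per request (e.g. by the uncached Ajax
    call the question mentions); a cached page would hand every visitor the same stale token."""
    ts = str(issued_at).encode()
    return f"{issued_at}." + hmac.new(SECRET, ts, hashlib.sha256).hexdigest()

def check_submission(fields: dict, token: str, now: int) -> list:
    """Return the names of the failed tests; an empty list means send the emails."""
    failures = []
    # Hidden field tampering: the CSS-hidden 'title' honeypot must stay empty
    if fields.get("title", "").strip():
        failures.append("hidden_field_tampering")
    # Invalid session: the token's HMAC must verify before its timestamp is trusted
    ts_str, _, mac = token.partition(".")
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not (ts_str.isdigit() and hmac.compare_digest(mac, expected)):
        failures.append("invalid_session")
    elif now - int(ts_str) < MIN_SECONDS:   # Dubious time elapse
        failures.append("dubious_time_elapse")
    visible = {k: v for k, v in fields.items() if k != "title"}
    # Too many URLs across all visible fields
    if sum(len(URL_RE.findall(v)) for v in visible.values()) > MAX_URLS:
        failures.append("too_many_urls")
    # Fields contain same values: the same non-trivial text pasted into several fields
    counts = Counter(v.strip().lower() for v in visible.values() if len(v.strip()) > 3)
    if any(n > 1 for n in counts.values()):
        failures.append("fields_same_values")
    return failures

# Constructed sample submissions (not taken from the page)
GOOD = {"name": "Daniel", "email": "daniel@example.com", "message": "Hello", "title": ""}
SPAM = {"name": "http://spam.example", "email": "http://spam.example",
        "message": "http://spam.example", "title": "x"}

def demo():
    token = issue_token(1000)  # form rendered at t=1000, both submitted 10 s later
    return check_submission(GOOD, token, 1010), check_submission(SPAM, token, 1010)
```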

OTHER TIPS

I suggest you take a look at http://cfformprotect.riaforge.org/ as it works well for me.

Licensed under: CC-BY-SA with attribution