25 Replies Latest reply on Nov 20, 2008 12:18 PM by Newsgroup_User

    anti spam

    Level 7
      Is it possible to have a hidden field that a spambot would fill in but a
      legitimate user wouldn't see? Then if the field is filled in the form
      would be reset or the asp code simply wouldn't send the email.
        • 1. Re: anti spam
          Level 7
          > Is it possible to have a hidden field that a spambot would fill in but a
          > legitimate user wouldn't see?

          Sure. Hide it with CSS. I do this ALL THE TIME, and it's quite effective.

          Search this forum for "honeypot" to get some good descriptive answers.

          --
          Murray --- ICQ 71997575
          Adobe Community Expert
          (If you *MUST* email me, don't LAUGH when you do so!)
          ==================
          http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
          http://www.dwfaq.com - DW FAQs, Tutorials & Resources
          ==================


          "Harvey Waxman" <hnwaxman@gmail.com> wrote in message
          news:hnwaxman-6AB7E9.10282419112008@forums.macromedia.com...
          > Is it possible to have a hidden field that a spambot would fill in but a
          > legitimate user wouldn't see? Then if the field is filled in the form
          > would be reset or the asp code simply wouldn't send the email.

          • 2. Re: anti spam
            Level 7
            Wouldn't this method fail when there is an actual person that is being paid
            to spam the form?


            • 3. Re: anti spam
              bregent Most Valuable Participant
              Google honeypot. That's exactly how that works.
              • 4. Re: anti spam
                Level 7
                Actually Google is misleading when searching for that term. You get sent to
                honeypot.org, which is not quite what you would be looking for.

                --
                Murray --- ICQ 71997575
                Adobe Community Expert
                (If you *MUST* email me, don't LAUGH when you do so!)
                ==================
                http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                ==================


                "bregent" <webforumsuser@macromedia.com> wrote in message
                news:gg1d0n$38n$1@forums.macromedia.com...
                > Google honeypot. That's exactly how that works.

                • 5. Re: anti spam
                  Level 7
                  If the person can read HTML and CSS, then yes, it would fail. However, I
                  have never seen it fail yet, so I guess that scenario doesn't obtain very
                  often.

                  --
                  Murray --- ICQ 71997575
                  Adobe Community Expert
                  (If you *MUST* email me, don't LAUGH when you do so!)
                  ==================
                  http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                  http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                  ==================


                  "Matt" <matt@notmail.com> wrote in message
                  news:gg1c8v$2ch$1@forums.macromedia.com...
                  > Wouldn't this method fail when there is an actual person that is being
                  > paid to spam the form?
                  >

                  • 6. Re: anti spam
                    bregent Most Valuable Participant
                    >Wouldn't this method fail when there is an actual person that is being paid to spam the form?

                    Every method will fail under those circumstances, right?
                    • 7. Re: anti spam
                      Level 7
                      In article <gg1br4$1ms$1@forums.macromedia.com>,
                      "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:

                      > Search this forum for "honeypot" to get some good descriptive answers.

                      I did a search on subject, summary and keywords and came up empty.
                      • 8. Re: anti spam
                        Level 7
                        I didn't mean that they were looking into the page's code, I meant that they
                        were paid to fill out forms on web pages, a practice described in the second
                        paragraph below.

                        "A quick point to remember is that there are two types of people who target
                        your forms. The first is a specially written search robot which just
                        scans the web looking for PHP contact forms with vulnerabilities, which they
                        can use to send out the mass emails.

                        The second is the single form spammer who is paid (believe it or not!) to
                        search the web for contact forms to copy and paste preset emails which
                        will make use of your form's mail() function and send out mass emails. These
                        emails look like they have come from your contact form, which is not very
                        nice, especially when you get contacted by many of the recipients asking why
                        you have sent them emails!"

                        (excerpted from http://www.stevedawson.com/article0015.php )


                        • 9. Re: anti spam
                          Level 7
                          http://tinyurl.com/6plop6


                          --
                          Murray --- ICQ 71997575
                          Adobe Community Expert
                          (If you *MUST* email me, don't LAUGH when you do so!)
                          ==================
                          http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                          http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                          ==================


                          "Harvey Waxman" <hnwaxman@gmail.com> wrote in message
                          news:hnwaxman-40B79D.16465819112008@forums.macromedia.com...
                          > In article <gg1br4$1ms$1@forums.macromedia.com>,
                          > "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:
                          >
                          >> Search this forum for "honeypot" to get some good descriptive answers.
                          >
                          > I did a search on subject, summary and keywords and came up empty.

                          • 10. Re: anti spam
                            Level 7
                            Yes, it will fail in that instance as will any spam prevention method.

                            --
                            Murray --- ICQ 71997575
                            Adobe Community Expert
                            (If you *MUST* email me, don't LAUGH when you do so!)
                            ==================
                            http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                            http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                            ==================


                            "Matt" <matt@notmail.com> wrote in message
                            news:gg22a8$1qe$1@forums.macromedia.com...
                            >I didn't mean that they were looking into the page's code, I meant that
                            >they were paid to fill out forms on web pages, a practice described in the
                            >second paragraph below.
                            >
                            > "A quick point to remember is that there are two types of people who
                            > target your forms. The first in being a specially written search robot
                            > which just scans the web looking for PHP contact forms with
                            > vulnerabilities, which they can use to send out the mass emails.
                            >
                            > The second is the single form spammer who are paid (believe it or not!) to
                            > search the web for contact forms to copy and paste a preset emails which
                            > will make use of your forms mail() function and send out mass emails.
                            > These emails look like they have come form your contact form, which is not
                            > very nice, especially when you get contacted many of the recipients asking
                            > why you have sent them emails!"
                            >
                            > (excerpted from http://www.stevedawson.com/article0015.php )
                            >
                            >

                            • 11. Re: anti spam
                              Level 7
                              > Every method will fail under those circumstances, right?

                              They are more difficult to stop. My first form spam results had been filled
                              with nonsense text and then a spam url in the comment section. I started
                              using scripts to verify that email addresses (and other required fields)
                              contained legitimate syntax.

                              Then real people started following the corrective prompts to get their form
                              spam successfully submitted. When those came in I noticed fields that had
                              duplicate data in them (they were pasting nonsense data into more than one
                              field), so I had the page check for dupe field results (where no dupes
                              should be).

                              At some point in all of this, I realized that the protective measures would
                              fail if the spammers knew that their submissions were getting stopped (I
                              think I used to redirect the form to reload whenever it failed the spam
                              checks), so I set up the form results page to give a success message to the
                              spammers, even though the results never got mailed to our server. Valid form
                              results arrive to us as an email, and are not posted in a forum (which
                              ironically is their goal in all of this). If these forms were for a web
                              comment page, then I would probably have to look into alternate methods to
                              fool the human form spammers, but as it is the spam is down low enough to
                              not bother.


                              • 12. Re: anti spam
                                Level 7
                                Wikipedia has a good overview of the different types of spam blog prevention
                                methods and their pros and cons: http://en.wikipedia.org/wiki/Spam_in_blogs
                                .


                                • 13. Re: anti spam
                                  Level 7
                                  Honeypot is not covered there and is the best method I have yet found.

                                  --
                                  Murray --- ICQ 71997575
                                  Adobe Community Expert
                                  (If you *MUST* email me, don't LAUGH when you do so!)
                                  ==================
                                  http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                                  http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                                  ==================


                                  "Matt" <matt@notmail.com> wrote in message
                                  news:gg24iu$4qi$1@forums.macromedia.com...
                                  > Wikipedia has a good overview of the different types of spam blog
                                  > prevention methods and their pros and cons:
                                  > http://en.wikipedia.org/wiki/Spam_in_blogs .
                                  >

                                  • 14. Re: anti spam
                                    Level 7
                                    Thanks

                                    I found this using tinyurl:
                                    ================================================
                                    On my site, I have added two fields to my form -

                                    1. <input type="text" name="address2" id="address2" class="special" value="">
                                    2. <textarea name="moreInfo" id="moreInfo" class="special">More Info</textarea>

                                    Both of these fields have been hidden BY CSS, e.g.,

                                    .special { display:none; }

                                    This way, a real visitor would not see these fields.

                                    Then when I process the results of the form, if "address2" is not blank,
                                    or if "moreInfo" is not "More Info", I discard the form, assuming that
                                    the only entity that will see these fields is a javascript bot.
                                    ================================================
                                    Just what is the syntax for the CSS ".special { display:none; }" and
                                    where does it go?

                                    How do you discard the form? What do the IF statements look like? Is
                                    there some sort of "THEN" statement after?

                                    Sorry to be so uninformed.


                                    In article <gg22am$1qh$1@forums.macromedia.com>,
                                    "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:

                                    > http://tinyurl.com/6plop6
                                    • 15. Re: anti spam
                                      Level 7
                                      > Just what is the syntax for the CSS ".special { display:none; }"

                                      Uhh - it's '.special { display:none; }' - that would go in your stylesheet.

                                      > How do you discard the form?

                                      In the form processing script - the first thing you do is to test for these
                                      fields (I'll show just one - assume that it must contain 'More info here').

                                      <?php if(isset($_POST['honey1']) && $_POST['honey1'] != 'More info here') {
                                      } else {
                                      the rest of your form processing is here - if you
                                      reach this point, the field honey1 has not been altered
                                      }
                                      ?>
                                      --
                                      Murray --- ICQ 71997575
                                      Adobe Community Expert
                                      (If you *MUST* email me, don't LAUGH when you do so!)
                                      ==================
                                      http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                                      http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                                      ==================

                                      • 16. Re: anti spam
                                        Level 7
                                        On Wed, 19 Nov 2008 16:00:40 -0600, "Matt" <matt@notmail.com> wrote:

                                        >The second is the single form spammer who are paid (believe it or not!) to
                                        >search the web for contact forms to copy and paste a preset emails which
                                        >will make use of your forms mail() function and send out mass emails. These
                                        >emails look like they have come form your contact form, which is not very
                                        >nice, especially when you get contacted many of the recipients asking why
                                        >you have sent them emails!"

                                        If your form uses proper validation of the users' input, the worst they
                                        could do is send the e-mail to the person who is designed to receive the
                                        form results.

                                        Gary
                                        • 17. Re: anti spam
                                          bregent Most Valuable Participant
                                          >I started using scripts to verify that email addresses (and other required fields)
                                          >contained legitimate syntax.

                                          True. All form fields should be validated to ensure they do not contain illegitimate characters/strings.

                                          > I set up the form results page to give a success message to the
                                          >spammers, even though the results never got mailed to our server.

                                          I do this too in some cases. It's a trade off between allowing good form submissions from possibly being rejected and reducing spam. I do this only when it seems very apparent that the submission is spam.
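
The checks discussed in the posts above (the hidden honeypot fields, syntax validation of the visible fields, the duplicate-field test, and a success message shown to rejected spam), combined into one PHP handler. This is an added example, not code from any poster; `address2` and `moreInfo` come from the quoted post, while `name`, `email`, `comments` and the recipient address are assumptions.

```php
<?php
// Added example, not code from the thread. address2 and moreInfo are the
// hidden fields from the quoted post; name, email, comments and RECIPIENT
// are assumed names for a typical contact form.

const HONEYPOT_DEFAULT = 'More Info';        // value the hidden textarea is rendered with
const RECIPIENT = 'webmaster@example.com';   // placeholder; fixed, never read from the form
const THANKS = 'Thank you, your message has been sent.';

/** Return a posted field as a trimmed string; arrays and missing keys become ''. */
function field(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
}

/** True when a hidden field is missing or differs from what the page rendered. */
function honeypot_tripped(array $post): bool
{
    // Fields hidden with display:none are still submitted by a browser,
    // so a request without them did not come from the rendered form.
    $address2 = $post['address2'] ?? null;
    $moreInfo = $post['moreInfo'] ?? null;
    if (!is_string($address2) || !is_string($moreInfo)) {
        return true;
    }
    return $address2 !== '' || trim($moreInfo) !== HONEYPOT_DEFAULT;
}

/** CR or LF in a value destined for a mail header would let it add headers. */
function has_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/** Decide what to do with one submission; sends nothing itself. */
function check_submission(array $post): array
{
    if (honeypot_tripped($post)) {
        return ['action' => 'drop', 'message' => THANKS];
    }
    $name  = field($post, 'name');
    $email = field($post, 'email');
    $text  = field($post, 'comments');

    $bad = [];
    if ($name === '' || has_newline($name)) { $bad[] = 'name'; }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $bad[] = 'email'; }
    if ($text === '') { $bad[] = 'comments'; }
    if ($bad) {
        return ['action' => 'retry', 'message' => 'Please correct: ' . implode(', ', $bad)];
    }
    // The same text pasted into more than one field is treated as spam.
    if (count(array_unique([$name, $email, $text])) < 3) {
        return ['action' => 'drop', 'message' => THANKS];
    }
    return ['action' => 'send', 'message' => THANKS,
            'name' => $name, 'email' => $email, 'text' => $text];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = check_submission($_POST);
    if ($result['action'] === 'send') {
        // The recipient is a constant, so form input cannot redirect the mail.
        $headers = 'From: ' . RECIPIENT . "\r\nReply-To: " . $result['email'];
        mail(RECIPIENT, 'Contact form: ' . $result['name'], $result['text'], $headers);
    }
    // 'drop' shows the same text as 'send', so a dropped sender sees no
    // difference; only 'retry' tells the visitor what to fix.
    echo htmlspecialchars($result['message'], ENT_QUOTES, 'UTF-8');
}
```

A visitor whose browser does not apply the stylesheet, or whose autofill may populate `address2`, will trip the honeypot, so it is worth logging dropped submissions for a while before trusting the filter.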
                                          • 18. Re: anti spam
                                            Level 7
                                            In article <gg26f2$75n$1@forums.macromedia.com>,
                                            "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:

                                            > > Just what is the syntax for the CSS ".special { display:none; }"
                                            >
                                            > Uhh - it's '.special { display:none; }' - that would go in your stylesheet.

                                            Thank you. I can understand your impatience. My form page uses a
                                            template which is uneditable but it contains a CSS tag. The editable
                                            portion has none.

                                            Since the CSS seems to have to be in the head I'm guessing the line goes
                                            into the template CSS.
                                            >
                                            > > How do you discard the form?
                                            >
                                            > In the form processing script - the first thing you do is to test for these
                                            > fields (I'll show just one - assume that it must contain 'More info here').
                                            >
                                            > <?php if(isset($_POST['honey1']) && $_POST['honey1'] != 'More info here') {
                                            > } else {
                                            > the rest of your form processing is here - if you
                                            > reach this point, the field honey1 has not been altered
                                            > }
                                            > ?>

                                            and honey1 is the name of the hidden field which, if altered halts the
                                            process at that point?


                                            Thanks again.
                                            • 19. Re: anti spam
                                              Level 7
                                              Harvey:

                                              > Thank you. I can understand your impatience. My form page uses a
                                              > template which is uneditable but it contains a CSS tag.

                                              The child pages of a properly built Template always have an editable region
                                              in the head where such things can be placed. Worst case would be that you
                                              have to add an entire embedded stylesheet to accommodate just this single
                                              rule. Do that by changing this -

                                              <!-- InstanceBeginEditable name="head" -->
                                              <!-- EndEditable -->

                                              to this -

                                              <!-- InstanceBeginEditable name="head" -->
                                              <style type="text/css">
                                              .special { display:none; }
                                              </style>
                                              <!-- EndEditable -->

                                              > and honey1 is the name of the hidden field which, if altered halts the
                                              > process at that point?

                                              Yes. If the test succeeds, you would not execute the 'else' part of the
                                              test, which would be completely bypassed. Do whatever you want at that
                                              point to the lousy spammer! 8)

                                              --
                                              Murray --- ICQ 71997575
                                              Adobe Community Expert
                                              (If you *MUST* email me, don't LAUGH when you do so!)
                                              ==================
                                              http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                                              http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                                              ==================

                                              • 20. Re: anti spam
                                                Level 7
                                                I wonder why they don't refer to it on that page (and why no one has added
                                                it yet)?

                                                They have a listing elsewhere for the term honeypot, but it sounds different
                                                in concept. As if they use the term for a method of putting dedicated
                                                machines on a network to intercept spam traffic, versus a client or server
                                                side method to halt bogus responses in forms:

                                                http://en.wikipedia.org/wiki/Honeypot_(computing) .


                                                • 21. Re: anti spam
                                                  Level 7
                                                  >
                                                  > They have a listing elsewhere for the term honeypot, but it sounds
                                                  > different in concept. As if they use the term for a method of putting
                                                  > dedicated machines on a network to intercept spam traffic, versus a client
                                                  > or server side method to halt bogus responses in forms:
                                                  >
                                                  > http://en.wikipedia.org/wiki/Honeypot_(computing) .

                                                  Yes, that's describing a different kind of 'spam cop' type service. As far
                                                  as I know, the term 'honeypot' to describe what we have been referring to,
                                                  was coined right here on this board (or perhaps on one of the related
                                                  boards).

                                                  --
                                                  Murray --- ICQ 71997575
                                                  Adobe Community Expert
                                                  (If you *MUST* email me, don't LAUGH when you do so!)
                                                  ==================
                                                  http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                                                  http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                                                  ==================


                                                  "Matt" <matt@notmail.com> wrote in message
                                                  news:gg40bf$hge$1@forums.macromedia.com...
                                                  >I wonder why they don't refer to it on that page (and why no one has added
                                                  >it yet)?
                                                  >
                                                  > They have a listing elsewhere for the term honeypot, but it sounds
                                                  > different in concept. As if they use the term for a method of putting
                                                  > dedicated machines on a network to intercept spam traffic, versus a client
                                                  > or server side method to halt bogus responses in forms:
                                                  >
                                                  > http://en.wikipedia.org/wiki/Honeypot_(computing) .
                                                  >

                                                  • 22. Re: anti spam
                                                    Level 7
                                                    In article <gg424j$jlv$1@forums.macromedia.com>,
                                                    "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:

                                                    > >
                                                    > > They have a listing elsewhere for the term honeypot, but it sounds
                                                    > > different in concept. As if they use the term for a method of putting
                                                    > > dedicated machines on a network to intercept spam traffic, versus a client
                                                    > > or server side method to halt bogus responses in forms:
                                                    > >

                                                    Re your code:

                                                    <?php if(isset($_POST['honey1']) && $_POST['honey1'] != 'More info here') {
                                                        // the field honey1 has been altered
                                                    } else {
                                                        // the rest of your form processing is here - if you
                                                        // reach this point, the field honey1 has not been altered
                                                    }
                                                    ?>

                                                    What would be the asp equivalent?
                                                    • 23. Re: anti spam
                                                      Level 7
                                                      It's been a while.

                                                      <%

                                                      if request.form("honey1") = "More info here" Then
                                                      ' all your form processing goes here

                                                      else

                                                      ' your honeypot processing would go here

                                                      end if
                                                      %>

                                                      --
                                                      Murray --- ICQ 71997575
                                                      Adobe Community Expert
                                                      (If you *MUST* email me, don't LAUGH when you do so!)
                                                      ==================
                                                      http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                                                      http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                                                      ==================


                                                      "Harvey Waxman" <hnwaxman@gmail.com> wrote in message
                                                      news:hnwaxman-50C450.12021820112008@forums.macromedia.com...
                                                      > In article <gg424j$jlv$1@forums.macromedia.com>,
                                                      > "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:
                                                      >
                                                      >> >
                                                      >> > They have a listing elsewhere for the term honeypot, but it sounds
                                                      >> > different in concept. As if they use the term for a method of putting
                                                      >> > dedicated machines on a network to intercept spam traffic, versus a
                                                      >> > client
                                                      >> > or server side method to halt bogus responses in forms:
                                                      >> >
                                                      >
                                                      > Re your code:
                                                      >
                                                      > <?php if(isset($_POST['honey1']) && $_POST['honey1'] != 'More info here') {
                                                      >     // the field honey1 has been altered
                                                      > } else {
                                                      >     // the rest of your form processing is here - if you
                                                      >     // reach this point, the field honey1 has not been altered
                                                      > }
                                                      > ?>
                                                      >
                                                      > What would be the asp equivalent?
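
The check from the two posts above, as an added PHP example (not code from the thread): it also covers a POST that leaves out honey1 or sends it as an array. The field name and default value are taken from the posts; the function name, constants and sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. 'honey1' and 'More info here'
// come from the posts; all other names here are hypothetical.
const HONEYPOT_FIELD   = 'honey1';
const HONEYPOT_DEFAULT = 'More info here';

/**
 * Classify one submission by its honeypot field.
 * Returns 'ok' only when the field came back exactly as the form sent it.
 */
function honeypot_verdict(array $post): string
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        // The real form always sends the field, so a POST without it did not
        // come from the form. An isset(...) && ... test lets this case through.
        return 'missing';
    }
    $value = $post[HONEYPOT_FIELD];
    if (!is_string($value)) {
        // honey1[]=x arrives as an array; there is nothing to compare, reject.
        return 'altered';
    }
    return $value === HONEYPOT_DEFAULT ? 'ok' : 'altered';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'browser, field untouched' => ['email' => 'a@example.com', 'honey1' => 'More info here'],
    'field overwritten'        => ['email' => 'b@example.com', 'honey1' => 'http://spam.example/'],
    'field blanked'            => ['email' => 'c@example.com', 'honey1' => ''],
    'field left out of POST'   => ['email' => 'd@example.com'],
    'field sent as an array'   => ['email' => 'e@example.com', 'honey1' => ['x']],
];

foreach ($samples as $label => $post) {
    $verdict = honeypot_verdict($post);
    // Only 'ok' reaches the mail-sending code; anything else is dropped
    // without sending the email.
    printf("%-26s -> %s\n", $label, $verdict === 'ok' ? 'process form' : "drop ($verdict)");
}
```

Only the first sample is processed; the other four are dropped.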

                                                      • 24. Re: anti spam
                                                        Level 7
                                                        Thanks again, I'll try it

                                                        In article <gg48fa$rmh$1@forums.macromedia.com>,
                                                        "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:

                                                        > It's been a while.
                                                        >
                                                        > <%
                                                        >
                                                        > if request.form("honey1") = "More info here" Then
                                                        > ' all your form processing goes here
                                                        >
                                                        > else
                                                        >
                                                        > ' your honeypot processing would go here
                                                        >
                                                        > end if
                                                        > %>
                                                        • 25. Re: anti spam
                                                          Level 7
                                                          Good luck, Harvey!

                                                          --
                                                          Murray --- ICQ 71997575
                                                          Adobe Community Expert
                                                          (If you *MUST* email me, don't LAUGH when you do so!)
                                                          ==================
                                                          http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
                                                          http://www.dwfaq.com - DW FAQs, Tutorials & Resources
                                                          ==================


                                                          "Harvey Waxman" <hnwaxman@gmail.com> wrote in message
                                                          news:hnwaxman-3E6003.14313620112008@forums.macromedia.com...
                                                          > Thanks again, I'll try it
                                                          >
                                                          > In article <gg48fa$rmh$1@forums.macromedia.com>,
                                                          > "Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote:
                                                          >
                                                          >> It's been a while.
                                                          >>
                                                          >> <%
                                                          >>
                                                          >> if request.form("honey1") = "More info here" Then
                                                          >> ' all your form processing goes here
                                                          >>
                                                          >> else
                                                          >>
                                                          >> ' your honeypot processing would go here
                                                          >>
                                                          >> end if
                                                          >> %>