Help With Contact Form Abuse - a Trivial solution

#1
In the last few months I have had problems with spammers abusing my contact form. The contact form result only goes to two or three departments in my company, depending on where it was accessed, but we all got tired of dealing with robot spam.

 My solution was to add an id to the URL. This is an example -- contact/index/CKjuFiDk5tPO6wWfuclc6l

 This is a trivial solution which will defeat most robot spammers.  The token is generated as follows:

Code:
// 16 random characters plus a server-side phrase, hashed to 32 hex characters
$token = $this->mylibrary->GetRandomString(16) . 'my secret phrase';
$token = md5($token);
// append a base-36 CRC of the hash as a check value
$token .= base_convert( crc32($token), 10 , 36);

 and confirmed as follows by the contact form:


Code:
$actual_token = substr( $token, 0, 32);   // the md5 part
$crc = substr( $token, 32);               // the base-36 CRC part
// strict string comparison: a check value that does not match marks the request as a robot
$spammer = (base_convert( crc32($actual_token), 10 , 36) !== $crc);

##################
// Returns $length characters drawn from [a-zA-Z0-9].
// Note: rand() is a plain PRNG, not a cryptographic one.
function GetRandomString( $length = 50)
{
$OK_CHARS= "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
$maxChar = strlen($OK_CHARS) - 1;
$string = "";

for( $i = 0; $i < $length; $i++)
  {
  $string .= $OK_CHARS[rand(0,$maxChar)];
  }
return $string;
}

 It is somewhat trivial but at least contains a secret phrase. MD5 works because it returns URL-friendly characters and is relatively short and reasonably fast.

 If you encounter a spammer, always say the message was delivered. You can add spam rules for those who go through your pages to send spam, but I found most robots use old URLs.

 Old tokens will always work. Saving this to a database with a 'time to live' helps more but adds overhead. At a minimum, this helps stop the dumb ones.
Reply
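A variant of the URL-token idea from the post above, written as an added example for this thread rather than code from the original poster: it swaps the md5 + crc32 construction for an HMAC keyed with a server-side secret, embeds an expiry time in the token so that old URLs stop working without a database lookup, and draws the random part from random_bytes(). The secret value, the one-hour TTL and the function names are assumptions for illustration; the token still travels in the URL exactly as in the post (contact/index/<token>).

```php
<?php
// Added example (not the original poster's code): a stateless contact-form
// token that carries its own expiry and is authenticated with an HMAC keyed
// by a server-side secret. Assumptions: the secret below is a placeholder,
// the TTL is one hour, and the token is carried in the URL path.

const TOKEN_TTL_SECONDS = 3600;

// URL-safe base64 (RFC 4648 section 5) without padding, so the token can
// sit in a path segment without encoding.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Returns null on malformed input (strict decoding rejects stray characters).
function b64url_decode(string $txt): ?string
{
    $pad = strlen($txt) % 4;
    if ($pad) {
        $txt .= str_repeat('=', 4 - $pad);
    }
    $raw = base64_decode(strtr($txt, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

// Token layout: b64url( nonce[16] || expiry_be64[8] || hmac_sha256(secret, nonce||expiry)[32] )
function make_form_token(string $secret, int $now, int $ttl = TOKEN_TTL_SECONDS): string
{
    $nonce   = random_bytes(16);               // CSPRNG, unlike rand()
    $expires = pack('J', $now + $ttl);         // unsigned 64-bit big-endian
    $mac     = hash_hmac('sha256', $nonce . $expires, $secret, true);
    return b64url_encode($nonce . $expires . $mac);
}

// True only if the MAC verifies under $secret and the token has not expired.
// Every failure path returns false; the caller decides how to answer the bot.
function verify_form_token(string $secret, string $token, int $now): bool
{
    $raw = b64url_decode($token);
    if ($raw === null || strlen($raw) !== 16 + 8 + 32) {
        return false;                          // malformed or wrong length
    }
    $nonce    = substr($raw, 0, 16);
    $expires  = substr($raw, 16, 8);
    $mac      = substr($raw, 24, 32);
    $expected = hash_hmac('sha256', $nonce . $expires, $secret, true);
    if (!hash_equals($expected, $mac)) {       // constant-time comparison
        return false;                          // forged, tampered, or wrong key
    }
    $exp = unpack('J', $expires)[1];
    return $now <= $exp;                       // stale URL: reject
}

// Demonstration with a placeholder secret (assumed; load the real one from config).
$secret = 'replace-me-with-a-long-random-secret-from-config';
$now    = time();
$token  = make_form_token($secret, $now);

// Same token under the cases a contact form will actually see.
$cases = [
    'fresh token, correct secret'   => verify_form_token($secret, $token, $now),
    'same token two hours later'    => verify_form_token($secret, $token, $now + 7200),
    'token with a character added'  => verify_form_token($secret, $token . 'x', $now),
    'token with first char flipped' => verify_form_token(
        $secret, substr_replace($token, $token[0] === 'A' ? 'B' : 'A', 0, 1), $now),
    'token checked under other key' => verify_form_token('other-secret', $token, $now),
];
foreach ($cases as $label => $ok) {
    printf("%-32s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Because the verifier recomputes the HMAC with the secret, a scraped URL does not let a robot mint new tokens, and hash_equals() keeps the comparison constant-time. The embedded expiry gives the "time to live" behaviour without a table. If each URL should additionally be single-use, record the nonce with the same TTL, which is the database approach mentioned in the post.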

#2
There is the honeypot approach that CI4 makes available to you. As I understand it, robots will be able to, and do, fill in every form field, even ones hidden from the human eye. I do it by adding <input type="hidden" name="honeypot" value=""/><br>

to forms, then tweak Honeypot.php as required, located at app/Config/Honeypot.php
Reply

#3
Honeypots can be a good way to discover bad actors and ban the IPs.

What I was seeing was auto entry of the contact form without going through the website proper. This prevents that. I also have a small number of content rules and denature user input to prevent the form from sending messages which, when viewed, auto download malicious software. Contact form responses are never saved to prevent them from being a vector into my databases. Routing is decided at the program level based on the context within which the form was requested and not indicated in hidden form fields.
Reply




  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.