Help With Contact Form Abuse - a Trivial solution
#1

In the last few months I have had problems with spammers abusing my contact form. The contact form result only goes to two or three departments in my company, depending on where it was accessed, but we all got tired of dealing with robot spam.

My solution was to add an id to the URL. This is an example -- contact/index/CKjuFiDk5tPO6wWfuclc6l

This is a trivial solution which will defeat most robot spammers. The token is generated as follows:

Code:
$token = $this->mylibrary->GetRandomString(16) . 'my secret phrase';
$token = md5($token);
$token .= base_convert( crc32($token), 10 , 36);

 and confirmed as follows by the contact form:


Code:
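// The first 32 characters are the MD5 hex digest; the rest is the CRC suffix.
$actual_token = substr( $token, 0, 32);
$crc = substr( $token, 32);
// Strict comparison: with != PHP compares numeric-looking strings as numbers.
if(base_convert( crc32($actual_token), 10 , 36) !== $crc) { $spammer = TRUE ; }
else { $spammer = FALSE; }

##################
// Returns $length characters picked at random from $OK_CHARS.
function GetRandomString( $length = 50)
{
    $OK_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    $maxChar = strlen($OK_CHARS) - 1;
    $string = "";

    for( $i = 0; $i < $length; $i++)
    {
        // One random index per output character.
        $string .= $OK_CHARS[rand(0,$maxChar)];
    }
    return $string;
}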

It is somewhat trivial but at least contains a secret phrase. MD5 works because it returns URL-friendly characters and is relatively short and reasonably fast.

If you encounter a spammer, always say the message was delivered. You can add spam rules for those who go through your pages to send spam, but I found most robots use old URLs.

Old tokens will always work. Saving this to a database with a 'time to live' helps more but adds overhead. At a minimum, this helps stop the dumb ones.
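The post notes that old tokens always work and that a database "time to live" adds overhead. The following is an added example, not the original poster's code: it puts the issue time inside the token and signs it with HMAC-SHA256, so the form can check both the secret and the age without storing anything. `FORM_SECRET`, `FORM_TOKEN_TTL` and the function names are assumptions made for this sketch.

```php
<?php
// Added example. FORM_SECRET and FORM_TOKEN_TTL are assumed values, not from the post.
const FORM_SECRET    = 'replace-with-a-long-random-secret'; // placeholder
const FORM_TOKEN_TTL = 3600;                                // seconds a token stays valid

// URL-safe base64 without padding, so the token fits in a URI segment.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Token layout: <issue time>.<random nonce>.<HMAC over the first two fields>
function make_form_token(?int $now = null): string
{
    $payload = ($now ?? time()) . '.' . bin2hex(random_bytes(8));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, FORM_SECRET, true));
}

function check_form_token(string $token, ?int $now = null): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$issued, $nonce, $mac] = $parts;
    if (!ctype_digit($issued) || !ctype_xdigit($nonce)) {
        return false;
    }
    // The MAC depends on the secret, so it cannot be recomputed from the URL alone.
    $expected = b64url(hash_hmac('sha256', $issued . '.' . $nonce, FORM_SECRET, true));
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return false;
    }
    $age = ($now ?? time()) - (int) $issued;
    return $age >= 0 && $age <= FORM_TOKEN_TTL;
}

// Constructed demonstration with a fixed clock.
$t0    = 1700000000;
$token = make_form_token($t0);
$redated = ($t0 + 7000) . substr($token, strlen((string) $t0)); // issue time altered
var_dump(check_form_token($token, $t0 + 60));     // checked one minute after issue
var_dump(check_form_token($token, $t0 + 7200));   // checked after the TTL has passed
var_dump(check_form_token($redated, $t0 + 7200)); // old token with a newer time pasted in
```

A token replayed inside the TTL window still passes; refusing reuse of a single token would need the stored state the post mentions.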


Messages In This Thread
Help With Contact Form Abuse - a Trivial solution - by clancey - 10-26-2020, 03:50 PM