[Jcbones]

Honeypot Captcha

Ned Batchelder: Stopping spambots with hashes and honeypots

http://en.wikipedia.org/wiki/Honeypot_(computing)

As I said before, they do work...

[bally123]

I dont quite get how to use honeypots I tried but kept getting script error...

This is my original code for the form

HTML Code:

<script language="JavaScript" type="text/javascript"> 
function checkform ( form ) 
{ 
if (form.fname.value == "") { 
alert( "Please enter your full name"); 
form.fname.focus(); 
return false ;
}
if(form.femail.value.match(/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/) == null){
alert( "Please enter valid email address\nThis will only be used to reply to your enquiry." ); 
form.femail.focus(); 
return false ; 
}
if(form.fnumber.value.match(/^\d+/) == null) { 
alert( "Please enter valid contact number\nThis will only be used to contact you in regards to your enquiry." ); 
form.fnumber.focus();
return false ; 
}
if (form.subject.value == "") { 
alert( "Please enter the subject of your enquiry." ); 
form.subject.focus(); 
return false ; 
}  
if (form.fmess.value == "") { 
alert( "You must enter your enquiry"); 
form.fmess.focus(); 
return false ; 
} 
return true ; 
} 
</script> 


<script>document.writeln('<form name="form1" method="post" onSubmit="return checkform(this);" action="mailform.php">');</script>
 
 
<table width="261" border="0" cellspacing="0" cellpadding="2" align="center">
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Your Name*<br><input name="fname" type="text" size="40"></font></td>
      </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Your E-mail Address*<br><input name="femail" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Address Line 1<br><input name="fadd1" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Address Line 2<br><input name="fadd2" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">City<br><input name="fcity" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Postal Code<br><input name="fpost" type="text" size="8" maxlength="8"> e.g. AB1C 2DE</font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Contact number*<br><input name="fnumber" type="text" size="15" maxlength="15"> e.g. 0115 123 1234</font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Subject*<br><input name="subject" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size"1" colour="#444444">Message*<br>
    <textarea name="fmess" cols="35" style="height: 66px"></textarea></font></td>
  </tr>
 
     <td width="257">
 
	 <font face="Verdana" size="1" colour="#444444">
	 <input name="cmdSend" onMouseover="return hidestatus()" type="submit" value="Send">
	 <input name="cmdReset" type="reset" value="Reset"> </font>
	</td>
  </tr>
</form>
	<tr>
     <td class="style15">
	 <font face="Verdana" size="1">* These fields are required</td>
  </tr>
</table>

Any suggestions? TIA

[Jcbones]

A honeypot is quite simple, but must be validated server side,or it won't work.


The simplest of honeypot form is that bots don't recognize css styles. So adding a style to your stylesheet like:

Code:

.check
{
display: none;
}

This would hide the element with: class="check" from a human visitor, but a bot would still see it.

So,

Code:

<input class="check" type="text" name="real_name" value="" />

would be seen by a bot, and not a human.

We would then validate that field when submitted

PHP Code:

if(!empty($_POST['real_name'])) echo 'A bot sent this message';
else { Do the rest of your form code here } 


I have used honeypots on several of my forms, without any reCAPTCHA or any type of user submitted form controls.

To see if this is even catching any bots, you can save any submittals that have this input filled out to a database.

PHP Code:

if(!empty($_POST['real_name'])) {
     echo 'A bot sent this message';
     $sql = "UPDATE `bots` SET `submittedForms`= submittedForms + 1 WHERE `type`='email'";
        if(mysql_query($sql)) echo 'Your submission has been recorded';
}
else { Do the rest of your form code here } 


[wirehopper]

bally123 - you might want to let go of the whole contact form idea. Seriously, post an email address encrypted or as an image and let people click on it.

Here's my opinion of contact forms that make me enter a lot of data to ask a question - either I don't bother, or, I fill it in with bogus data - unless I REALLY want to communicate with the people. If the contact is initiated through email, a response through email is fine. If, after a response, further discussion is warranted, then phone numbers and addresses can be exchanged.

This is really a business decision. All you need is the email address of the person who contacts you. You have to decide how much time (which is also money) you want to spend getting that email address or letting people send you messages, and how much time and energy you want to waste on the idiots that are abusing your form.

Don't feel bad - this is a big problem, for a lot of people, and there are many valid solutions. Jcbones has a nice one, and all the code is there. (Thanks Jcbones!)

Finally, you can always change your site later, so the decision isn't permanent.

Good luck.

[bally123]

Thanks for the advice guys I will give honeypots a try again if that fails then I will get rid of the form and just use an email address and try mailhide by recaptcha...

Is there a way of generating a email by using mailto: I know you can pre-define the subject but I would like to possibly have pre-define email message they can just edit?

[bally123]

Iv added the honeypot and will monitor the emails over the next few days.

Thanks

[bally123]

Hey guys the honeypots seem to be working but the only problem I have now, it seems that my mailform.php is still sending blank emails... I think I need to add some sort of validation to the processing part to say either if form is blank disregard email or only process if form is submit from enquriy.html... How would I go about doing this?

Here is my PHP Code with honeypots:

PHP Code:

<?php
if(!empty($_POST['real_name'])) echo 'A bot sent this message';
else {
////////////////////////////////////////////////////////////////
// PERFECT                                                    //
// -------                                                    //
// PHP E-mail Receive Form Electronic Content Text            //
// File: feedback.php                                         //
// Version: 1.8 (April 21, 2008)                              //
// Description: Processes a web form to read the user input   //
//    and then send the data to a predefined recipient.  You  //
//    are free to use and modify this script as you like.     //
// Instructions:  Go to "http://www.centerkey.com/php".       //
// License: Public Domain Software                            //
//                                                            //
// Center Key Software  *  www.centerkey.com  *  Dem Pilafian //
////////////////////////////////////////////////////////////////

// Configuration Settings
$SendFrom =    "$fname <$femail>";
$SendTo =      "enquiry@domain.tld";
$SubjectLine = "$subject";
$ThanksURL =   "thanks.html";  //confirmation page

// Build Message Body from Web Form Input 
$MsgBody=<<<END
{$_POST['fname']} has made an enquiry about: {$_POST['subject']}\n\n{$_POST['fmess']}\n\nTheir contact details are:  
{$_POST['fname']}\n{$_POST['fadd1']}\n{$_POST['fadd2']}\n{$_POST['fcity']}\n{$_POST['fpost']}\n\n{$_POST['fnumber']}\n{$_POST['femail']}
END;
$MsgBody = htmlspecialchars($MsgBody, ENT_NOQUOTES);  //make safe 

// Send E-Mail and Direct Browser to Confirmation Page
      if (count($_POST) > 0)
      $Spam = count($_POST) == 0 || stristr($MsgBody, "cc: ") ||
          stristr($MsgBody, "href=") || stristr($MsgBody, "[url") || stristr($MsgBody, "http://");
      if (!$Spam)
          mail($SendTo, $SubjectLine, $MsgBody, "From: $SendFrom"); 
header("Location: $ThanksURL");
}
?>

[bally123]

Honeypots doesnt seem to be working can someone check my is code if you dont mind please...

HTML Code:

<script>document.writeln('<form name="form1" method="post" onSubmit="return checkform(this);" action="mailform.php">');</script>


<table width="261" border="0" cellspacing="0" cellpadding="2" align="center">
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Your Name*<br><input name="fname" type="text" size="40">
<input class="check" type="text" name="real_name" value="" />
</font></td>
      </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Your E-mail Address*<br><input name="femail" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Address Line 1<br><input name="fadd1" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Address Line 2<br><input name="fadd2" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">City<br><input name="fcity" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Postal Code<br><input name="fpost" type="text" size="8" maxlength="8"> e.g. AB1C 2DE</font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Contact number*<br><input name="fnumber" type="text" size="15" maxlength="15"> e.g. 0115 123 1234</font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size="1" colour="#444444">Subject*<br><input name="subject" type="text" size="40"></font></td>
  </tr>
  <tr>
    <td width="257" ><font face="Verdana" size"1" colour="#444444">Message*<br>
    <textarea name="fmess" cols="35" style="height: 66px"></textarea></font></td>
  </tr>

     <td width="257">

	 <font face="Verdana" size="1" colour="#444444">
	 <input name="cmdSend" onMouseover="return hidestatus()" type="submit" value="Send">
	 <input name="cmdReset" type="reset" value="Reset"> </font>
	</td>
  </tr>
</form>
	<tr>
     <td class="style15">
	 <font face="Verdana" size="1">* These fields are required</td>
  </tr>
</table>

[themice2]

I'm not sure how exactly the spam is getting through to you. You say you have some forms of validation which I think should stop some form spam bots but some of them will auto fill out fields and then submit. Are you getting spam email sent directly to your PHP $SendTo address or is it form spam.

In any case I also use a PHP mail form but I also encode at least my submit button on my web form page using the Hive Enkoder. see link below. I just copy my submit form button HTML code into the advanced enkoder area and get the scrambled code, paste into my HTML page to replace my submit button. Downside is only site visitors with JS on will see the submit button but you can always have a "no script" message. Haven't had any spam come through with this method.

Hivelogic - The Anti-Spam Email Address Enkoder Web Form

This might be of some use to you (or others). All the best

[bally123]

Basically im just getting blank form submissions

Code:

RFC822 Message body
Return-Path: </unknown.2669688.bounce@domain.tld>
Delivered-To: enquiry@domain.tld@domain.tld
Received: (qmail 27288 invoked from network); 1 Jul 2009 14:37:27 -0000
Received: from unknown (10.8.8.5)
by q5-cgi-norm.netfirms.com with QMQP; 1 Jul 2009 14:37:27 -0000
Date: 1 Jul 2009 14:37:27 -0000
Message-ID: <20090701143727.58568.qmail@cgi5>
X-IP: 202.147.198.75
X-URI: /mailform.php
X-ID: 2669688
To: enquiry@domain.tld
Subject:
From: <>

has made an enquiry about:



Their contact details are:

But what im thinking now is that if someone has a browser with javascript disabled then my form validation is not going to work and the submit button will still submit if the form is blank or not...