Preventing Webform Based Spam

Have you ever wondered why your email server is sending you a lot of ‘bounced’ email reports? This might be due to a Hacker attack called “spam injection” on web forms that are poorly written.

First they use “zombies” (PC’s that they have been able to take over) to scan the Internet for web pages containing forms.

Then they try to insert some special code into the fields of your form that will trick your server into sending the form email to a different address, an address that your server is fooled into thinking is specified in a “bcc” field.

To begin they will test your server to see if they can re-route the form to send email to a throwaway email address (usually an AOL address). Once they are successful, they start sending spam emails via YOUR webform. And when those emails bounce, they bounce back to YOUR email server!

Several tips on how to prevent webform spams:

1. Use Captchas.
A CAPTCHA is a visual image (usually of a series of characters) that are written in a strange font and are difficult to read. They are supposed to be impossible for a computer to read, but a human can read them. Then your readers read the text, fill in the correct letters, and their form is submitted.

2. Use CSS and Javascript to fool spam bots
Many of the spam bots don’t read JavaScript, or they don’t read it well, so you can encrypt an entire form in JavaScript and block the spam bots from seeing it. Your readers will only have a problem if they don’t have JavaScript turned on.

One way that I like to fool spammers is to add CSS to forms to hide certain fields. When the spam bot comes in and reads the HTML, their bot sees that form field and fills it in. Then when I get the results any entries that have that field are automatically deleted. To do this use the display: none; property on the field. Web browsers will leave that form field completely off the page, but spam bots will see it in the HTML and fill it in.

3. Environment Checks
Every browser sends a HTTP_USER_AGENT value to a server. So a missing HTTP_USER_AGENT value almost always indicates a spammer bot.
The most of browsers (all modern browsers) send a HTTP_REFERER value, which would contain the submitted form URL. Whereas clever bots send this value, a missing HTTP_REFERER value could mean a bot submitting.
Note. There are several firewall and “security” products which block HTTP_REFERER by default. So, none of these people could send a message if you block posting without HTTP_REFERER.
You can use this PHP-code to do the Environment Checks:


4. Extra Form Fields
Yet another way to avoid of spamming by bots is Extra Form-fields where people have to answer an intellectual question like “which day comes after tuesday?” or “spell the number 7 in lowercase letters”. You can take a look at such form at the blog of Kim K. Jonsson.

In order to do not bother people with extra questions, you can invert the Extra Form-fields tactics. Place a blind field with an attractive name into your form. Only bots could detect this fields and fill it out. For example:

Your Name:
Your Email:

Only bots would fill the “email” field, real people will enter emails into the “x” field.

Anders Brownworth suggests to make the Submit button as image and require realistic mouse coordinates with the form posting. Your form processor should then approve the coordinates with etalon. You can take a look at this way realized in the Anders blog.