Posted by Jerry Stuckle on 04/21/07 18:34
Drazen Gemic wrote:
 > I have a feedback form on my site. People can fill the fields and
 > message is sent to me using 'mail' function, after the form gets
 > submitted (POST).
 >
 > The fields are subject, from and text. 'subject' is optional, others
 > are mandatory. PHP script that handles the form input takes into account
 > predefined field names only.
 >
 > The problem is that someone is sending me spam using that form. I
 > don't believe that they target me specifically. It is more likely that
 > some automated robot is doing that. I tried to change field names, but
 > still getting the messages. I checked the message source, and they are
 > coming from the form.
 >
 > My question is how they can guess the field names and determine which
 > mean what by automated process ? I guess they can parse html form to
 > get names, but how they can put  values in proper fields ? Are they
 > using trial and error ? I should get messages with text in subject
 > field, too, then, but I don't.
 >
 > It is possible that someone is sending messages by hand, but who
 > could be such idiot ?
 >
 > DG
 >
 
 I have a similar problem with a non-profit site I manage.  Their members
 are occasionally getting spam.
 
 This is a custom form with all kinds of protection against email
 injection.  But looking at the logs, the info is being posted manually,
 not by a 'bot.
 
 There isn't much you can do about manual posting of spam.  If they're
 determined enough they will post.
 
 To prevent robots, you can add captcha to your site.  Even a simple
 question such as "What is two plus two?" where the two numbers are
 chosen randomly will stop a lot of the scripts.
 
 It won't stop the manual postings - but it might annoy them enough to
 move on.
 
 --
 ==================
 Remove the "x" from my email address
 Jerry Stuckle
 JDS Computer Training Corp.
 jstucklex@attglobal.net
 ==================
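
The random arithmetic question suggested in the reply above, sketched in PHP for a form with the original poster's subject, from and text fields. This is an added example, not code from either poster; the recipient address, the `answer` field name and the helper function names are assumptions.

```php
<?php
// Added example, not from the thread. Field names subject/from/text follow the
// post; RECIPIENT, the "answer" field and the helper names are assumptions.
session_start();
const RECIPIENT = 'owner@example.com'; // placeholder address

function field(string $k): string {          // missing or array input becomes ''
    $v = $_POST[$k] ?? '';
    return is_string($v) ? trim($v) : '';
}
function new_challenge(): string {
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['answer'] = $a + $b;           // expected answer never leaves the server
    return "What is $a plus $b?";
}
function challenge_passed(string $given): bool {
    $expected = $_SESSION['answer'] ?? null;
    unset($_SESSION['answer']);              // single use: an answer cannot be replayed
    return $expected !== null && ctype_digit($given) && (int)$given === $expected;
}
function has_newline(string $v): bool {      // CR/LF in a header value = header injection
    return preg_match('/[\r\n]/', $v) === 1;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $from = field('from'); $subject = field('subject'); $text = field('text');
    if (!challenge_passed(field('answer'))) {
        $error = 'Wrong answer, please try again.';
    } elseif ($text === '' || has_newline($subject)
              || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $error = 'Please fill in a valid address and a message.';
    } else {
        // Fixed From; the visitor's address goes only into Reply-To.
        mail(RECIPIENT, $subject !== '' ? $subject : 'Feedback', $text,
             'From: ' . RECIPIENT . "\r\nReply-To: " . $from);
        exit('Thank you.');
    }
}
$question = new_challenge();                 // fresh numbers on every page view
?>
<form method="post">
  <p><?= htmlspecialchars($error) ?></p>
  From: <input name="from"> Subject: <input name="subject">
  <textarea name="text"></textarea>
  <?= htmlspecialchars($question) ?> <input name="answer" autocomplete="off">
  <button>Send</button>
</form>
```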