Saturday, June 16, 2007

Contact Us Form Spammers

Well boys and girls, you didn't really think that hiding your email address behind a CONTACT US form would stop spammers did you?

I have all of my forms on my website protected except one page, which I left wide open with no protection just to let anyone having trouble with the site contact me easily. That page has just a simple form: no CAPTCHA, no referrer checks, no bot blocking, nothing. It's completely open as a safety valve for access from end users.

However, some dick head in Oman with nothing better to do has apparently decided to make it his personal goal in life to automatically post to this form.

You have to ask yourself, why is this random form page so important?

The answer is obvious: everyone now hides behind CONTACT US forms and no longer posts email addresses, so the spammers have nothing left to harvest from the page itself. It would appear they are now harvesting any page with a FORM on it and working out the parameters that let them submit spam through all those forms.

I don't run any off-the-shelf Open Source software, so there is no software fingerprint on any of my pages that the mass spammers could easily search for. This is an act of desperation: manually building a bigger database of sites to spam.

To test this theory, I checked what else this spammer was trying to do on my site besides spamming my contact page. Big shock: the same IP address is trying to spam the other, protected pages.

Here's some other info collected from the same IP: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040115 Galeon/1.3.12" "massive dick sex" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" "Online tramadol. Cheap tramadol." http://
I never see any of the above junk in my Inbox or anywhere else, because it's all submitted on protected pages, where a little information is automatically logged and the rest of the crap discarded.

So how can I protect this form from automation and still leave it open to not impact other visitors?

We'll use one of my old favorites, a simplistic but effective approach: RANDOM FIELD NAMES. Each time the form is displayed the field names change, so the spammer can't pre-program any code to automatically populate the fields because he won't know their names. The server has to remember which random name maps to which real field for that particular copy of the form (in the session, for instance) so it can decode the submission; any name that isn't in that mapping is a name the server never issued.

An argument could be made that the spammer could read the page and use the field position instead of the name, but that assumes the position in the HTML is the same as the position on the page. Good old CSS to the rescue: the visual order can be anything the stylesheet says, regardless of source order.

If I want to make it just about impossible for the spammer to figure out the page, and still not use JavaScript or a CAPTCHA, I might use 10-20 random fields with only 3 of them, chosen at random, visible, so the user would never know the difference.

Golly gee Mr. Spammer, which of those 20 random fields should you fill in?

Be careful, because filling the wrong field, a field the visitor can't see, is yet another form of CAPTCHA, so choose your fields wisely or you're automatically going to be banned. (The decoys have to be hidden with CSS rather than type="hidden", otherwise even a dumb script knows to leave them alone.)

Maybe, to be real sneaky, I'll just add new fields to the form and leave the old, obsolete field names in place, so if they get filled in I know it's an old spammer script replaying names it harvested earlier.
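Here is the whole scheme described above (random per-copy field names with a server-side mapping, off-screen decoy fields, and rejection of names the server never issued) as an added example in Python; it is not code from the original post. The session store, the `.np` off-screen stylesheet rule, the `fid` hidden field and the spam payload are all constructed for the example, and the "human" and "bot" submissions are simulated rather than received over HTTP.

```python
import random
import re

# Logical fields the contact form really needs; everything else is a decoy.
LOGICAL_FIELDS = ("name", "email", "message")
DECOY_COUNT = 9  # 3 visible + 9 decoys = 12 random fields per copy of the form

# Constructed stand-in for a server-side session store: form id -> issued names.
# A real deployment keeps this in the session and expires entries.
SESSIONS = {}

# Hypothetical stylesheet served with the form: decoys are ordinary text inputs
# pushed off-screen, not type="hidden", so a scraper sees nothing special about them.
STYLESHEET = ".np { position: absolute; left: -2000px; }"


def build_form(rng=None):
    """Render one copy of the form with freshly random field names.

    Returns (form_id, html); the mapping random name -> logical field and the
    decoy names for this copy are stored server-side under form_id.
    """
    rng = rng or random.SystemRandom()
    form_id = "%016x" % rng.getrandbits(64)
    names = []
    while len(names) < len(LOGICAL_FIELDS) + DECOY_COUNT:
        n = "f_%08x" % rng.getrandbits(32)
        if n not in names:
            names.append(n)
    visible = rng.sample(names, len(LOGICAL_FIELDS))   # which 3 the human sees
    mapping = dict(zip(visible, LOGICAL_FIELDS))
    decoys = [n for n in names if n not in mapping]
    SESSIONS[form_id] = {"mapping": mapping, "decoys": decoys}

    lines = ['<form method="post" action="/contact">',
             '<input type="hidden" name="fid" value="%s">' % form_id]
    for n in names:  # visible and decoy inputs interleaved in random source order
        if n in mapping:
            lines.append('<label>%s <input type="text" name="%s"></label>' % (mapping[n], n))
        else:
            lines.append('<input type="text" name="%s" class="np" tabindex="-1" autocomplete="off">' % n)
    lines.append("</form>")
    return form_id, "\n".join(lines)


def validate_submission(post):
    """Decode a POST body (dict) against the names issued for its form id.

    Returns (True, {logical: value}) for a plausible human, or (False, reason)
    for anything the post's author would log and ban on.
    """
    state = SESSIONS.pop(post.get("fid", ""), None)  # one-shot: each copy submits once
    if state is None:
        return False, "unknown or expired form id"
    for decoy in state["decoys"]:
        if post.get(decoy):
            return False, "honeypot filled: " + decoy
    issued = set(state["mapping"]) | set(state["decoys"]) | {"fid"}
    stale = sorted(k for k in post if k not in issued)
    if stale:  # names this copy never issued: a script replaying an old form
        return False, "stale field names: " + ",".join(stale)
    data = {logical: post.get(rand, "").strip() for rand, logical in state["mapping"].items()}
    missing = [k for k, v in data.items() if not v]
    if missing:
        return False, "missing: " + ",".join(missing)
    return True, data


# --- the other side: what a harvesting script does with the markup ---
INPUT_TAG = re.compile(r"<input\b([^>]*)>")
ATTR = re.compile(r'\b(\w+)="([^"]*)"')


def scrape_inputs(html):
    """Return [(name, type, value)] for every <input> on the page, as a bot would."""
    out = []
    for m in INPUT_TAG.finditer(html):
        attrs = dict(ATTR.findall(m.group(1)))
        out.append((attrs.get("name"), attrs.get("type", "text"), attrs.get("value", "")))
    return out


def bot_fill_everything(html, payload):
    """Naive bot: keep hidden inputs as-is and stuff every other input with the pitch."""
    return {name: (value if typ == "hidden" else payload) for name, typ, value in scrape_inputs(html)}


def demo(rng=None):
    """Run a human, a scrape-and-fill bot, and a replaying old script through the form."""
    rng = rng or random.SystemRandom()
    spam = "Online tramadol. Cheap tramadol."  # payload constructed from the post's log line

    fid, _ = build_form(rng)                   # 1. human: fills only the three labelled fields
    human = {"fid": fid}
    human.update({rand: "real " + logical for rand, logical in SESSIONS[fid]["mapping"].items()})
    human_result = validate_submission(human)

    _, html = build_form(rng)                  # 2. bot: fills every input it scraped
    bot_result = validate_submission(bot_fill_everything(html, spam))

    _, old_html = build_form(rng)              # 3. old script: names harvested from an earlier copy
    replay = bot_fill_everything(old_html, spam)
    replay["fid"], _ = build_form(rng)         # even with a current form id the names are obsolete
    replay_result = validate_submission(replay)

    return {"human": human_result, "bot": bot_result, "replay": replay_result}


if __name__ == "__main__":
    for who, (ok, info) in demo().items():
        print(who, "accepted" if ok else "rejected", info)
```

The human passes, the scrape-everything bot trips the first decoy it filled, and the replaying script is rejected because its field names were never issued for the copy of the form it is posting to. The mapping lives only on the server, so nothing in the markup tells a scraper which three inputs are real; the `tabindex="-1"` and `autocomplete="off"` on the decoys keep keyboard users and browser autofill from landing in them by accident, which is the main way a real visitor ends up looking like a bot under this scheme.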

Just remember, keeping your email address off the web site doesn't mean you won't get spammed so secure those contact pages today!


Tony said...

I wonder if they have thought about the conversion rate of this kind of spam? It must even be smaller than the conversion rate of normal spam as the webmaster would be at least savvy enough to put in place a form? Maybe (it might be wishful thinking) those webmasters are the kind that wouldn't actually click on spam?

competitive webmaster said...

I like to add a field called e-mail and then offset it -2000 via CSS. If it comes in with data, it was either not a human or someone with CSS disabled/swapped/modified. I don't care about those.

Anonymous said...

"...or someone with CSS disabled/swapped/modified. I don't care about those."

It's nice to know that you discriminate against the disabled, people with older computers, and the like.

Er, which website do you operate, again? I'd like to know, so I can stay away and warn my grandfather (who has poor vision and uses a custom CSS in his browser to remove clutter and control the font size) to do so as well...

IncrediBILL said...

You can view larger text without removing the CSS as I enlarge 8 pt type all the time if it's hard to read, so that's just a lame bullshit argument.

Besides, people that can't afford to buy new computers that can at least run MSIE 6, probably can't view my pages anyway so what's your point?

Keep going, as I can't wait for the next comment, which will probably be funnier than the last.

Anonymous said...

Some visual impairments require more than changing the font size, such as avoiding clashing color schemes and altering layout, which requires custom CSS, you prick. Client-side CSS overrides are also often used to make pages more usable on handheld devices.

IncrediBILL said...

My color schemes don't clash so fuck 'em and the handheld devices are blocked because my javascript doesn't work so well on those little junky devices anyway.

You seem to assume I give a shit about these issues that only affect a few day with their little blackberry trying to surf the web on a postage stamp sized screen.

I'm pandering to the easy to please masses, not the handful of fringe people.

Peter said...

I love the idea of random field names. So simple and so effective.

maurizio said...

The CSS thing reminds me of how Alexa shows the ranking. You see a simple number (maybe lower than my 400k-something :( ), but if you try to copy & paste you get some sort of garbage.
They simply have 5 or 6 <span>s with pieces of your number and random crap. The browser reads the CSS and knows what to remove.
I created a PHP script to show your Alexa ranking by reading their page and removing the crap. You can find it somewhere on my blog.

Anonymous said...

"You see a simple number (maybe lower than my 400k-something :( ), but if you try to copy&paste you get some sort of garbage."

I hate this sort of stupid prank. What is the point? Once information has arrived at my computer I have every right to copy and paste or do whatever else I want to it. Maybe not republish big chunks of it randomly, but certainly to do whatever I wish in the privacy of my own computer. It's called "fair use". And it's easily defeated. A six digit number is easy to hand-copy for Chrissake.

Who thinks up stupidity like this and then manages to actually get their code to work? The one seems to require a too colossally low IQ to stand a chance in hell at succeeding at the other!

Nick said...

It's not to stop people hand-copying data, or 'fair using' it... it's to stop people automatically grabbing their stuff mechanically, en masse, and draining their resources.

e.g.: I use a cURL procedure to go rip down my site stats from various places, reformat them and restyle them and display them directly on my own site.

Hey IncrediBILL, I get this jackwad spamming my forms on a portal I run... but all he does is either contact people saying shite like "I just wanted to say hello" and stuff, or he'll post on my blogs going "Interesting.... very cool", etc....

WTF is with that? What possible goal is there? He doesn't get any benefit that I can see; he's not even selling stuff... I don't get why even the darkest of black hats would go to the effort... Anyone else get this? What's the point?

IncrediBILL said...

I get that crap as well and I think the point is to prove the scripts are working and be low profile because eventually I see links start to slip in from the same sources.

Just a guess, but I think it's an attempt to thwart some anti-spam measures that won't let you post links until x-number of page submits, etc.

Basically attempting to establish credibility via spamming before the REAL spamming starts.