Thursday, August 09, 2007

CONTACT US Form Spammers Monitor Submit Results!

I have one CONTACT US form on a website that I leave less protected than other forms just to allow customers with their browser security dialed up tight to drop a line without getting caught in anti-spam snares.

Mind you, this page only sends an email to ME, nothing public, nothing nobody will ever see as I sure as hell won't look at the spam other to delete it, so it gives them ZERO value for their efforts, yet they persist.

So in the beginning there was a small trickle of spam on this form that started to escalate.

The first thing I did ages ago was I changed to the form to require a POST just to thwart them from their simple GET's dumping junk.

Eventually they switched to use a POST, but that means someone was monitoring response codes, but WHY?

The trickle of spam eventually came back.

So I changed a couple of fields just to alter the process and break their auto-spam tool.

A long nice quite period but obviously someone is watching and they adapted yet again.

Fine, so I made it a requirement that the page rejected the post unless they had accessed some other page on my site first, which would be a normal user thing.

This caused a longer period of blissful silence.

Then here comes the spam yet AGAIN!

OK, fine, let's try embedding something in the page unique per visitor so if you don't get the CONTACT US page first, and use that parameter, it will reject the submit.

This just blew my fucking mind when a few days later they adapted to first get the page, get all parameters from the form, then POST the page!

OK, now we know someone is fucking watching this page...


I made a change that you can't see in the HTML, it's all server side, knock your fucking socks off trying to adapt this time.

I still don't see why the spammers would bother as they're just wasting time.

Nobody will ever see their spams, NEVER EVER, but I can play this cat and mouse game as long as they can.

All this trouble just because I didn't want to annoy visitors with a captcha on a single page, or require cookies or javascript to be enabled.

If they push me too hard the captcha gets installed.

FYI, I'm watching the someone trying to fix their form post to my site as I'm writing this. They've made about 10 attempts now and it's still not getting through. This must be making him nuts as I don't give them any clues why the submit isn't working except a generic error that the submit failed and please try again!

Let's see what happens next...

UPDATE: The spambots were hammering away at that forum trying to figure out what I did for days with literally hundreds of post attempts from a couple of IPs. Probably the spambot herder trying to figure out my latest anti-spam hack. Then it stopped, not a single POST from those sources and it's back to normal with only real posts from humans.


Lea said...

The ones that 'amuse' me (ok, for values of 'amuse' that equal 'wonder what the hell they think they are doing') are the ones that makes an obvious blog comment type drop - on a comment form.
I figure they are just hitting any texarea.
But yours takes the cake, Bill - I'd say someone is specifically trying to piss off you :(

Anonymous said...

What if a real commenter gets your "generic submit failed" message and has no idea how to fix it? Oh, how user-friendly. :P You are contemptible, Bill. It's surely not so much spam you can't just hit delete.

IncrediBILL said...

Unlike some programmers I actually test my code to make sure a real commenter won't run into any trouble at all.

You obviously have no clue what bots do and how to code specifically for their quirks vs. normal browsers as it's easy to exploit weaknesses without causing an impact on everyone else.

IncrediBILL said...

[NOTE] I normally don't remove comments but off topic comments were removed from this thread. Some people appear to have no ability to focus.

Anonymous said...

How do you guarantee that a "real commenter" won't run into any trouble at all? What exactly twigs the "generic submit failed" to occur and why are you so confident that a human won't trip it?

BTW there is no need for insults. Oh, and you're a hypocrite and a cheating liar Bill and any businessman will cut $200 of expenses to undercut another businessman if he can.

IncrediBILL said...

If I told you how I made my comment form stop the spammers then the spammers could read this and maybe figure it out.

Sorry, but just like KFC you won't get me to share my secret recipe as it's working so far. The little bastards have had a batch of IPs repeatedly hammering the hell out of that form all day long today and nothing got through.

However, humans left many messages without a problem.

So far, so good, and all without a captcha or javascript, not bad.

Hell, for all I know you're the one behind the nonsense in the first place.

Anonymous said...

So I just have to take your word for it that your method lets humans in but not bots. What is it? Hidden form field passed from page to page? Surely not simply referer checking? Maybe a 1px by 1px field a human would never fill in but bots do? Hidden field with timestamp that's stale on the bot postings? (This will confound any human that spends a while composing their submission -- guaranteeing that they'll be *especially* PO'd at your "generic error message"!) Field names change randomly over time? Bot submissions are coming from a predictable IP range and you've blocked this?

IncrediBILL said...

You just like the sound of your own bullshit.

Your hypothesis is all wrong as you haven't a clue what I did and I'm certainly not telling to educate the spammers, already said that.

Anonymous said...

You have no credibility without evidence. You just keep posting tons of your patented incredibull and see how quickly I start believing you. (Hint: don't hold your breath)

IncrediBILL said...

You confuse me with someone that gives a shit what you think.

All I know is spam bots are trying harder than ever at the moment, probably the bot herder trying to figure it out what's stopping them.

The fact that it's working is way more important than your opinion.

(hris said...

Interesting exchange. :-)

I came over here hoping to find out what you did to stop the form spam, but I can appreciate your point about not just posting it.

After fighting for quite a while I discovered that the form builder software that Coffee Cup Software sells can stop the automated stuff, at least for now. You may look down your nose at it, but for non-programers it's a nice thing.

At lest the other commentor give me a few good suggestions that I can try if the CC forms stop working for us.