Tuesday, September 25, 2007


It's been about 2 months since I implemented my last anti-spam form submit code and surprisingly the spammers were stopped dead this time and don't seem to have a clue how to get around it.

Without giving away all the secrets so the little pecker heads don't read this and figure it out, it's a combination of javascript in the browser and some server side tracking algorithms that seem to be able to detect the spam scripts very accurately.

Looking at my log today the spammers may have just given up on my site because the ton of failed posts no longer appears.

Here's a few highlights of the last anti-spam patch:

  • No captcha that a human must type as the javascript itself is the captcha
  • Browser and user agent validation
  • Data center blocking
  • Behavior profiling
The cute thing with the javascript captcha code is that it automatically builds a series of letters in a value that's posted back to the server. Each time something is entered into a field, meaning a human manually typing in a name, email address or comment, the javascript code adds another letter to the internal captcha string. Basically how it works is the human entering data into the form automatically creates the captcha answer returned as a form value.

The way the javascript is written it's nothing that happens the exact same way twice and the results are always different so I'm sure they gave up trying after a bit because the first wrong answer submitted and I froze the form from being used again. This stopped the spammers from hacking at the code as one wrong move and they were locked out for 24 hours before they could attempt it again.

Unfortunately, I might've locked out a couple of humans with javascript disabled as well but I can't tell as the volume of form submissions looks normal, no obvious decline, and the page clearly states that javascript must be enabled in order for the form to work.

I think a few minor casualties are acceptable for my peace of mind and less work cleaning up spammers messes.

Bye bye spammers, nice know'n ya!


Da Scritch said...

Double POST method, asking first a preview then a send (as in Dotclear 2) seems being a very good method too.
No javascript use, no capcha, just invite your correspondent to re-read the mail.

IncrediBILL said...

I tried various other tricks like that and they were coding around them.

I found it bizarre that whoever it was would monitor the results of a single form post and come fix it if something changed.

That's why I had to do something a bit more drastic because they were adapting to every change so it became obvious on my last change that it had to be a bit over the top to make 'em go away.

Anonymous said...

you know, it just might be someone that is trying to get into your main PC. ( yep I am paranoid )

from my pov, if I know your main PCs IP, I could try to attack it, hoping that your firewall and your OS is not up-to date. I would think that the value of the data you have could be worth ( to multiple parties ) in excess of 6 digit's


IncrediBILL said...

I have those attacks too.

The idiots hitting my forms actually send spam when they get it working.

Amazing, like I'd even look at their spam in the first place, what are they thinking?

David said...

The problem of being spammed through these Contact Us Forms is still yet to be resolved, i have read a bundle of articles on Spam, Spam-Filtering, Comment Spam, Anti-Spam, Anti-Spam Solutions Website and found some better solutions too. You must also check out the link in order to find latest articles

Anonymous said...

Oh lovely -- it's comment spam advertising anti-comment-spam products!

WebGeek said...

Hey Bill,

As usual, great post! I have a very similar anti-spam measure that I devised in place on my contact forms, and I have to say, it's a beautiful thing. No CAPTCHA, no inconvenience for the user, and best of all, no SPAM for us. I first tested it out on several sites for about six months, and haven't gotten a single piece of automated spam. I recently modified the code for my WordPress blog to use it, and it works great there too...no comment spam...not even to moderate. As you've found, sometimes the best solutions are brilliantly simple.