0

I typically only do front-end UI, but on a project I have been working on I had to make a form. The form works, with emails coming through, but unfortunately an incredibly large amount of spam is coming through. I've added a CAPTCHA input, but that doesn't seem to have reduced the amount of spam very much, if at all.

After some research, it seems a honeypot is the best option. However, because I don't know a lot about PHP and JavaScript (working on this :) ), I'm not sure what the best code for this is or where to put it.

However, I haven't been able to find a clear guide on how to do this.

So my question is: does anyone know of a clear guide that has instructions on how to make and implement a honeypot input (with the server-side conditional code)?

Any help is appreciated. Thanks.

P.S. The form is "in a lightbox", so that may affect things.

jakeallard
  • 19
  • 3
  • What are your current form fields? Do you believe these attacks are automated? – robbmj Dec 12 '13 at 23:57
  • Sorry but after answering I found it's already a SO duplicate. – Francisco Presencia Dec 13 '13 at 00:04
  • @robbmj The attacks are almost definitely automated, based on the amount coming through and the nature of the messages. Are you looking for the coding or the name of the fields (sorry if this has an obvious answer)? – jakeallard Dec 13 '13 at 00:06
  • No worries, I hope you find the dup link an effective solution to stop the attacker(s). Good luck. – robbmj Dec 13 '13 at 00:08
  • 1
    There's a whole bunch of methods here => http://stackoverflow.com/questions/8472/practical-non-image-based-captcha-approaches – Funk Forty Niner Dec 13 '13 at 00:12
  • Most worryingly, apparently the CAPTCHA is doing nothing to stop automated attacks. – robbmj Dec 13 '13 at 00:15

3 Answers

2
<form method="post">
  <input name="not-honeypot" type="text">
  <input name="honeypot" type="text" style="display: none">
</form>

<?php

// The honeypot field is hidden from users, so any value in it came from a bot.
if (!empty($_POST['honeypot'])) {
    // this is spam!
}

Note the display: none for [name=honeypot]. If your spammers are smart enough to not fill hidden fields, you need another way to hide the honeypot field from a user. Or not hide it at all.

neoascetic
  • 2,476
  • 25
  • 34
1

It's actually really simple. I'll attempt from memory, so typos are expected. You can always google for a more solid answer as I'm sure there are a few tutorials out there.

HTML:

<form method="POST" action="post.php">
  <input type="email" name="email">
  <input type="email" name="emailb">
  <input type="submit">
</form>

JavaScript (jQuery):

$(document).ready(function () {
  // Hide the honeypot field from real users once the page has loaded
  $("input[name='emailb']").hide();
});

post.php:

<?php
if (!empty($_POST['emailb']))
  throw new Exception("SPAAAAM");

You need to do it with JavaScript as most automated bots won't be using it. However, you also want to check for the number of forms sent in X minutes from that IP and a few other options to prevent even more. Note: don't automatically disable it, show a reCAPTCHA as a last-line measure.

Francisco Presencia
  • 8,732
  • 6
  • 46
  • 90
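The server-side check the answers above sketch, written out as an added example that is not from any of the posters: it combines the honeypot test with the per-IP submission limit the second answer mentions, and returns a "challenge" result where a CAPTCHA would be shown. The decoy field name `website`, the limits, and the JSON-file storage are assumptions; the decoy is assumed to be a plain text input in the form, hidden from users by CSS.

```php
<?php
// Added example (not from any answer); field name, limits and storage are assumed.
const HONEYPOT_FIELD  = 'website'; // hypothetical decoy field name
const MAX_SUBMISSIONS = 3;         // assumed: accepted submissions per window
const WINDOW_SECONDS  = 600;       // assumed: window of 10 minutes

// A browser always sends a named text input, even when empty, so a missing
// or non-string decoy is treated the same as a filled one.
function honeypot_tripped(array $post): bool
{
    $value = $post[HONEYPOT_FIELD] ?? null;
    return !is_string($value) || trim($value) !== '';
}

// Keeps accepted submission times per IP in a locked JSON file.
function within_rate_limit(string $ip, int $now, string $dir): bool
{
    $fh = fopen($dir . '/form_' . hash('sha256', $ip) . '.json', 'c+');
    if ($fh === false) {
        return true; // storage unavailable: fail open, the honeypot still applies
    }
    flock($fh, LOCK_EX);
    $seen = json_decode(stream_get_contents($fh) ?: '[]', true) ?: [];
    $seen = array_values(array_filter($seen, fn($t) => $t > $now - WINDOW_SECONDS));
    $allowed = count($seen) < MAX_SUBMISSIONS;
    if ($allowed) { $seen[] = $now; }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($seen));
    fclose($fh); // closing the handle also releases the lock
    return $allowed;
}

// 'spam' is dropped, 'challenge' gets a CAPTCHA, 'accept' is mailed.
function classify_submission(array $post, string $ip, int $now, string $dir): string
{
    if (honeypot_tripped($post)) {
        return 'spam';
    }
    return within_rate_limit($ip, $now, $dir) ? 'accept' : 'challenge';
}

if (PHP_SAPI === 'cli') { // constructed sample input, not real traffic
    mkdir($dir = sys_get_temp_dir() . '/hp_demo_' . uniqid());
    $decoys = ['http://spam.example', '', '', '', '']; // one bot, four human posts
    foreach ($decoys as $i => $decoy) {
        echo classify_submission(['website' => $decoy], '203.0.113.7', 1000 + $i, $dir), "\n";
    }
}
```

In a real handler the arguments would be `$_POST`, `$_SERVER['REMOTE_ADDR']` and `time()`; the arrow function requires PHP 7.4 or later.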
0

Firstly, define what spam is / could be:

Spam could consist of:
1. More uppercase characters than lowercase
2. More whitespaces than text
3. Very short posts (e.g. 10 characters long)

Then, write code to deal with it:

1. if (strlen(preg_replace('![^A-Z]+!', '', $post)) > strlen(preg_replace('![^a-z]+!', '', $post))) {
    // more uppercase than lowercase letters - spam post
}

2. if (!isset($post) || strlen(strip_tags($post)) < 150) {
    // too short - spam post
}

3. if (strlen(preg_replace('/\S/', '', $post)) > strlen(preg_replace('/\s+/', '', $post))) {
    // more whitespace than text - spam post
}

This will not stop the spam, but it should filter quite a bit of it.

user3096443
  • 180
  • 1
  • 14