1

I'm caught in a hard place where I am being forced to use ASP classic on some web forms. I don't want to get spammed, but I am unaware of how to create a honeypot with .asp classic.

Is this possible or will I have to use a captcha field?

Or is there a better way to prevent spam with asp classic?

Form Fields:

<div class="row">
            <div class="col-md-offset-1 col-md-10">
                <form class="form-horizontal" role="form" method="post" action="submit.asp">
                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-8">
                            <input type="text" class="form-control" name="Name" placeholder="Name" required/>
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-8">
                            <input type="email" class="form-control" name="Email" placeholder="Email" required/>
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-8">
                            <input type="tel" class="form-control" name="Phone" placeholder="Phone Number">
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-8">
                            <input type="text" class="form-control" name="Subject" placeholder="Subject">
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-8">
                            <textarea name="Info" class="form-control" rows="3" placeholder="Message"></textarea>
                        </div>
                    </div>

                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-8">
                            <button class="btn btn-theme btn-lg btn-block" type="submit" value="Send">Send message</button>
                        </div>
                    </div>
                </form>
            </div>
</div>

<%

Dim EmailFrom
Dim EmailTo
Dim Subject
Dim Name
Dim Phone
Dim Email
Dim Questions


EmailFrom = "name@company.com"
EmailTo = "chad.bridges@company.com"
Subject = Trim(Request.Form("Subject"))
Name = Trim(Request.Form("Name"))
Phone = Trim(Request.Form("Phone")) 
Email = Trim(Request.Form("Email")) 
Questions = Trim(Request.Form("Info")) 

Dim Body
Body = Body & "Name: " & VbCrLf
Body = Body & Name & VbCrLf
Body = Body & "Subject: " & VbCrLf
Body = Body & Subject & VbCrLf
Body = Body & "Phone: " & VbCrLf
Body = Body & Phone & VbCrLf
Body = Body & "Email: " & VbCrLf
Body = Body & Email & VbCrLf
Body = Body & "Questions: " & VbCrLf
Body = Body & Questions & VbCrLf

Dim ObjSendMail
Set ObjSendMail = CreateObject("CDO.Message")
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2 
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") ="10.000.00.000"
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 00
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False 
ObjSendMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60

ObjSendMail.Configuration.Fields.Update

ObjSendMail.To = "chad.bridges@company.com"
ObjSendMail.Subject = "Website Request"
ObjSendMail.From = EMailFrom
ObjSendMail.TextBody = Body
ObjSendMail.Send

Set ObjSendMail = Nothing

Response.Redirect("Index.html#contact")
%>
Chad Yikki
  • Are you _sure_ you want to create a [honeypot](http://en.wikipedia.org/wiki/Honeypot_%28computing%29)? – stuartd May 11 '15 at 15:10
  • Well, that might not be the correct term, but I have always referred to empty fields that are hidden with js to be honeypots. I'm sure that it isn't the most effective way to hinder spam, but I'm a designer being told to do things because I'm the IT person. – Chad Yikki May 11 '15 at 15:19
  • You should really have searched SO first before posting this - it's really an unnecessary question. – Paul May 12 '15 at 08:05

2 Answers

2

I have had good luck using 3 types of spam prevention on every submit page, even sign-in and sign-up pages. Because ASP is kind of old, you might want to keep it simple and only use numeric values as checks with one hidden spam bot field. Keep the human approach. Note: the code is just pieces of my active site; take the ideas and be creative for your site.

  • Email Forms: hidden field, math question and captcha.
  • Registration page: math question and captcha.
  • Login (sign in): math question.

1. Hidden field

<input type="hidden" name="email" value="" />

Maybe your code looks like this:

Response.Write("<input type=""hidden"" name=""email"" value="""" />" & vbCrLf)

2. Numeric question: This requires a simple function and it does a very good job. We want to randomize numbers 1 to 9 so no answer is ever higher than 18 and never 0.

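str1R = RandomNumber(1,9)
str2R = RandomNumber(1,9)
' Store the expected answer under the same key the check reads later
Session("str3R") = (str1R + str2R)


Function RandomNumber(LowNumber, HighNumber)
     Randomize
     ' Int (not Round) keeps the result within LowNumber..HighNumber
     RandomNumber = Int((HighNumber - LowNumber + 1) * Rnd + LowNumber)
End Function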

HTML might look like:

<label>Question: What is <%=str1R%> + <%=str2R%> ?</label>
<div>
  <div>
    <input type="number" name="question" id="question" required />
    <input type="hidden" name="a" id="a" value="1" />
  </div>
</div>

strA = Request.Form("a")
strQuestion = Left(Request.Form("question"),2)
If IsNumeric(strQuestion) Then
    'do notta
Else
    strQuestion = -1
End If
If IsNumeric(Session("str3R")) Then
    Session("str3R") = Trim(Session("str3R"))
Else
    Session("str3R") = 0
End If
strMath = ((Session("str3R") - strQuestion) = 0) 'Now we have True or False
If (strMath = True) Then 'Do your ASP Classic Stuff.
    Select Case strA
        Case 1
            'Sends Email
        Case 2
            'Submits Registration
    End Select
End If

3. CAPTCHA: I mean the CheckCAPTCHA() function, not those "I can't ever seem to read". I've used numeric values for CAPTCHA for 16 years and only had 2 complaints; when I tried the more complex versions, so many couldn't see the letters and numbers very clearly. (ASP = OLD + Members)

Google: Dim newBitmap(21,87) Dim vDistort(8). In the number one slot of your Google results should be the full ASP Classic numeric CAPTCHA code. It's old, it's numbers, it works. I don't think modern BOTS even detect this old bitstream. (humor)

If you need working examples just ask; it takes a bit to set up a test page, but if you're new to forms and need spam prevention it's best to learn more than one method. At any "False" point of all form submissions you should know if it's Human or BOT.

I often stop code on BOT traffic with Response.End

With Humans I respond with instructions and what might have gone wrong: "The math question, you missed it by x much".

The Math Question can be replaced with an image "What is in this picture?" using a dog, apple, cat, something with limited possible responses.

Murray W
  • I'll try some of these, currently the main problem is a contact form that sends an email. Basically they fill out the fields, then it sends an email to us. I am currently declaring the variables, then trimming the responses, then formatting them in the email body, then sending it smtp. I definitely hope I can get something cause it is like 20 emails a day that are spam, and I know someone is going to cause a problem with doing something those emails say. – Chad Yikki May 12 '15 at 20:17
  • You will see great results with the code above. That code will be 20 years old this Oct. 2015 for 1 of my old ASP sites. BOT SPAM = ZERO, HUMAN SPAM a few per year and that's filtered by a Geo to IP. – Murray W May 12 '15 at 21:20
  • Make your forms sanitize any data that is sent to your CreateObject("cdo.message"). Example, validate the email by using IsEmailValid(str) functions and strip HTML you don't need. Example, I do not see why anyone would need to send me an HTTP link, so I have a filter that just stops the process if any HTML code is detected. Post your code that you are working on if you need specifics. – Murray W May 12 '15 at 21:26
  • @ChadYikki Ah Grasshopper, you have much to learn in the ways of Classic ASP. Your first assignment: "Sanitize the Code", "Validate the Input". Good code practices follow rules that may take an additional 10 minutes but will save you hours later. The SendMail CDO code listed should be placed in a Function call. This way you can do your Checks and Validate the input then Sanitize before sending to the function call. You will need a "Message Sent" and "On Error" trap just in case your CDO fails to connect or something tosses a 500 error. Migrating from 2003 I bet. – Murray W May 13 '15 at 21:17
  • Sanitize the input with code: If Len(Name) = 0 Or Name = "" Then. Or do things to make it all true: If (Len(Name)>= 1) And (Len(Subject)>=1) And (Len(Phone)>=1) And (Len(Questions)>= 1) Then Call SendEmail(strBody). Validate the Email the user submitted; google "IsValidEmail(strEmail) bIsValid = True" for a good example. – Murray W May 13 '15 at 21:36
  • I am absolutely new to any sort of programming (insert SO making fun of designers), so I have little to no idea of what I am doing. That aspcaptcha number generator is quite cool and I would really like to integrate it. – Chad Yikki May 20 '15 at 18:17
  • @ChadYikki, post your form fields above your CDO.Message code and I'll offer up a good time proven ASP forms page code layout. Then all you have to do is format to fit your site. The page will be asp with html. – Murray W May 20 '15 at 21:36
  • I went ahead and added them, I probably will in the future build out a resume submittal form which would also have a selection box and attachment. – Chad Yikki May 21 '15 at 14:45
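
The math check from this answer combined with the validation suggested in its comments, written as a guard for the top of submit.asp (inside the `<% %>` block). This is an added example, not Murray W's site code: `Session("str3R")`, `question` and the form field names come from the posts above, while the helper names, length limits and messages are assumptions, and the `Dim` and field assignments replace those in the question's code.

```vbscript
' Added example (not from the original answer). Runs before the CDO.Message code.
' Compare the posted answer with the sum stored when the form was rendered.
Function MathAnswerOk()
    Dim expected, given, digits
    expected = Session("str3R")
    Session.Contents.Remove "str3R"      ' single use: a replayed POST fails
    given = Trim(Request.Form("question") & "")
    Set digits = New RegExp
    digits.Pattern = "^[0-9]{1,2}$"      ' sums of two numbers 1..9 are 2..18
    MathAnswerOk = False                 ' missing session value or odd input fails
    If IsEmpty(expected) Or Not IsNumeric(expected) Or Not digits.Test(given) Then Exit Function
    MathAnswerOk = (CInt(expected) = CInt(given))
End Function

' Single-line fields: trim, replace CR/LF with spaces, cap the length.
Function CleanLine(value, maxLen)
    Dim s
    s = Replace(Replace(Trim(value & ""), vbCr, " "), vbLf, " ")
    CleanLine = Left(s, maxLen)
End Function

' Shape check only: something@something.tld with no spaces or angle brackets.
Function LooksLikeEmail(addr)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]{2,}$"
    LooksLikeEmail = re.Test(addr)
End Function

Dim Name, Email, Subject, Phone, Questions, problem
Name = CleanLine(Request.Form("Name"), 100)        ' limits are assumed values
Email = CleanLine(Request.Form("Email"), 254)
Subject = CleanLine(Request.Form("Subject"), 150)
Phone = CleanLine(Request.Form("Phone"), 30)
Questions = Left(Trim(Request.Form("Info") & ""), 4000)

If Not MathAnswerOk() Then
    problem = "The answer to the math question was wrong or has expired."
ElseIf Len(Name) = 0 Or Len(Questions) = 0 Then
    problem = "Name and message are required."
ElseIf Not LooksLikeEmail(Email) Then
    problem = "Please enter a valid email address."
ElseIf InStr(Questions, "<") > 0 Then
    problem = "HTML is not accepted in the message."
End If
If Len(problem) > 0 Then
    Response.Write Server.HTMLEncode(problem)   ' tell a human what to fix
    Response.End                                ' nothing below runs, no mail is sent
End If
```
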
1

I recommend going with the general best practices for preventing form spam. This is typically done on the client side (honeypots, captchas, etc.) so using Classic ASP (a server side technology) doesn't matter. Also, there's nothing special about Classic ASP that will help or hinder your attempts to block spam.

With that said, you'll find some good ideas in the answers to this question:

How to prevent robots from automatically filling up a form?

Community
Keith
  • Well I would have to verify this as being a blank field and to disregard that and I don't know how to do that with .asp. – Chad Yikki May 11 '15 at 17:45
  • @ChadYikki Then check out this question: http://stackoverflow.com/questions/18110633/how-to-check-if-a-post-submitted-field-exists-in-vbscript – Keith May 11 '15 at 17:52
  • Oh, so I can just make js that checks if the field is filled and if it is it just ignores it? – Chad Yikki May 11 '15 at 18:29
  • Yes, you can check the field in either js or ASP. – Keith May 11 '15 at 18:42
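
A server-side version of the empty-field check discussed in the comments above, as an added example that is not code from either answer. The field name `website`, the `hp-field` wrapper and the function name are assumptions; the code belongs inside the `<% %>` block at the top of submit.asp, before the mail is built.

```vbscript
' Added example (not from the original answers).
' Assumed markup inside the form; real visitors never see or fill this field:
'   <div class="hp-field" style="display:none" aria-hidden="true">
'     <input type="text" name="website" value="" tabindex="-1" autocomplete="off">
'   </div>
Const HONEYPOT_FIELD = "website"   ' hypothetical name, must not clash with a real field

' Returns "human", "missing" or "filled".
Function HoneypotVerdict()
    If Request.Form(HONEYPOT_FIELD).Count = 0 Then
        ' A browser posts the field even when it is empty and hidden by CSS,
        ' so its absence means the POST was not produced by our form.
        HoneypotVerdict = "missing"
    ElseIf Len(Trim(Request.Form(HONEYPOT_FIELD) & "")) > 0 Then
        ' Something was typed into a field no person can see.
        HoneypotVerdict = "filled"
    Else
        HoneypotVerdict = "human"
    End If
End Function

If Request.ServerVariables("REQUEST_METHOD") <> "POST" _
   Or HoneypotVerdict() <> "human" Then
    ' Answer exactly as a successful submit would, so an automated sender
    ' gets no signal that the message was dropped, then stop the script.
    Response.Redirect "Index.html#contact"
    Response.End
End If

' The existing CDO.Message code continues here for accepted posts.
```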