junk email attacks

[bmiland]

I updated to the new version 8.16 of formmail has junk email detection features. I have been subject to this kind of attack in the past and devised a solution of my own which works quite well and I have never been bothered by form spam since I implemented it.

The form spammers look for input fields and fill it with junk, sometimes it is the same in every field which can be detected by formmail but if it is not the same junk, it gets through. My solution is to add an input field which has its value set to a randomly generated value. The field is made invisible to a user by using CSS to position it off screen and setting the tabs to skip it. I set the action to a php program which checks for that 'Key' value before invoking formmail.php.
A form spammer cannot detect that this not a vallid input field and will fill this field with junk which the key validation program detects and sends back a rude error message.

I have not been bothered by spammers on any of my websites for months.

Comments?

[russellr]

Hi,

That's good information.

It sounds like a type of Reverse Captcha.

Do you generate the random value using PHP or JavaScript? I'm guessing PHP, because otherwise how would you pass the value to your PHP checking script?

FormMail now has ATTACK_DETECTION_REVERSE_CAPTCHA which does something similar.

We use a minimum of two fields. One field has a known value - so this "proves" that it's not a random attack but one that's come via your form.

The second field must empty. So, if a bot fills it in, we know it's not a human that has filled the form.

Other fields can be included for additional strength, but it's probably not required.

But, I like your idea of generating a random value that is passed to FormMail for checking.

The question is: if a bot just left any existing non-empty text field unchanged, would that not defeat your random value technique?

If you can send me the URL for your form, I'd like to take a look at it in action and run some tests.

[bmiland]

It's actually not as sophisticated as I implied. The keyword is actually generated by any password generator program and is hardcoded in the value property. It could be generated as a new value on each form submission in which case I would use PHP. However, I haven't seen the need. It is like a form specific password which can be an arbitrarily complex combination of characters, numbers, and special characters.

The only way I can see of a bot detecting this as a password field is by checking that the tab property skips it. It cannot be a hidden input field as bots are smart enough to not modify them.

I can see that it could be easily incorporated into formmail.php.

Ben

[CHMOD000]

I'm just wondering if bots would have cookies enabled. I've been using form tokens with flash sessions, and although I haven't had any spam that looked like it was from a bot, I guess I'm just wondering if the cookie requirement would keep them from having successful posts.

[russellr]

Hi,

I've seen some evidence of bots using cookies. That's pretty easy to do.

I've also seen some evidence of bots implementing JavaScript. That's much harder to do.

[warlock]

I'm going to try this in my next forms update in the fall.
I see where your going with this.. dastardly simple yet effective..

Maybe I am not using the current spam/junk features properly but it seems that they get through. Always bot generated.. and in the majority I can tell because of all the field one is usually the same in all..

I'm marking this thread.. I'm sure I'll have more questions when I set this up.
(subscribed)

[jack34]

You should be aware that to "stop" spam, a technique often "soft" may be more useful than a "hard". It is like a jujitsu technique: instead of blocking spam interposed directly in their path, it is better to put only to trip and let it fall because of its own momentum. In the case of spam, this technique is to allow entry but marginalize (applying. HELD), slow down transactions suspected of being spam, responding very slowly during the SMTP dialogue intentionally use other techniques and "soft" similar.

[pitzerwm]

Thankfully, Formmail and recaptcha stops the spam from getting into the database.

I put up my form yesterday and within 15 minutes, I was getting the def_alert emails, today, I'm getting 10 or more an hour.

What's with these stupid people behind these bots? I guess the trick is to just eliminate the def_alert email address.

[russellr]

Hi,

No, don't eliminate DEF_ALERT - that's the only way FormMail can report problems to you.

You should use these settings to stop the annoying messages:

http://www.tectite.com/fmdoc/alert_on_user_error.php
http://www.tectite.com/fmdoc/attack_...ore_errors.php

[pitzerwm]

Ok, Russell, thanks