I just switched from FORMMAIL to phpFormGenerator. Everything is going well, but I am getting tons of spam submitted through forms.
I am pretty sure that I can identify the spam patterns. Is there a way to reject the submission based on rules that I create?
Thanks!
James
I'm actually surprised you are getting spammed but there are many ways to prevent it. The process.php file can be modified to prevent most attacks. The most common is to only allow form data from the URL where your form1.html file is located.
TNTEverett, thanks for the reply.
My apologies, I did not explain myself fully. The spammer is using the form on my site -- process.php is modified to only accept submissions from my domain. What is happening is that the spammers have a bot that is filling out and submitting the form, but most of the spam submissions include:
http://mywebpage.netscape.com/...
http://freewebtown.com/...
http://hometown.aol.com/...
etc...
What I am asking is: is there a way to reject or delete submissions that begin with the above?
Does that make sense or did I confuse it?
I have to do something because yesterday alone I got 1000+ submissions.
Thanks!
James
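Add this stuff near the top of your process.php file. Is this what you are looking for? This requires that the data come from your form1.html file. There are other methods to make sure your form1.html file is not being populated by some automated task.
// Request metadata; getenv() returns false when a header is missing, so cast to string
$ref = (string) getenv("HTTP_REFERER");
$uri = (string) getenv("REQUEST_URI");
$adr = (string) getenv("REMOTE_ADDR");
// The Referer header is sent by the client, so escape it before adding it to HTML output
$error .= "<br>Referred from: " . htmlspecialchars($ref) . "<br>IP: " . $adr;
// ereg() was removed in PHP 7; preg_match() on the quoted literal URL is the equivalent test
$match = preg_match('#^' . preg_quote('http://url_path_to_your_form/form1.html', '#') . '#', $ref);
if (!$match) { $errors = 1; }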
Hi,
I added the suggested code, but unfortunately still get plenty of spam because they seem to be using cheap labour HUMANS.
The only reason for them to spam is to add loads of links into the comments field in the hope we click on them. I have managed to strip the URLs but they obviously don't know so keep submitting their spam.
Can anyone suggest the PHP code to actually stop the form from being submitted if it contains any URL in the comments field, and redirect them to a 'sorry-no-links-allowed.html' page?
Appreciate your help.
- Vince
Try adding this simple CAPTCHA example.
https://sourceforge.net/forum/message.php?msg_id=4304698
Hi TNTEverett,
Thanks for the suggestion, but captcha does help in this case as you may have missed I mentioned they are using real humans to post the spam comments.
Someone on Sitepoint forums mentioned the following code, but I don't know how to implement into phpFormGenerator:
if (eregi("your pattern here", $message)) { header('Location: nolinks.html'); }
I did not miss anything. You have to ask yourself some basic questions.
1.) Why would anybody want to spam your form?
2.) Why would anyone hire bodies to do nothing but fill forms with no gain?
You can provide all kinds of security and form filters for what you think is the issue but if someone wants to spam your form they will find a way.
Take a look here, maybe you can use a variation on this domain name check. My guess would be that if you take out the beginning of line "^" from the front it should check the whole variable for any occurrence of a domain name.
http://us.php.net/eregi
This is a simple function that uses eregi() function to validate a domain name (according to the RFC 1034).
function check_host($host) {
if (
eregi("^[[:alpha:]]+([-[:digit:][:alpha:]]*
[[:digit:][:alpha:]])*(\.[[:alpha:]]+
([-[:digit:][:alpha:]]*[[:digit:][:alpha:]])*)
*$",$host)
) {
return 1;
} else return 0;
};
NOTE: This expression must be written on a single line to work
I had to break it on separate lines to post on the site.
Returns 1 if $host is an RFC compliant domain name else returns 0.
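An added example (not code from the thread or from phpFormGenerator) of the rule-based rejection asked about above: it rejects a submission whose comments field contains a link, always blocks the hosts from the spam samples quoted earlier, and redirects to the page Vince names. It uses preg_match_all() because ereg() and eregi() were removed in PHP 7; the function names, the `comments` field name and PHP 8 are assumptions.

```php
<?php
// Added example: helper names are hypothetical, not part of phpFormGenerator. Needs PHP 8.
// Hosts taken from the spam samples quoted in the thread.
const BLOCKED_HOSTS = ['mywebpage.netscape.com', 'freewebtown.com', 'hometown.aol.com'];

// Return the lower-cased hosts of every http(s):// URL or bare "www." name in $text.
function extract_hosts(string $text): array
{
    // Optional "user@" is skipped so http://x@freewebtown.com still yields the real host.
    preg_match_all('~(?:https?://(?:[^\s/@]*@)?|\b(?=www\.))([a-z0-9][a-z0-9.-]*)~i', $text, $m);
    $hosts = array_map(fn($h) => rtrim(strtolower($h), '.-'), $m[1]);
    return array_values(array_unique($hosts));
}

// Return the reason a comment is rejected, or null when it is acceptable.
function spam_reason(string $comment, bool $allowLinks = false): ?string
{
    foreach (extract_hosts($comment) as $host) {
        foreach (BLOCKED_HOSTS as $blocked) {
            // Match the blocked host itself and any subdomain of it.
            if ($host === $blocked || str_ends_with($host, '.' . $blocked)) {
                return "blocked host: $host";
            }
        }
        if (!$allowLinks) {
            return "link not allowed: $host";
        }
    }
    return null;
}

// In process.php, before the mail/database step.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $c = $_POST['comments'] ?? '';               // assumed field name
    $reason = spam_reason(is_string($c) ? $c : '');
    if ($reason !== null) {
        error_log('form rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ": $reason");
        header('Location: sorry-no-links-allowed.html');
        exit; // without exit the script carries on and still processes the submission
    }
}

// Constructed sample inputs, shown when run from the command line.
if (PHP_SAPI === 'cli') {
    foreach (['Nice site!', 'see http://freewebtown.com/x', 'visit www.example.org'] as $c) {
        echo $c, ' => ', spam_reason($c) ?? 'accepted', "\n";
    }
}
```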
I am having a similar problem though not as much spam as Vince is having. I have installed the fixes mentioned here and still get some. I am using the previous version to ver 3. Besides the URL check and CAPTCHA, what other forms of security against spam are available? Thank you in advance for the help.
Depends on the type of spam you are receiving. You could block URLs from specific domains, block emails from specific domains, make more fields required, make more specific field entry checks, and many more but less is better.
If you have done the URL check correctly then people must be accessing the form through your site and therefore you are getting exposure to your site. If you have done the CAPTCHA correctly then there must be a person filling in the form so you have to ask yourself "why would someone want to spam your form?".
See if you can track the form entry by adding the ENV field type to your form and add some text to the form warning users that their IP address is being recorded. You may also be able to track form entry with your web log files.