Online form being spammed


munro
4-24-08, 06:08 AM
Hi,
Not sure if this is the right section but it is to do with email in a way.
I run a small web site for a guest house which has an enquiry form: contact details, dates for visit, type of room, any other requests etc.
This has only been online since January but already it is getting used by spammers for porn sites and I now receive about two or three per day. I have validation on email, name, post code but they enter random digits that qualify and then put links to the porn site in the "other requests" box.

I have looked at the email addresses used and they are of the form "random"@"random".com or "random"@"random".ru so blocking a domain would not work.
I guess this is some sort of automated process they are using but is there any other sort of validation at form submission I could use OR any settings within blacklisting I could use to zap these porn submissions?

Cheers

IanS
4-24-08, 06:32 AM
I've moved it to a more general forum as it is more about form submissions than the e-mail system provided by Powweb.

Which particular form for submission are you using?

There are many ways of reducing incoming spam and many for reducing hijacking of forms. Various validation techniques could be used to weed out the unwanted 'other requests'. More information will be needed to give particular advice.

munro
4-24-08, 06:41 AM
Hi,

Here is the link to the form,
http://www.elcortijo-losvillares.com/booking.htm

IanS
4-24-08, 07:05 AM
You could try including more validation of the form (e.g. making sure the dates aren't the default ones, that the check in and check out dates are in date order and that the stay length is limited), with appropriate error messages.

You could also try to develop some validation for the 'other requests' fields. Weeding out the web addresses may be more difficult but should be possible.

Look at other sites that do a similar job and see how they do things. I've used a number of sites for booking holidays online and they normally have features you don't currently employ.

I'm hesitant to suggest a CAPTCHA type system here but ...... as long as it works and won't put off too many people it may be a short term solution.

tpoynton
4-24-08, 09:14 AM
here's a routine I found somewhere online (perhaps with help from here!) to check for a properly formed email address, and make sure that the domain name of the email address actually exists...sorry I do not have time to make proper attributions!


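//validate email address
$EmailAddy = isset($_POST['EmailAddy']) ? trim($_POST['EmailAddy']) : '';
//escape the submitted value before echoing it back, so markup in it is not rendered
$SafeAddy = htmlspecialchars($EmailAddy, ENT_QUOTES, 'UTF-8');
//preg_match with the i modifier replaces eregi, which was removed in PHP 7
//note: {2,3} rejects addresses whose top-level domain is longer than three letters
if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $EmailAddy)) {
    echo "Please provide a valid email address; $SafeAddy does not appear to be valid <br> <br> Please press the Back button on your browser and try again";
    exit;
}
//added to put in mail server check
//explode replaces split, which was removed in PHP 7
list($Username, $Domain) = explode("@", $EmailAddy, 2);
if (getmxrr($Domain, $MXHost)) {
    $ConnectAddress = $MXHost[0];
} else {
    //$ConnectAddress = $Domain;
    echo "$SafeAddy does not appear to be valid.<br><br>If you believe this is in error, please contact me using the email address that failed
<br><br>Please press the Back button on your browser to return to the previous page";
    exit;
}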

Ian's ideas are good, too - checking that the check in/check out days are not equal would also help! take a look at the other form data, too

while it is annoying, it sounds like they are using the form to spam just you - not other people, since the email address is random and not valid(?)...I might consider just deleting the couple of spam emails a day over asking people to do CAPTCHA, in the name of customer service. If you are getting dozens per day, then it may be worth asking potential customers to do this.

tpoynton
4-24-08, 09:22 AM
oops; I see you are using perl for the form submission...my post above won't help, then.

I might suggest renaming the formmail script...and you are using javascript to validate; chances are very good that the spammers have javascript turned off :)

something in here might help...
http://www.google.com/search?q=email+validation+perl

YvetteKuhns
4-24-08, 10:16 AM
I might suggest renaming the formmail script...and you are using javascript to validate; chances are very good that the spammers have javascript turned off

I agree. I prefer to validate input in the script. I rename the form processing script to something unusual but anyone can search for form ACTION without actually looking for known form processing scripts. Still, it does reduce the chances of your script being found.

It is best to make sure your form processing script must be used by a form hosted on the same ip address and/or domain name as the form itself. In other words, only YOUR form can use YOUR script. Of course, people find cached contact pages or forms and continue to use your form unless you change the URL of the form and/or the script by moving them to another directory or changing the file names.

tpoynton
4-24-08, 11:55 AM
FYI, I think I got the renaming the script idea from Yvette to begin with.

Doc C
4-24-08, 12:03 PM
How often do prospective customers use the other request box? If it's very seldom, can you remove it? Or alter it so it won't take links?

YvetteKuhns
4-24-08, 12:18 PM
The textarea box is the place where I get most spam, but I need it to know what the potential client needs. I can validate and deliberately reject ".ru" or ".in" which are common spam URLs.
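
An added example, not code from any poster in this thread: the checks suggested above (check-in and check-out in date order, a limited stay length, and no web addresses in the "other requests" box, including the ".ru" and ".in" endings just mentioned), done in the form-processing script rather than in JavaScript. The field names, the 30-night limit and the sample submissions are assumptions, and it is written in PHP like the snippet earlier in the thread, not the Perl script the original form uses.

```php
<?php
// Added example: server-side checks for a booking enquiry form.
// Field names (checkin, checkout, other_requests) and MAX_NIGHTS are assumptions.
const MAX_NIGHTS = 30;

// Parse a strict YYYY-MM-DD date; returns null for anything else (e.g. 2008-02-30).
function parse_date(string $value): ?DateTimeImmutable {
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    return ($d !== false && $d->format('Y-m-d') === $value) ? $d : null;
}

// True if free text carries something that looks like a link or a domain name.
function contains_link(string $text): bool {
    $pattern = '~(https?://|www\.|\[url|<a\s|\b[a-z0-9-]+\.(com|net|org|info|biz|ru|in)\b)~i';
    return preg_match($pattern, $text) === 1;
}

// Returns a list of error messages; an empty list means the enquiry passes.
function validate_booking(array $post, DateTimeImmutable $today): array {
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $errors = [];
    $in  = parse_date($field('checkin'));
    $out = parse_date($field('checkout'));
    if ($in === null || $out === null) {
        $errors[] = 'Please enter both dates as YYYY-MM-DD.';
    } elseif ($in < $today) {
        $errors[] = 'The check-in date is in the past.';
    } elseif ($out <= $in) {
        $errors[] = 'The check-out date must be after the check-in date.';
    } elseif ($in->diff($out)->days > MAX_NIGHTS) {
        $errors[] = 'Stays are limited to ' . MAX_NIGHTS . ' nights.';
    }
    if (contains_link($field('other_requests'))) {
        $errors[] = 'Please describe your request without web addresses.';
    }
    return $errors;
}

// Constructed sample submissions: one ordinary enquiry, one with a link and equal dates.
$today = new DateTimeImmutable('2008-04-24');
$samples = [
    ['checkin' => '2008-06-01', 'checkout' => '2008-06-08', 'other_requests' => 'Ground floor room please'],
    ['checkin' => '2008-06-01', 'checkout' => '2008-06-01', 'other_requests' => 'visit http://spam.example/'],
];
foreach ($samples as $s) {
    $errors = validate_booking($s, $today);
    echo $errors ? implode(' | ', $errors) : 'accepted', "\n";
}
```
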

Doc C
4-24-08, 12:26 PM
How about a checkbox that says "If you have special needs or other requests, check here" and then the client could be asked what they are with the request response?

I just don't see the sense in opening a door that could otherwise be closed.

tpoynton
4-24-08, 12:42 PM
I'll reiterate my 2 cents...at 2-3 spams a day, pressing delete 2-3 times per day is a small price to pay for customer convenience. I'm not saying don't take some measures, but why swat a fly with a brick when a magazine will do?

Builder
4-24-08, 12:45 PM
FWIW, I never get spam through my contact form. But the comment that tpoynton made about the spammer's bots running w/o javascript finally gave me a reason why. My form opens in a new window created by a javascript. Is that the real reason? Maybe, maybe not, but it's another, somewhat unintended, roadblock they have to negotiate.

YvetteKuhns
4-24-08, 12:46 PM
My audience rarely answers questions correctly. They usually are not very skilled with computers. They often provide URLs of websites they like. I don't get too much spam, but for a short time, I did get more than a handful through the form.

Most of my spam are NOT from my form! Some of my clients like to forward ANYTHING to me. And they send mass emails, so anyone can get my email address. But I still watch the form.

For one of my clients, I had a drop down box to allow the visitor to choose a department (sales, parts, marketing, ...). There was a default for those who did not know what department or did not make a choice. The department input was compared to an array in the form processing script which had the corresponding email address, since I did NOT want the email addresses to be visible in the form source code.

That script could be modified for even better security. Instead of a drop down box, the visitor could be forced to choose one of the departments in the array. If the input is incorrect, the visitor would have to try again. But their visitors can't even spell or they are too lazy! Still, there are different options for different audiences.

YvetteKuhns
4-24-08, 01:01 PM
My form opens in a new window created by a javascript.

Their popup blockers are probably blocking your forms! I had a client who replaced MY tell a friend form with a crappy alternative that opened in a new window with JavaScript. My popup blocker blocked it and that must have happened with many of his visitors. My form was used A LOT while the JavaScript popup was NEVER used!

The client thought the JavaScript didn't work, but it did (technically) but it was blocked or closed manually by visitors! He was grateful that I got the old one working. (Long story about a new web host that did not support CGI is why the other script was replaced.)

tpoynton
4-24-08, 03:41 PM
I have had a contact form up for 4 years, using the same perl script the OP is using. I haven't even changed the name, to be honest, and I have been spammed, literally, less than a dozen times. I don't remember the last time I was spammed through it. I'm not sure why...could part of it be that it only sends email to me?

I've set up other forms using PHP since then, and have been equally successful at not getting spam...

Doc C
4-24-08, 03:48 PM
If you give me your URL, I can spam you so you won't feel left out, typoynton. :D

tpoynton
4-24-08, 03:56 PM
If you give me your URL, I can spam you so you won't feel left out, typoynton. :D

(combining with thought from another thread)

I'm sure your boss would find that useful!

YvetteKuhns
4-24-08, 05:01 PM
If your contact page is found on Google, it has a higher chance of being spammed. My form emails go to my email address associated with my domain name and should not be able to go elsewhere.

Builder
4-25-08, 11:49 AM
Their popup blockers are probably blocking your forms! I had a client who replaced MY tell a friend form with a crappy alternative that opened in a new window with JavaScript. My popup blocker blocked it and that must have happened with many of his visitors. My form was used A LOT while the JavaScript popup was NEVER used!

The browsers I run are pretty much "stock" without too many add-ons or gee-gaws or changes to settings, which is how I perceive most of the legitimate users of my site have their browsers set up. In looking through logs and stats, there are precious few times the contact page is requested that it isn't actually used to send a message. So I don't think legit users are getting blocked.

In fact, I had thought recently about redoing the behavior of that page and have it open in the same window. However, if it is blocking spammers I think I just may leave it as is. ;)

YvetteKuhns
4-25-08, 12:07 PM
I don't install popup blockers. Firefox already has them. If JavaScript is used to open a link to a new window, that link does not open. I can allow it to be opened, but I don't normally do that. If the link opens in a new window without JavaScript, it will open and I can close it when I choose.

If people do not visit your contact page often, even fewer people will click a link or have the popup open for the form. You must have contact info on other pages, if visitors don't bother visiting your contact page. My contact page gets high ranking and visits. I used to get legitimate form submissions every day. I removed contents to reduce the requests for "freebies".

You can try to increase or decrease visits to your contact page or form page. If you don't want (bad) people to use the form, simply put contact info on every page of your website but not a link to the form. You can "hide" a link to the form by putting a link on a page that is NOT listed on search engines. Or have the form page and script not listed on search engines.

Builder
4-25-08, 12:22 PM
I don't install popup blockers. Firefox already has them.

That's the thing though, Firefox doesn't (or hasn't) blocked my form from opening. I think the popup blocker in Firefox only blocks onLoad= -type popups. I used to get those all the time but fewer and fewer sites are using them -- probably because of the proliferation of blockers, as well as the annoyance factor; they just didn't achieve their purpose anymore because they annoyed people.

munro
4-28-08, 06:17 AM
Hi,

I've been away for the weekend, hence the absence of any reply.
I think I will approach this in small steps, so
1. I have changed the name of Formmail.pl to something unique, so let's see if that makes a difference.
2. We are deleting the spam emails but they are a nuisance so elimination is preferable.
3. If that doesn't work then I will implement captcha for, say, a month to see if that works.

Thanks for all the input.