Discussion:
How to prevent contact form spam?
majica_films
2008-07-28 13:08:47 UTC
I've spent HOURS looking for a way to stop spam through the form on my website.
I've looked at various solutions but they either cost too much money, or flat
out don't work (tutorials are great....but not when what they tell you to do
doesn't match the files you've been given)

I've given up now, I'd rather take the spam than waste several more hours
trying to stop it, but, should anyone here have a quick easy solution that
won't take several hours and give me a headache, I'd really appreciate it.

Below is the code of the page the form is on (with the bits that don't matter
taken out), I'm using formmail.cgi. You can view the page here:
http://www.controlshop.co.uk/Contact/ContactForm.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>The Control Shop</title>
<style type="text/css">
<!--
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
  if (document.getElementById) {
    var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) {
      test=args[i+2];
      val=document.getElementById(args[i]);
      if (val) {
        nm=val.name;
        if ((val=val.value)!="") {
          if (test.indexOf('isEmail')!=-1) {
            p=val.indexOf('@');
            if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
          } else if (test!='R') {
            num = parseFloat(val);
            if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
            if (test.indexOf('inRange') != -1) {
              p=test.indexOf(':');
              min=test.substring(8,p); max=test.substring(p+1);
              if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
            }
          }
        } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n';
      }
    }
    if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
  }
}
//-->
</script>
</head>

<form action="/cgi-bin/formmail" method="post" name="form1" id="form1"
onsubmit="MM_validateForm('Contact name','','R','Telephone','','RisNum','What are you looking for?','','R');return document.MM_returnValue">
<input type="hidden" name="recipient" VALUE="***@controlshop.co.uk">
<label>
<div align="right"><span class="style8">*</span> - Required fields<br />
<br />
</div>
<div align="right"> <span class="style8">*</span>Contact name:
<input type="text" name="Contact name" id="Contactname" />
<br />
<br />
Company name:
<input type="text" name="Company name" id="Companyname" />
<br />
<br />
<span class="style8">*</span>Telephone:
<input type="text" name="Telephone" id="Telephone" />
<br />
<br />
Fax:
<input name="Fax" type="text" id="Fax" value="" />
<br />
<br />
E-mail:
<input type="text" name="E-mail" id="E-mail" />
<br />
<br />
<span class="style8">*</span>What are you looking for?<br />
<textarea name="What are you looking for?" id="Whatareyoulookingfor"
cols="22" rows="5"></textarea>
<br />
<br />
<input name="Send" type="submit" id="Send" value="Submit" />
<br />
<br />
<input type="reset" name="Reset" id="button" value="Reset" />
<br />
<input TYPE="hidden" NAME="redirect"
VALUE="http://www.controlshop.co.uk/thankyou.htm">
<input TYPE="hidden" NAME="return_link_url"
VALUE="http://www.controlshop.co.uk/thankyou.htm">
</div>

</label>
<p align="right">&nbsp;</p>
<div align="center"></div>
</form>
<script type="text/javascript">
<!--
var MenuBar1 = new Spry.Widget.MenuBar("MenuBar1",
{imgRight:"../SpryAssets/SpryMenuBarRightHover.gif"});
//-->
</script>
</body>
</html>
P@tty Ayers ~ACE
2008-07-28 13:31:13 UTC
How much of that form-spam do you get? Is it really enough to be a problem?
I just delete it.
--
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate Worksheet
--
eclipsme
2008-07-28 13:42:37 UTC
Post by majica_films
I've spent HOURS looking for a way to stop spam through the form on my website.
I've looked at various solutions but they either cost too much money, or flat
out don't work (tutorials are great....but not when what they tell you to do
doesn't match the files you've been given)
Google honeypot.

Add an empty field to your form and hide it through css. It will not
show to users, but will to bots.

In your script, test that the field is still empty. If not, toss it.

Harvey
SnakEyez02
2008-07-28 14:06:17 UTC
Have you tried using CAPTCHA? This is the image that shows numbers, letters,
etc and asks the user to match it. You would probably have to use Javascript
to create the CAPTCHA image because you are serving HTML pages and not another
server-side language like PHP or ASP. That will help a little.

I'm not sure what else you have tried but if you list some examples I can try
not to repeat them.
A.Translator
2008-07-28 14:17:40 UTC
Post by SnakEyez02
Have you tried using CAPTCHA? This is the image that shows numbers, letters,
etc and asks the user to match it.
Most people find these things very annoying.

A while ago Joe Makowiec posted a similar solution to the one Harvey just
mentioned but Joe uses javascript, not css. This is what Joe wrote:

What I've taken to doing is adding a hidden field using an external
javascript, and adding a noscript element for those few (live) people
who don't have javascript enabled, thus:

In foil.js:

// JavaScript Document
document.write("<input name='foil' type='hidden' value='orange' />");

and in the mail form:

<script language="JavaScript" src="foil.js"
type="text/JavaScript"></script>
<noscript>
<tr>
<td>Enter 'orange' here:</td>
<td><input name='foil' /></td>
</tr>
</noscript>

Then check in the processing script for a field named 'foil' with a
value of 'orange'. Until form-spam-bots start running javascript,
this should be effective.
--
Regards,
Adriana.
[ put out the rubbish if you need to reach me by e-mail ]
www.spinsister.nl
Michael Fesser
2008-07-28 14:23:55 UTC
.oO(A.Translator)
Post by A.Translator
A while ago Joe Makowiec posted a similar solution to the one Harvey just
What I've taken to doing is adding a hidden field using an external
javascript, and adding a noscript element for those few (live) people
// JavaScript Document
document.write("<input name='foil' type='hidden' value='orange' />");
<script language="JavaScript" src="foil.js"
type="text/JavaScript"></script>
<noscript>
<tr>
<td>Enter 'orange' here:</td>
<td><input name='foil' /></td>
</tr>
</noscript>
Then check in the processing script for a field named 'foil' with a
value of 'orange'. Until form-spam-bots start running javascript,
this should be effective.
Not all users have JS! There are better methods. "Honeypot" was already
mentioned, another one is described in this thread:

An unobtrusive partial alternative to CAPCHA
<http://groups.google.com/group/comp.infosystems.www.authoring.html/browse_thread/thread/f02329c126cb94db>

(Msg-ID: <news:***@bsb.me.uk>)

Micha
A.Translator
2008-07-28 14:29:11 UTC
Post by Michael Fesser
Not all users have JS!
That is a myth ;-)

Of course you are right. I will have a look at the method you suggest, but it
doesn't seem as easy as Joe's solution.
--
Regards,
Adriana.
[ put out the rubbish if you need to reach me by e-mail ]
www.spinsister.nl
Michael Fesser
2008-07-28 14:34:15 UTC
.oO(A.Translator)
Post by A.Translator
Post by Michael Fesser
Not all users have JS!
That is a myth ;-)
On my sites 2-10%. Quite a lot.

Micha
A.Translator
2008-07-28 14:36:12 UTC
Post by Michael Fesser
On my sites 2-10%. Quite a lot.
So it is. I was only kidding.
--
Regards,
Adriana.
[ put out the rubbish if you need to reach me by e-mail ]
www.spinsister.nl
Michael Fesser
2008-07-28 14:51:12 UTC
.oO(A.Translator)
Post by A.Translator
Post by Michael Fesser
On my sites 2-10%. Quite a lot.
So it is. I was only kidding.
Yep, I saw the smiley. ;)

Micha
majica_films
2008-07-28 14:43:59 UTC
I tried captchas as a last resort, got nowhere with them. Also hate them and
would rather not use them.

Looked at hidden fields but can't that get you taken off search engine
databases? (Not an option, we rely on people finding us on search engines)

I was thinking more along the lines of having an untitled jpeg of one or
several easily readable words that never change, asking the user to type in the
word (one would be highlighted if there was more than one) and only allowing
the form to be sent if what was entered matched.
e.g. the jpeg would say "orange", and unless that field of the form contained
the word "orange" it wouldn't send.

Is this possible or at all any more secure? Any ideas (if it would work) how I
go about doing that? (my knowledge of forms etc isn't huge)
Murray *ACE*
2008-07-28 15:03:22 UTC
Post by majica_films
Looked at hidden fields but can't that get you taken off search engine
databases? (Not an option, we rely on people finding us on search engines)
Not at all.
Post by majica_films
Is this possible or at all any more secure? Any ideas (if it would work) how I
go about doing that? (my knowledge of forms etc isn't huge)
It's secure, but not accessible. Honeypot is the way to go.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Michael Fesser
2008-07-28 15:40:50 UTC
.oO(majica_films)
Post by majica_films
I tried captchas as a last resort, got nowhere with them. Also hate them and
would rather not use them.
Looked at hidden fields but can't that get you taken off search engine
databases? (Not an option, we rely on people finding us on search engines)
I was thinking more along the lines of having an untitled jpeg of one or
several easily readable words that never change, asking the user to type in the
word (one would be highlighted if there was more than one) and only allowing
the form to be sent if what was entered matched.
But that's exactly what a graphical CAPTCHA does! With all its
accessibility problems (thought about users who can't see the image?)
Post by majica_films
e.g. the jpeg would say "orange", and unless that field of the form contained
the word "orange" it wouldn't send.
Such simple CAPTCHAs are almost trivial to break even with the most
simple OCR technique. And even more complicated ones are not safe, as
the most recent attacks against Google's CAPTCHAs show:

Google’s CAPTCHA busted in recent spammer tactics
http://securitylabs.websense.com/content/Blogs/2919.aspx

Here's another quite nice example for "social engineering" - sex sells:

CAPTCHA fun
http://honeyblog.org/archives/165-CAPTCHA-fun.html
(Caution: the linked movie contains adult content!)

Micha
Michael Fesser
2008-07-28 14:18:58 UTC
.oO(SnakEyez02)
Post by SnakEyez02
Have you tried using CAPTCHA?
Please don't! It's the worst and most inaccessible of all methods.

Micha
Murray *ACE*
2008-07-28 14:18:34 UTC
Honeypot is way better than captcha in my opinion.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Vix
2008-07-28 14:46:39 UTC
Ask a simple question, that only a human would know the answer to, e.g.
is the sun hot or cold or is grass green or blue and only submit the
form if the field contains the word "hot" or "green".
bregent
2008-07-28 15:51:34 UTC
Is projecthoneypot.org the only/best one?
No. Honeypot is simply a technique. Anyone that can write server side code can
script it in minutes. Do you need to use perl/cgi or can you use another
scripting language?
majica_films
2008-07-28 16:05:10 UTC
The current form uses perl (I think, can't seem to get to the file using my FTP program) but it might be cgi...can use either.
bregent
2008-07-28 16:07:51 UTC
Post by majica_films
The current form uses perl (I think, can't seem to get to the file using my
FTP program) but it might be cgi...can use either.
What I mean is can you use PHP or ASPVBscript instead of perl/cgi? Check your
hosting plan.
Nancy O
2008-07-28 18:08:21 UTC
If your server supports PHP, this ***@ailer script from DB Masters
conceals your email address from prying eye email harvesters and it has
several spam controls built into its script including hidden field
(honeypot), "sorta captcha," and time limits on submissions to keep robots
from exploiting your forms. Free to use if you credit the author; $20 if
you don't.

http://dbmasters.net/index.php?id=4

Q&A Forum - http://dbmasters.net/forum.php?id=3&fid=9


--Nancy O.
Alt-Web Design & Publishing
www.alt-web.com
majica_films
2008-07-29 09:40:22 UTC
Can use PHP but can't get that ***@iler to work.
With PHP 5 enabled I get a "Page cannot be displayed" error, with PHP 4
enabled it just goes to a blank page.
Perhaps messed something up when customizing it. That seems to be where my
problem lies with most things I've tried....getting them to work with the
working form I already have. No doubt I could get these to work if I used the
plain boring not-quite-what-I-need forms that come ready made, but if the form
doesn't tell me what I need to know then it's kinda useless having it in the
first place.

I've tried signing up on projecthoneypot as the website appears to be working
today.....the e-mail verification doesn't seem to be working though.

Perhaps I'll just go with the simple "ask a question only a human could answer"
What would I need to put where to only allow the form to be sent if field "x"
contains word "y"?
majica_films
2008-07-29 15:09:50 UTC
Post by majica_films
Perhaps I'll just go with the simple "ask a question only a human could answer"
What would I need to put where to only allow the form to be sent if field "x"
contains word "y"?

Would this work? Or does it also rely on the user having JS turned on?
Murray *ACE*
2008-07-29 15:11:52 UTC
It does not rely on that. It's just an unnecessary intrusion, when other,
less intrusive and completely passive methods work so well.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
majica_films
2008-07-29 15:40:15 UTC
Well I seem to have tried everything else with no luck.

If someone can tell me a free, easy, quick, simple way I can protect my
current form (so without having to redo it or completely re-design it etc) that
I haven't already tried then I'll give it a go....but I'm now coming up to 2
solid days of trying to come up with a solution and I've just about had enough.
True, the amount of spam I'm getting at the moment isn't really a problem, but
I'd rather stop it now than wait until I'm getting thousands of e-mails a day
that clog up the system.
Murray *ACE*
2008-07-29 16:00:30 UTC
The honeypot method is the best. But it does mean that you have to get into
the code.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
majica_films
2008-07-30 09:10:17 UTC
I don't mind having to get into the code, I just don't want to have to start
from scratch.

As I've said before, I'm not paying for that webformanti-spam or whatever it
is that has been mentioned, not even going to try it. I'm also not going to use
a captcha....they annoy the hell outta me and I'm not putting one on my website.

Either, I want to ask a simple question and only allow the form to be
submitted if the field contains a certain word
or
I want to hide a field and not submit the form if it isn't empty.

I don't know how to do either and would just like either an explanation of
how to do one/both, or at least a kick in the right direction. (Link to a
tutorial or something)



eclipsme
2008-07-30 11:30:24 UTC
added to form:

<input name="add2" value="" class="diebot">

added to css:

.diebot {display: none;}


added to processing script:

// checks if bot
if ($_POST['add2'] != '' )
{
// The hidden fields have been changed
// Do something
die("Changed field");
}
// Continue the script...

Hope that helps (and hope I got all the squiggles right!) With a nod to
Murray.

Harvey
Post by majica_films
I don't mind having to get into the code, I just don't want to have to start
from scratch.
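
An added example, not code from any poster in this thread: a small PHP processing script showing where the honeypot test from the post above has to run, namely in the server-side script that the form's action points to rather than in the page's script block. The file name contact.php, the human_check field with its answer, and the recipient address are assumptions made for the illustration; add2 is the honeypot field from the post.

```php
<?php
// contact.php: hypothetical handler for this illustration. The form would use
// action="contact.php" and keep the hidden field from the post:
//   <input name="add2" value="" class="diebot">
// Everything here runs on the server, so it still applies when a bot ignores
// the page's CSS and JavaScript and POSTs straight to this URL.

const RECIPIENT = 'sales@example.com';  // placeholder address (assumption)
const HONEYPOT  = 'add2';               // honeypot field name from the thread
const QUESTION  = 'human_check';        // hypothetical "Is grass green or blue?" field; '' disables it
const ANSWER    = 'green';              // assumed expected answer

/** Return a field as a trimmed string; absent or array-valued fields become ''. */
function field(array $post, string $name): string
{
    $value = $post[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

/** Return the reason a submission is rejected, or null when it is accepted. */
function spam_reason(array $post): ?string
{
    // Honeypot: visitors never see the field, so any content came from a bot.
    if (field($post, HONEYPOT) !== '') {
        return 'honeypot filled';
    }
    // Optional question, compared without regard to case.
    if (QUESTION !== '' && strcasecmp(field($post, QUESTION), ANSWER) !== 0) {
        return 'wrong answer';
    }
    return null;
}

$method = $_SERVER['REQUEST_METHOD'] ?? '';
if ($method === 'POST') {
    $reason = spam_reason($_POST);
    if ($reason !== null) {
        error_log('contact form rejected: ' . $reason);
        http_response_code(400);
        exit('Submission rejected.');
    }
    // PHP turns spaces in field names into underscores, so the form's
    // "Contact name" arrives as $_POST['Contact_name'].
    $fields = ['Contact_name', 'Company_name', 'Telephone', 'Fax', 'E-mail',
               'What_are_you_looking_for?'];
    $body = '';
    foreach ($fields as $name) {
        $body .= $name . ': ' . field($_POST, $name) . "\n";
    }
    // Visitor input goes into the body only, never into the mail headers.
    mail(RECIPIENT, 'Contact form enquiry', $body);
    header('Location: /thankyou.htm');
    exit;
} elseif (PHP_SAPI === 'cli') {
    // Constructed sample submissions, for trying the check from a command line.
    $samples = [
        'person'    => ['Contact_name' => 'A. Customer', 'add2' => '', 'human_check' => 'Green'],
        'bot'       => ['Contact_name' => 'x', 'add2' => 'http://spam.example/', 'human_check' => 'green'],
        'no answer' => ['Contact_name' => 'y', 'add2' => ''],
    ];
    foreach ($samples as $label => $post) {
        printf("%-10s %s\n", $label, spam_reason($post) ?? 'accepted');
    }
}
```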
majica_films
2008-07-30 12:34:01 UTC
Thank you.
Having a bit of trouble getting that to work though. (I'm assuming that to
test it I just don't upload the CSS so that the field shows up, try typing
something in it and submitting the form as normal) I still receive the e-mail.

Perhaps someone could spot where I've gone wrong?:

(can see the full code here:
http://www.controlshop.co.uk/Contact/ContactForm.html if attached code doesn't
give enough info)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>The Control Shop</title>

</style>
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
  if (document.getElementById) {
    var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) {
      test=args[i+2];
      val=document.getElementById(args[i]);
      if (val) {
        nm=val.name;
        if ((val=val.value)!="") {
          if (test.indexOf('isEmail')!=-1) {
            p=val.indexOf('@');
            if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
          } else if (test!='R') {
            num = parseFloat(val);
            if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
            if (test.indexOf('inRange') != -1) {
              p=test.indexOf(':');
              min=test.substring(8,p); max=test.substring(p+1);
              if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
            }
          }
        } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n';
      }
    }
    if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
  }
}
// checks if bot
if ($_POST['add2'] != '' )
{
// The hidden fields have been changed
// Do something
die("Changed field");
}
//
//-->
</script>
<link href="../SpryAssets/diebit.css" rel="stylesheet" type="text/css" />
</head>

<body>

<div id="apDiv13">
<form action="/cgi-bin/formmail" method="post" name="form1" id="form1"
onsubmit="MM_validateForm('Contact name','','R','Telephone','','RisNum','What are you looking for?','','R');return document.MM_returnValue">
<input type="hidden" name="recipient" VALUE="***@controlshop.co.uk">
<label>
<div align="right"><span class="style8">*</span> - Required fields<br />
<br />
</div>
<div align="right"> <span class="style8">*</span>Contact name:
<input type="text" name="Contact name" id="Contactname" />
<br />
<br />
Company name:
<input type="text" name="Company name" id="Companyname" />
<br />
<br />
<span class="style8">*</span>Telephone:
<input type="text" name="Telephone" id="Telephone" />
<br />
<br />
Fax:
<input name="Fax" type="text" id="Fax" value="" />
<br />
<br />
E-mail:
<input type="text" name="E-mail" id="E-mail" />
<br />
<br />
<span class="style8">*</span>What are you looking for?<br />
<textarea name="What are you looking for?" id="Whatareyoulookingfor"
cols="22" rows="5"></textarea>
<br />
<br />
<input name="add2" value="" class="diebot">
<br />
<input name="Send" type="submit" id="Send" value="Submit" />
<br />
<br />
<input type="reset" name="Reset" id="button" value="Reset" />
<br />
<input TYPE="hidden" NAME="redirect"
VALUE="http://www.controlshop.co.uk/thankyou.htm">
<input TYPE="hidden" NAME="return_link_url"
VALUE="http://www.controlshop.co.uk/thankyou.htm">
</div>

</label>
<p align="right">&nbsp;</p>
<div align="center"></div>
</form>
</div>
<img src="../Images/background.png" alt="" width="1280" height="905"
border="0" usemap="#Map" />
<map name="Map" id="Map">
</body>
</html>
Murray *ACE*
2008-07-30 12:40:19 UTC
Permalink
In your code, change this -

<input name="add2" value="" class="diebot">

to this -

<input name="add2" value="simulated bot attack" class="diebot">

Save/upload/submit. What happens?
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by majica_films
Thank you.
Having a bit of trouble getting that to work though. (I'm assuming that to
test it I just don't upload the CSS so that the field shows up, try typing
something in it and submitting the form as normal) I still receive the e-mail.
http://www.controlshop.co.uk/Contact/ContactForm.html if attached code doesn't
give enough info)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>The Control Shop</title>
</style>
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
if (document.getElementById){
var
i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
for (i=0; i<(args.length-2); i+=3) { test=args[i+2];
val=document.getElementById(args[i]);
if (val) { nm=val.name; if ((val=val.value)!="") {
if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an
e-mail address.\n';
} else if (test!='R') { num = parseFloat(val);
if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
min=test.substring(8,p); max=test.substring(p+1);
if (num<min || max<num) errors+='- '+nm+' must contain a number
between '+min+' and '+max+'.\n';
} } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is
required.\n'; }
} if (errors) alert('The following error(s) occurred:\n'+errors);
document.MM_returnValue = (errors == '');
} }
// checks if bot
if ($_POST['add2'] != '' )
{
// The hidden fields have been changed
// Do something
die("Changed field");
}
//
//-->
</script>
<link href="../SpryAssets/diebit.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="apDiv13">
<form action="/cgi-bin/formmail" method="post" name="form1" id="form1"
onsubmit="MM_validateForm('Contact
name','','R','Telephone','','RisNum','What
are you looking for?','','R');return document.MM_returnValue">
<label>
<div align="right"><span class="style8">*</span> - Required fields<br />
<br />
</div>
<input type="text" name="Contact name" id="Contactname" />
<br />
<br />
<input type="text" name="Company name" id="Companyname" />
<br />
<br />
<input type="text" name="Telephone" id="Telephone" />
<br />
<br />
<input name="Fax" type="text" id="Fax" value="" />
<br />
<br />
<input type="text" name="E-mail" id="E-mail" />
<br />
<br />
<span class="style8">*</span>What are you looking for?<br />
<textarea name="What are you looking for?" id="Whatareyoulookingfor"
cols="22" rows="5"></textarea>
<br />
<br />
<input name="add2" value="" class="diebot">
<br />
<input name="Send" type="submit" id="Send" value="Submit" />
<br />
<br />
<input type="reset" name="Reset" id="button" value="Reset" />
<br />
<input TYPE="hidden" NAME="redirect"
VALUE="http://www.controlshop.co.uk/thankyou.htm">
<input TYPE="hidden" NAME="return_link_url"
VALUE="http://www.controlshop.co.uk/thankyou.htm">
</div>
</label>
<p align="right">&nbsp;</p>
<div align="center"></div>
</form>
</div>
<img src="../Images/background.png" alt="" width="1280" height="905"
border="0" usemap="#Map" />
<map name="Map" id="Map">
</body>
</html>
majica_films
2008-07-30 13:44:13 UTC
Permalink
I get taken to the Thank you page and promptly receive this e-mail in my inbox:
Below is the result of your feedback form. It was submitted by
() on Wednesday, July 30, 2008 at 13:41:30
---------------------------------------------------------------------------

Contact name: test

Telephone: 333

What are you looking for?: test

add2: simulated bot attack

Send: Submit

---------------------------------------------------------------------------
Murray *ACE*
2008-07-30 14:44:44 UTC
Permalink
Good grief.

There are other changes you need to make.

Change this -

} if (errors) alert('The following error(s) occurred:\n'+errors);
document.MM_returnValue = (errors == '');
} }
// checks if bot
if ($_POST['add2'] != '' )
{
// The hidden fields have been changed
// Do something
die("Changed field");
}
//
//-->
</script>

to this -

} if (errors) alert('The following error(s) occurred:\n'+errors);
document.MM_returnValue = (errors == '');
} }
//-->
</script>

and this -

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

to this -

<?php

// The form's submit button is named "Send" (value "Submit"), so test that key
if (isset($_POST['Send']) && $_POST['Send'] == 'Submit') {
// checks if bot
if ($_POST['add2'] != '' )
{
// The hidden fields have been changed
// Do something
die("Changed field");
}
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

Save the page with a *.php extension, upload, and submit it.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by majica_films
Below is the result of your feedback form. It was submitted by
() on Wednesday, July 30, 2008 at 13:41:30
---------------------------------------------------------------------------
Contact name: test
Telephone: 333
What are you looking for?: test
add2: simulated bot attack
Send: Submit
---------------------------------------------------------------------------
Murray *ACE*
2008-07-30 15:31:23 UTC
Permalink
Is there really nothing that I can add to my page, without changing the
extension etc, that will check if a hidden field has something in it and,
if it has, will simply not submit the form?
You would be able to do this in javascript (something that executes
client-side), but the spam bots don't do javascript, so it would be
ineffective against the very things you want to prevent.

I am willing to stick with you on this, but I would need to see the code on
the page as you last saved it.

You can keep the *.html extension, but only if you add this PHP code to the
script that is processing the form. I would need to see that code as well
(<form action="/cgi-bin/formmail")
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Yup, still receiving the e-mails.
Also, changing .html to .php will render all the links on my site to
....Contact/ContactForm.html useless, will it not?
Not an option, I'm not going to spend hours changing the link to the html
contact form to the php contact form (there is a link to it on all pages)
and I don't trust "Find and replace"
Is there really nothing that I can add to my page, without changing the
extension etc, that will check if a hidden field has something in it and,
if it has, will simply not submit the form?
majica_films
2008-07-30 15:26:25 UTC
Permalink
Yup, still receiving the e-mails.

Also, changing .html to .php will render all the links on my site to
....Contact/ContactForm.html useless, will it not?
Not an option, I'm not going to spend hours changing the link to the html
contact form to the php contact form (there is a link to it on all pages) and I
don't trust "Find and replace"

Is there really nothing that I can add to my page, without changing the
extension etc, that will check if a hidden field has something in it and, if it
has, will simply not submit the form?
eclipsme
2008-07-30 16:36:54 UTC
Permalink
This part needs to be in whatever script is processing the form, not the
page that has the form. In your case /cgi-bin/formmail (shouldn't that
be formail.php?)
Post by eclipsme
if ($_POST['add2'] != '' )
{
// The hidden fields have been changed
// Do something
die("Changed field");
}
//
//-->
Harvey
Murray *ACE*
2008-07-30 11:56:03 UTC
Permalink
Should be the ticket, Harvey.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by eclipsme
<input name="add2" value="" class="diebot">
.diebot {display: none;}
// checks if bot
if ($_POST['add2'] != '' )
{
// The hidden fields have been changed
// Do something
die("Changed field"); }
// Continue the script...
Hope that helps (and hope I got all the squiggles right!) With a nod to
Murray.
Harvey
Post by majica_films
I don't mind having to get into the code, I just don't want to have to
start from scratch.
eclipsme
2008-07-30 16:38:18 UTC
Permalink
Post by Murray *ACE*
Should be the ticket, Harvey.
Ooh! Now I feel all warm and fuzzy.
Murray *ACE*
2008-07-30 16:45:24 UTC
Permalink
<cootchy cootchy coo> 8)
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by eclipsme
Post by Murray *ACE*
Should be the ticket, Harvey.
Ooh! Now I feel all warm and fuzzy.
eclipsme
2008-07-30 16:56:17 UTC
Permalink
Post by Murray *ACE*
<cootchy cootchy coo> 8)
stop that. i'm ticklish.
P@tty Ayers ~ACE
2008-07-29 18:46:55 UTC
Permalink
Post by majica_films
Well I seem to have tried everything else with no luck.
If someone can tell me a free, easy, quick, simple way I can protect my
current form (so without having to redo it or completely re-design it etc) that
I haven't already tried then I'll give it a go....but I'm now coming up to 2
solid days of trying to come up with a solution and i've just about had enough.
True, the amount of spam I'm getting at the moment isn't really a problem, but
i'd rather stop it now than wait until I'm getting thousands of e-mails a day
that clog up the system.
For what it's worth, I have about 5-10 forms on various sites for years now,
and I've never gotten more than the occasional "form spam". It hasn't
increased over time, at all.

I've never been able to figure out why it's a big deal..
--
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate Worksheet
--
Murray *ACE*
2008-07-29 18:52:33 UTC
Permalink
Would it be a big deal if you were getting 50 a day? 25? 10? 5? I thought
so. 8)
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by ***@tty Ayers ~ACE
Post by majica_films
Well I seem to have tried everything else with no luck.
If someone can tell me a free, easy, quick, simple way I can protect my
current form (so without having to redo it or completely re-design it etc) that
I haven't already tried then I'll give it a go....but I'm now coming up to 2
solid days of trying to come up with a solution and i've just about had enough.
True, the amount of spam I'm getting at the moment isn't really a problem, but
i'd rather stop it now than wait until I'm getting thousands of e-mails a day
that clog up the system.
For what it's worth, I have about 5-10 forms on various sites for years
now, and I've never gotten more than the occasional "form spam". It hasn't
increased over time, at all.
I've never been able to figure out why it's a big deal..
--
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate Worksheet
--
P@tty Ayers ~ACE
2008-07-29 20:32:22 UTC
Permalink
"If", but that's not the case, for me *or* the OP. The OP says she isn't
getting many now, but feared that she might in the future, as if this type
of spam gathers momentum and increases over time. I have found that not to
be the case at all, and so was mentioning that.
--
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate Worksheet
--
Post by Murray *ACE*
Would it be a big deal if you were getting 50 a day? 25? 10? 5? I
thought so. 8)
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by ***@tty Ayers ~ACE
Post by majica_films
Well I seem to have tried everything else with no luck.
If someone can tell me a free, easy, quick, simple way I can protect my
current form (so without having to redo it or completely re-design it etc) that
I haven't already tried then I'll give it a go....but I'm now coming up to 2
solid days of trying to come up with a solution and i've just about had enough.
True, the amount of spam I'm getting at the moment isn't really a problem, but
i'd rather stop it now than wait until I'm getting thousands of e-mails a day
that clog up the system.
For what it's worth, I have about 5-10 forms on various sites for years
now, and I've never gotten more than the occasional "form spam". It
hasn't increased over time, at all.
I've never been able to figure out why it's a big deal..
--
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate Worksheet
--
Dooza
2008-07-30 08:00:14 UTC
Permalink
Post by ***@tty Ayers ~ACE
"If", but that's not the case, for me *or* the OP. The OP says she isn't
getting many now, but feared that she might in the future, as if this
type of spam gathers momentum and increases over time. I have found that
not to be the case at all, and so was mentioning that.
My experience is almost the opposite. In my previous job where I
maintained a site that was high volume once we started getting the form
spam it increased rapidly, and it was obvious from the timing that it
was a bot doing the deed.

But in my current job we have only had one form spam.

We have decided that if it starts to become obvious that its a bot doing
the submissions we will implement honeypot, but until then I have more
important jobs.

Steve
Joe Makowiec
2008-07-29 19:28:55 UTC
Permalink
Post by ***@tty Ayers ~ACE
For what it's worth, I have about 5-10 forms on various sites for
years now, and I've never gotten more than the occasional "form
spam". It hasn't increased over time, at all.
I've never been able to figure out why it's a big deal..
I can show you logs... On one site, one form - 38 attempts this week.
(None made it.) Far more available on request.

The other thing that's a big deal is: other than crap landing in my inbox
(which I have to deal with), on a poorly coded form, the form can be used
as a spam relay, sending out spam from my IP address to random recipients
I never intended.
--
Joe Makowiec
http://makowiec.net/
Email: http://makowiec.net/contact.php
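The server-side hidden-field check the thread converges on, together with the relay hardening Joe Makowiec's post points to, as an added example that is not code from any poster or from formmail: a PHP handler the form would post to instead of /cgi-bin/formmail. The file name, the example.com addresses and the sample submissions are assumptions; the field names and the thank-you URL are the ones on the posted page.

```php
<?php
// contact-handler.php: hypothetical file name. Added example, not from the thread.

// The recipient is fixed on the server. The form's hidden "recipient" field is
// ignored, so a forged POST cannot choose its own addressee (the relay case).
const RECIPIENT = 'sales@example.com';   // placeholder address
const SENDER    = 'webform@example.com'; // placeholder address
const THANK_YOU = 'http://www.controlshop.co.uk/thankyou.htm';

/** Return the named POST field as a trimmed string, or '' if absent. */
function field(array $post, string $name): string
{
    $value = $post[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

/** Check one submission. Returns [true, cleaned fields] or [false, reason]. */
function check_submission(array $post): array
{
    // Honeypot: the page hides add2 with .diebot {display: none;}, so a
    // person leaves it empty. Any content means the form was filled blindly.
    if (field($post, 'add2') !== '') {
        return [false, 'honeypot filled'];
    }

    // PHP rewrites spaces and dots in field names to underscores, so the
    // form's "Contact name" arrives as $_POST['Contact_name'].
    $clean = [
        'name'    => field($post, 'Contact_name'),
        'phone'   => field($post, 'Telephone'),
        'email'   => field($post, 'E-mail'),
        'message' => field($post, 'What_are_you_looking_for?'),
    ];

    // A line break inside a value that ends up in a mail header lets the
    // sender append headers such as Bcc:. Reject instead of trying to repair.
    foreach (['name', 'phone', 'email'] as $key) {
        if (preg_match('/[\r\n]/', $clean[$key])) {
            return [false, "line break in $key"];
        }
    }

    // Repeat the page's MM_validateForm rules here: bots never run the JavaScript.
    if ($clean['name'] === '' || $clean['message'] === '') {
        return [false, 'required field missing'];
    }
    if (!preg_match('/^[0-9 ]+$/', $clean['phone'])) {
        return [false, 'telephone missing or not numeric'];
    }
    if ($clean['email'] !== ''
        && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'malformed e-mail address'];
    }
    return [true, $clean];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$ok, $result] = check_submission($_POST);
    if ($ok) {
        $body = "Contact name: {$result['name']}\n"
              . "Telephone: {$result['phone']}\n"
              . "E-mail: {$result['email']}\n\n"
              . $result['message'] . "\n";
        $headers = 'From: ' . SENDER;
        if ($result['email'] !== '') {
            $headers .= "\r\nReply-To: " . $result['email'];
        }
        mail(RECIPIENT, 'Contact form', $body, $headers);
    } else {
        error_log('contact form rejected: ' . $result);
    }
    // Same fixed redirect either way: a bot learns nothing from the response,
    // and the hidden "redirect" field cannot send visitors elsewhere.
    header('Location: ' . THANK_YOU);
    exit;
}

// Constructed sample submissions, checked when run as: php contact-handler.php
if (PHP_SAPI === 'cli') {
    $base = [
        'Contact_name' => 'test',
        'Telephone' => '333',
        'What_are_you_looking_for?' => 'test',
        'add2' => '',
    ];
    $samples = [
        'person'        => $base,
        'bot'           => ['add2' => 'simulated bot attack'] + $base,
        'relay attempt' => ['E-mail' => "a@example.com\r\nBcc: b@example.net"] + $base,
    ];
    foreach ($samples as $label => $post) {
        [$ok, $result] = check_submission($post);
        echo $label, ': ', $ok ? 'accepted' : "rejected ($result)", "\n";
    }
}
```

Pointing the form's `action` at this script leaves ContactForm.html and every link to it unchanged, since only the target of the POST moves.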
timW22374100
2008-07-29 10:50:58 UTC
Permalink
Try a cheap little program called Web form anti-spam against automatically
generated spam from spambots (http://www.webformantispam.com/). It uses a
javascript which encrypts part of your page ( only the form ) and works
perfectly for my clients. There is a little delay in coming up of the partly
encrypted page. Look at http://estella-villas.gr/info.html . Don't forget to
have a backup of the original page! :-)

jml
Murray *ACE*
2008-07-29 11:30:34 UTC
Permalink
Anything that uses javascript is useless against formbots. What a scam.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by timW22374100
Try a cheap little program called Web form anti-spam against automatically
generated spam from spambots (http://www.webformantispam.com/). It uses a
javascript which encrypts part of your page ( only the form ) and works
perfectly for my clients. There is a little delay in coming up of the partly
encrypted page. Look at http://estella-villas.gr/info.html . Don't forget to
have a backup of the original page! :-)
jml
bb
2008-07-29 14:35:03 UTC
Permalink
Doesn't sound like much of a solution if someone has Javascript turned off.
Michael Fesser
2008-07-29 17:19:20 UTC
Permalink
.oO(timW22374100)
Post by timW22374100
Try a cheap little program called Web form anti-spam against automatically
generated spam from spambots (http://www.webformantispam.com/). It uses a
javascript which encrypts part of your page ( only the form ) and works
perfectly for my clients.
It doesn't. Code obfuscation is _never_ a solution, but just creates a
lot of new problems, especially accessibility problems. If you've really
paid for this crap, you've totally wasted your money, sorry. You should
have given it to me instead - it would be in better and honest hands.

These guys talk about accessibility problems of graphical CAPTCHAs, but
of course don't mention the problems created by their own "solution".
Calling it "user-friendly" on the cover is a blatant lie. Someone should
also tell them, that

| This method also protects against plagiarism – although it is still
| possible to copy final text, a potential thief will be unable to view
| your source HTML code because it is encoded.

is not true.

They even call Internet Explorer a "web browser" ... SCNR
Post by timW22374100
There is a little delay in coming up of the partly
encrypted page. Look at http://estella-villas.gr/info.html .
| JavaScript must be enabled in your browser to view this page.

Sorry, no go. Ctrl-F4.

Micha
Murray *ACE*
2008-07-29 17:23:15 UTC
Permalink
Snake oil, indeed....
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by Michael Fesser
.oO(timW22374100)
Post by timW22374100
Try a cheap little program called Web form anti-spam against automatically
generated spam from spambots (http://www.webformantispam.com/). It uses a
javascript which encrypts part of your page ( only the form ) and works
perfectly for my clients.
It doesn't. Code obfuscation is _never_ a solution, but just creates a
lot of new problems, especially accessibility problems. If you've really
paid for this crap, you've totally wasted your money, sorry. You should
have given it to me instead - it would be in better and honest hands.
These guys talk about accessibility problems of graphical CAPTCHAs, but
of course don't mention the problems created by their own "solution".
Calling it "user-friendly" on the cover is a blatant lie. Someone should
also tell them, that
| This method also protects against plagiarism – although it is still
| possible to copy final text, a potential thief will be unable to view
| your source HTML code because it is encoded.
is not true.
They even call Internet Explorer a "web browser" ... SCNR
Post by timW22374100
There is a little delay in coming up of the partly
encrypted page. Look at http://estella-villas.gr/info.html .
| JavaScript must be enabled in your browser to view this page.
Sorry, no go. Ctrl-F4.
Micha
Xander Zerge
2008-07-29 22:10:55 UTC
Permalink
I am developing http://www.webformantispam.com utility and would like to
explain some things mentioned here.

Code obfuscation is a solution just because it works - it stops spam. It is
not bulletproof, but once we will have a report from our clients that their
forms are being spammed again, we will change and improve obfuscation methods
to stop those new bots too.

There are no accessibility problems, as web page looks in DOM exactly as if it
was created there with original HTML. What is not true about CAPTCHA - screen
reader will not tell you what is painted there. CAPTCHA is a huge problem for
people who cannot see it because of disabled images, color blindness or weak
vision.

"User-friendly" means no problems for users - web page looks for them with no
difference and needs no additional actions. The worst thing with CAPTCHA is
that webmaster solves his problems, saves his time, by hands of visitors, by
stealing their time! If form spam is a problem of webmaster, why people should
spend their time to solve it for webmaster?

JavaScript is widely spread, especially with so-called Web 2.0 sites, which
intensively use it (AJAX). It is hard to browse the web with JavaScript
disabled, and, accordingly to statistics, only 2% of people have it disabled.
Those who have JavaScript execution disabled may have it enabled for trusted
sites only and solve the problem by adding web site to trusted list - this
needs to be done only once.

Encoding source HTML code against plagiarism will not work for advanced
webmasters, of course. However, if you are experienced enough to discover
original HTML from JavaScript generating it, you have no need to steal someone's
HTML - you can write it by yourself. By the way, you may want to hide some
content from spiders - our utility will be also helpful for that.

Xander Zerge,
http://www.zerge.com
Michael Fesser
2008-07-30 01:01:12 UTC
Permalink
.oO(Xander Zerge)
Post by Xander Zerge
I am developing http://www.webformantispam.com utility and would like to
explain some things mentioned here.
At least you have the balls to respond here to a rather harsh critique
(and partly a flame, I admit) - this happens quite rarely, if at all.
Point for you.
Post by Xander Zerge
Code obfuscation is a solution just because it works - it stops spam.
It also stops users. That's reason enough for me to not use or even
recommend it. Never.
Post by Xander Zerge
It is
not bulletproof, but once we will have a report from our clients that their
forms are being spammed again, we will change and improve obfuscation methods
to stop those new bots too.
The harder you try to stop bots, the more difficult you will make it for
regular users. Learn how to use spam filters. They are a more effective
weapon with less collateral damage.

And as said before - I'm just waiting for the day when bots will be able
to run JS. The technology and CPU power is already there. Spammers would
be stupid if they would continue to ignore these "possibilities".
Post by Xander Zerge
There are no accessibility problems, as web page looks in DOM exactly as if it
was created there with original HTML.
Relying on JS _is_ an accessibility problem. Always.
Post by Xander Zerge
What is not true about CAPTCHA - screen
reader will not tell you what is painted there. CAPTCHA is a huge problem for
people who cannot see it because of disabled images, color blindness or weak
vision.
Correct.
Post by Xander Zerge
"User-friendly" means no problems for users - web page looks for them with no
difference and needs no additional actions. The worst thing with CAPTCHA is
that webmaster solves his problems, saves his time, by hands of visitors, by
stealing their time! If form spam is a problem of webmaster, why people should
spend their time to solve it for webmaster?
Good point, but contrary to what you said above. With code obfuscation
it's the users again who have to solve _your_ spam problem! Not only
will the site or at least a particular feature be inaccessible to people
without JS, but all the others will also have to do _your_ work. They
have to download a script and have their machines execute it in order to
solve _your_ spam problem. "There is a little delay" already came up in
the thread. In other words: You are stealing _their_ time and bandwidth!
Post by Xander Zerge
JavaScript is widely spread, especially with so-called Web 2.0 sites, which
intensively use it (AJAX).
IMHO "Web 2.0" and AJAX are far overestimated hypes and the reasons why
a lot of problems become more and more relevant and dangerous (phishing,
identity stealing, XSS, XSRF, all that ugly crap). Well, not the only
reasons, but they make it easier and easier for an attacker and also
much more attractive (and lucrative). The security problems in many "Web
2.0" applications, especially the "social networks", are countless (e.g.
remember that in at least one of those networks all uploaded photos were
accessible, even the "private" images, if you just knew the URL?)

"Web 2.0" can be a real curse. Even rather simple AJAX stuff may cause a
lot of accessibility and usability problems if you don't do it properly.
And unfortunately many people don't do it properly.
Post by Xander Zerge
It is hard to browse the web with JavaScript
disabled
Works very well here. Only a few trusted sites are allowed to execute
their code on my machine. And good sites offer non-JS alternatives.
There's nothing that could not be done with a server-side fallback.

IMHO one of the classic examples for AJAX stuff is Google Maps with its
drag feature. But other map services show that such a feature should be
just an addition to a basic non-JS functionality. There with JS enabled
you can seamlessly drag the map, without it you have to click a link to
move it one tile in any direction. This is what I consider userfriendly,
because it works _always_.
Post by Xander Zerge
and, accordingly to statistics, only 2% of people have it disabled.
And 98% have Flash and the earth is flat. I know these "statistics".
What really matters are your own site's logs and stats. And as said
before often enough: Even 2% can mean quite a lot in terms of profit.

Or in other words: Why should I intentionally(!) and without any valid
reason exclude users from my site? I would be really stupid to do so!

"I don't like you in my restaurant, because your nose is too big."
"I don't like you on my site, because you don't allow JavaScript."

Same thing.
Post by Xander Zerge
Those who have JavaScript execution disabled may have it enabled for trusted
sites only and solve the problem by adding web site to trusted list - this
needs to be done only once.
Sure, but why should they do that for a single visit on a site they
don't know and which they don't intend to use more often? Either it
works or not. Ctrl-F4 is quite close. You have to get the visitor's
attention as quick as possible or he's gone. Speed matters, nowadays
even more than some years ago.
Post by Xander Zerge
Encoding source HTML code against plagiarism will not work for advanced
webmasters, of course.
It will not work at all. It's as useless as these scripts from the dark
ages that try to block right mouse clicks or the context menu.
Post by Xander Zerge
However, if you are experienced enough to discover
original HTML from JavaScript generating it, you have no need to steal someone's
HTML
Exactly. And all other users are of no interest here. Some even say that
in many cases the people who obfuscate their code just have written such
crap which nobody would want to steal.

BTW: "Encoding" HTML in order to hide it from the users will also hide
it from current search engines. IMHO a well-done shot in the own foot.
Post by Xander Zerge
- you can write it by yourself. By the way, you may want to hide some
content from spiders
robots.txt exists. To hide just a part of a page from spiders, but show
it to users or the other way round may be seen as search engine spam.
Post by Xander Zerge
our utility will be also helpful for that.
I still doubt that and stand by what I've said. It doesn't serve any
purpose for the site's visitors, but shifts the webmaster's problems
upon them. And it's definitely not worth 30 bucks.

But as said, I appreciate your feedback.

Micha
Xander Zerge
2008-07-30 07:38:40 UTC
Permalink
Post by Xander Zerge
Code obfuscation is a solution just because it works - it stops spam.
It also stops users. That's reason enough for me to not use or even
recommend it. Never.

Not argumented. How can it stop users?
Post by Xander Zerge
It is
not bulletproof, but once we will have a report from our clients that their
forms are being spammed again, we will change and improve obfuscation methods
to stop those new bots too.
The harder you try to stop bots, the more difficult you will make it for
regular users. Learn how to use spam filters. They are a more effective
weapon with less collateral damage.
I would not agree. We are offering just an alternative way to stop spam bots,
and its essential advantage is full transparency for visitors.
Post by Xander Zerge
And as said before - I'm just waiting for the day when bots will be able
to run JS. The technology and CPU power is already there. Spammers would
be stupid if they would continue to ignore these "possibilities".
While you are waiting, our solution works. Once they will learn, we will make
countermeasures.
Post by Xander Zerge
There are no accessibility problems, as web page looks in DOM exactly as if it
was created there with original HTML.
Relying on JS _is_ an accessibility problem. Always.
Not argumented. Page sources are different for HTML and obfuscated HTML, page
content is the same for both sources. Where the problem with accessibility goes
from?
Post by Xander Zerge
Good point, but contrary to what you said above. With code obfuscation
it's the users again who have to solve _your_ spam problem! Not only
will the site or at least a particular feature be inaccessible to people
without JS, but all the others will also have to do _your_ work. They
have to download a script and have their machines execute it in order to
solve _your_ spam problem. "There is a little delay" already came up in
the thread. In other words: You are stealing _their_ time and bandwidth!
Very funny. Little delay is less than a second, and user has no need to do
something. Page loads longer. Bandwidth increase is also smaller than captcha
does.
Post by Xander Zerge
and, accordingly to statistics, only 2% of people have it disabled.
And 98% have Flash and the earth is flat. I know these "statistics".
What really matters are your own site's logs and stats. And as said
before often enough: Even 2% can mean quite a lot in terms of profit.
Correct. My sites stats says the same about JS and Flash (not Earth).
Post by Xander Zerge
Or in other words: Why should I intentionally(!) and without any valid
reason exclude users from my site? I would be really stupid to do so!
No exclusion. Users, who have JS disabled, will be told about that and they
will have a chance to enable it for that particular site.
Post by Xander Zerge
Those who have JavaScript execution disabled may have it enabled for trusted
sites only and solve the problem by adding web site to trusted list - this
needs to be done only once.
Sure, but why should they do that for a single visit on a site they
don't know and which they don't intend to use more often? Either it
works or not. Ctrl-F4 is quite close. You have to get the visitor's
attention as quick as possible or he's gone. Speed matters, nowadays
even more than some years ago.
Attention is already taken, because a user should be already interested, when
he tries to fill a feedback form.
Post by Xander Zerge
Encoding source HTML code against plagiarism will not work for advanced
webmasters, of course.
It will not work at all. It's as useless as these scripts from the dark
ages that try to block right mouse clicks or the context menu.
This is just a bonus. If you ever wish to hide something, you will be able to
do that.
Post by Xander Zerge
robots.txt exists. To hide just a part of a page from spiders, but show
it to users or the other way round may be seen as search engine spam.
Does e-mail harvesting crawlers read robots.txt?

Xander Zerge
Michael Fesser
2008-07-30 22:03:33 UTC
Permalink
.oO(Xander Zerge)
Post by Michael Fesser
Post by Xander Zerge
Code obfuscation is a solution just because it works - it stops spam.
It also stops users. That's reason enough for me to not use or even
recommend it. Never.
Not argumented. How can it stop users?
It stops users without JS.
Post by Michael Fesser
Post by Xander Zerge
It is
not bulletproof, but once we will have a report from our clients that their
forms are being spammed again, we will change and improve obfuscation methods
to stop those new bots too.
The harder you try to stop bots, the more difficult you will make it for
regular users. Learn how to use spam filters. They are a more effective
weapon with less collateral damage.
I would not agree. We are offering just an alternative way to stop spam bots,
and its essential advantage is full transparency for visitors.
You can't really stop bots, just make it more difficult at the risk of
building obstacles for regular users. But I've already said that.

What is more important to you - to fight spam bots or to make a site
userfriendly? It seems that you prefer the first, while I definitely do
the latter, even if that might mean 1 or 2 form spams a day. It's just a
small price I have to pay for the benefit of my visitors.
Post by Michael Fesser
Post by Xander Zerge
And as said before - I'm just waiting for the day when bots will be able
to run JS. The technology and CPU power is already there. Spammers would
be stupid if they would continue to ignore these "possibilities".
While you are waiting, our solution works. Once they will learn, we will make
countermeasures.
Yeah, sure. And the next bot or worm will find a way to break it again.
It's always the same and a battle you cannot win.
Post by Michael Fesser
Post by Xander Zerge
There are no accessibility problems, as web page looks in DOM exactly as if it
was created there with original HTML.
Relying on JS _is_ an accessibility problem. Always.
Not argumented. Page sources are different for HTML and obfuscated HTML, page
content is the same for both sources. Where the problem with accessibility goes
from?
Read and understand what I've said six lines above.
Post by Michael Fesser
Post by Xander Zerge
Good point, but contrary to what you said above. With code obfuscation
it's the users again who have to solve _your_ spam problem! Not only
will the site or at least a particular feature be inaccessible to people
without JS, but all the others will also have to do _your_ work. They
have to download a script and have their machines execute it in order to
solve _your_ spam problem. "There is a little delay" already came up in
the thread. In other words: You are stealing _their_ time and bandwidth!
Very funny. Little delay is less than a second
A delay is a delay. Even many small delays may sum up to quite a lot.
Post by Michael Fesser
and user has no need to do
something.
Their browser and machine have to.
Post by Michael Fesser
Page loads longer. Bandwidth increase is also smaller than captcha
does.
A proper form would be even smaller and faster.
Post by Michael Fesser
Post by Xander Zerge
and, accordingly to statistics, only 2% of people have it disabled.
And 98% have Flash and the earth is flat. I know these "statistics".
What really matters are your own site's logs and stats. And as said
before often enough: Even 2% can mean quite a lot in terms of profit.
Correct. My sites stats says the same about JS and Flash (not Earth).
Mine do not. JS disabled: 2-10%. From the rest Flash enabled: 50-60%.
Post by Michael Fesser
Post by Xander Zerge
Or in other words: Why should I intentionally(!) and without any valid
reason exclude users from my site? I would be really stupid to do so!
No exclusion. Users, who have JS disabled, will be told about that and they
will have a chance to enable it for that particular site.
Yes, if they can! Not all browsers support JS and even if they do it
might not possible for a user to enable it.

The amount of users that can be reached with a properly built non-JS
site will _always_ be higher than with a site relying on JS, hence
relying on JS _is_ an exclusion of users.
Post by Michael Fesser
Post by Xander Zerge
Those who have JavaScript execution disabled may have it enabled for trusted
sites only and solve the problem by adding web site to trusted list - this
needs to be done only once.
Sure, but why should they do that for a single visit on a site they
don't know and which they don't intend to use more often? Either it
works or not. Ctrl-F4 is quite close. You have to get the visitor's
attention as quick as possible or he's gone. Speed matters, nowadays
even more than some years ago.
Attention is already taken, because a user should be already interested, when
he tries to fill a feedback form.
It's not only about the form, but also about "encrypted" page content
and such stuff. If it's not there, the site does not work.
Post by Michael Fesser
Post by Xander Zerge
Encoding source HTML code against plagiarism will not work for advanced
webmasters, of course.
It will not work at all. It's as useless as these scripts from the dark
ages that try to block right mouse clicks or the context menu.
This is just a bonus. If you ever wish to hide something, you will be able to
do that.
Why should I wish to try to hide something, especially since there can't
be anything really hidden on a public website?
Post by Michael Fesser
Post by Xander Zerge
robots.txt exists. To hide just a part of a page from spiders, but show
it to users or the other way round may be seen as search engine spam.
Does e-mail harvesting crawlers read robots.txt?
No. And? If I want to protect mail addresses from being spammed I
wouldn't publish them at all. No reason to "encrypt" them, there are
better ways, which even work for users without JS.

Micha
majica_films
2008-07-31 08:15:41 UTC
Permalink
The code as I saved it last is how it is on the live site:
http://www.controlshop.co.uk/Contact/ContactForm.html

The script that processes it is here:
http://www.controlshop.co.uk/formmail.html
I would use attach code but it won't let me reply then, I just get taken to a
page cannot be displayed page.
Xander Zerge
2008-07-31 10:17:07 UTC
Permalink
Post by Michael Fesser
Post by Michael Fesser
It also stops users. That's reason enough for me to not use or even
recommend it. Never.
Not argumented. How can it stop users?
It stops users without JS.
So, images stops users with browsers with no images, and the whole web stops
users with no browsers? Not an argument.
Post by Michael Fesser
I would not agree. We are offering just an alternative way to stop spam bots,
and its essential advantage is full transparency for visitors.
You can't really stop bots, just make it more difficult at the risk of
building obstacles for regular users. But I've already said that.
I've stopped them really, actually, and right now! And risk of building
obstacles for *regular* users is much lower than captcha.
Post by Michael Fesser
What is more important to you - to fight spam bots or to make a site
userfriendly? It seems that you prefer the first, while I definitely do
the latter, even if that might mean 1 or 2 form spams a day. It's just a
small price I have to pay for the benefit of my visitors.
I am fighting spam bots with higher importance of user friendliness than
captcha has.
Post by Michael Fesser
Yeah, sure. And the next bot or worm will find a way to break it again.
It's always the same and a battle you cannot win.
No problem - I will make another improve. Currently, I am ahead of bots.
You must be offering cash messengers to not wear bulletproof jackets, because
gangsters will take grenade launchers and will win anyway. :-)
Post by Michael Fesser
Very funny. Little delay is less than a second
A delay is a delay. Even many small delays may sum up to quite a lot.
Why sum? One page - one second max., at slow machine. Captcha takes much more
time.
Post by Michael Fesser
and user has no need to do
something.
Their browser and machine have to.
Their machine and browser does something always. What is the problem here? :-)
Post by Michael Fesser
A proper form would be even smaller and faster.
Adding captcha image increases load size on few KB, and adds additional HTTP
request, what also takes time.
Post by Michael Fesser
Yes, if they can! Not all browsers support JS and even if they do it
might not possible for a user to enable it.
They can change a browser, like you, I suppose, if you are not calling IE a
web browser.
Post by Michael Fesser
The amount of users that can be reached with a properly built non-JS
site will _always_ be higher than with a site relying on JS, hence
relying on JS _is_ an exclusion of users.
The same is about captcha. The difference is in percentage of visitor losses.
Post by Michael Fesser
It's not only about the form, but also about "encrypted" page content
and such stuff. If it's not there, the site does not work.
This feature is only a bonus. Encrypting page content is not necessary in 99%
of cases. Regular site will have only feedback form protection needed.
Post by Michael Fesser
This is just a bonus. If you ever wish to hide something, you will be able to
do that.
Why should I wish to try to hide something, especially since there can't
be anything really hidden on a public website?
Who knows? Someone may wish to hide. Here is a tool for that.
Post by Michael Fesser
Post by Michael Fesser
robots.txt exists. To hide just a part of a page from spiders, but show
it to users or the other way round may be seen as search engine spam.
Does e-mail harvesting crawlers read robots.txt?
No. And? If I want to protect mail addresses from being spammed I
wouldn't publish them at all. No reason to "encrypt" them, there are
better ways, which even work for users without JS.
Your arguments are weak again. You are talking about something what is better
but you are not talking what that is. What are those "better ways"?
If you are talking about e-mail addresses rendered as images, requiring
visitors to type them by hands in e-mail client, instead of single click
opening new e-mail message window with address/subject prefilled, I will say
"no, thank you".
Not publishing e-mail address at all is also very user-friendly method. :-)

Xander Zerge
bb
2008-07-31 14:52:11 UTC
Permalink
Sorry, but you can try and make your product seem reputable.

The experienced developers know that it's of no use and most won't touch it
with a 10' pole.

We can only hope to inform the new developers to use better and accepted
methods.

Hopefully soon this stream of messages will appear in Google so that when
someone hunts for information on your product they'll find this.

Good luck.
Michael Fesser
2008-07-31 16:24:04 UTC
Permalink
.oO(Xander Zerge)
Post by Xander Zerge
Post by Michael Fesser
Post by Michael Fesser
It also stops users. That's reason enough for me to not use or even
recommend it. Never.
Not argumented. How can it stop users?
It stops users without JS.
So, images stops users with browsers with no images
Wrong.
Post by Xander Zerge
Post by Michael Fesser
What is more important to you - to fight spam bots or to make a site
userfriendly? It seems that you prefer the first, while I definitely do
the latter, even if that might mean 1 or 2 form spams a day. It's just a
small price I have to pay for the benefit of my visitors.
I am fighting spam bots with higher importance of user friendliness than
captcha has.
This wasn't my question. Maybe this is easier for you:

( ) fight spam bots
( ) make site userfriendly

Pick one.
Post by Xander Zerge
Post by Michael Fesser
and user has no need to do
something.
Their browser and machine have to.
Their machine and browser does something always. What is the problem here? :-)
Unnecessary overhead. Script execution can take a measurable amount of
time on less powerful machines.
Post by Xander Zerge
Post by Michael Fesser
A proper form would be even smaller and faster.
Adding captcha image increases load size on few KB, and adds additional HTTP
request, what also takes time.
This wasn't what I said. Form efficiency in descending order:

1) plain HTML form
2) JS-based "encryption"
3) CAPTCHAs
Post by Xander Zerge
Post by Michael Fesser
Yes, if they can! Not all browsers support JS and even if they do it
might not possible for a user to enable it.
They can change a browser
Yes, _if_ they can. If they can't enable JS, it's also quite unlikely
that they will be able to use another browser.
Post by Xander Zerge
Post by Michael Fesser
The amount of users that can be reached with a properly built non-JS
site will _always_ be higher than with a site relying on JS, hence
relying on JS _is_ an exclusion of users.
The same is about captcha. The difference is in percentage of visitor losses.
You seem to find it OK to lose visitors. I don't.
Post by Xander Zerge
Post by Michael Fesser
No. And? If I want to protect mail addresses from being spammed I
wouldn't publish them at all. No reason to "encrypt" them, there are
better ways, which even work for users without JS.
Your arguments are weak again. You are talking about something what is better
but you are not talking what that is. What are those "better ways"?
If you are talking about e-mail addresses rendered as images, requiring
visitors to type them by hands in e-mail client, instead of single click
opening new e-mail message window with address/subject prefilled, I will say
"no, thank you".
That was surely not what I meant. Some other general ideas in no
particular order:

* contact form
* user interaction (e.g. checkbox) to reveal the mail addresses
* addresses only shown to authenticated users
* server-side spam filters
* ...

Micha
Xander Zerge
2008-07-31 17:00:09 UTC
Permalink
Post by Xander Zerge
Post by Michael Fesser
It stops users without JS.
So, images stops users with browsers with no images
Wrong.

What is the difference? Just look from another side: without using full power
of visitors browsers, you are limiting their possibilities. Compare GMail JS
and HTML for example. First is much better. Without use of JS, you are
requiring 90% of your visitors to work with less powerful application than it
can be.

This wasn't my question. Maybe this is easier for you:

( ) fight spam bots
( ) make site userfriendly

Pick one.

Why one? I am picking both.

Unnecessary overhead. Script execution can take a measurable amount of
time on less powerful machines.

Yes, it can take. But let CPU work instead of visitors, who wanted to tell you
something, but you ask them to solve brain-teasers first.

You seem to find it OK to lose visitors. I don't.
You seem to have 0% bounce rate at your sites? :-)

That was surely not what I meant. Some other general ideas in no
particular order:

* contact form
NO. I prefer to contact by e-mail, to have message stored in "Sent", use CCs
and BCCs.

* user interaction (e.g. checkbox) to reveal the mail addresses

Bot can press checkbox easily.

* addresses only shown to authenticated users

Not every site is so important to register on it just to leave a message.

* server-side spam filters

Cheap shared hosting may have no such filter.

* ...

Yes, this one looks most powerful. :-)

Xander
majica_films
2008-07-29 11:24:44 UTC
Permalink
I'm not willing to spend money on a solution to this when so many free
solutions have failed....even if it has been through my lack of knowledge, no
point paying for something that I can't get to work. (Yes, I've tried the
trial. No, I can't get it to work right. If I protect the whole page the CSS
doesn't work, if I just protect the form code the page alignment isn't right
and my background image starts half way down the page.) Perhaps eventually I
would be able to get it to work, but I've already spent all of yesterday and
half of today trying to solve this and I don't have another few hours to spend
trying out 1 thing.
I just need a simple, easy solution to stop what is at the moment a small spam
problem, before it turns into a bigger problem.
timW22374100
2008-07-29 17:49:58 UTC
Permalink
(Yes, I've tried the trial. No, I can't get it to work right.
If I protect the whole page the CSS doesn't work, if I just protect the form
code the page alignment isn't right and my background image starts half way
down the page.)

It works if you put in the requested comment lines
and if you do not interrupt tables with the encryption (i.e. encrypt all the
table/s used)

If somebody has Javascript disabled, that is really his/her problem. Paranoia
never leads to good results.

I love Michael Fesser's comment. He'd better sell used cars.

Btw I am NOT endorsing that encryption program. It just works if you use it
correctly.

Greetings
jml
Murray *ACE*
2008-07-29 18:07:15 UTC
Permalink
Post by timW22374100
If somebody has Javascript disabled, that is really his/her problem. Paranoia
never leads to good results.
bots ALWAYS have javascript disabled. That would make it YOUR problem.
Post by timW22374100
It just works if you use it correctly.
You just think it works. It does not.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by timW22374100
(Yes, I've tried the trial. No, I can't get it to work right.
If I protect the whole page the CSS doesn't work, if I just protect the form
code the page alignment isn't right and my background image starts half way
down the page.)
It works if you put in the requested comment lines
and if you do not interrupt tables with the encryption (i.e. encrypt all the
table/s used)
If somebody has Javascript disabled, that is really his/her problem. Paranoia
never leads to good results.
I love Michael Fesser's comment. He'd better sell used cars.
Btw I am NOT endorsing that encryption program. It just works if you use it
correctly.
Greetings
jml
Michael Fesser
2008-07-29 18:46:41 UTC
Permalink
.oO(timW22374100)
Post by timW22374100
(Yes, I've tried the trial. No, I can't get it to work right.
If I protect the whole page the CSS doesn't work, if I just protect the form
code the page alignment isn't right and my background image starts half way
down the page.)
It works if you put in the requested comment lines
and if you do not interrupt tables with the encryption (i.e. encrypt all the
table/s used)
If somebody has Javascript disabled, that is really his/her problem. Paranoia
never leads to good results.
This has nothing to do with paranoia. In most cases JS is just abused
for annoying things. In conjunction with insecure server scripts it can
even become a huge security hole (google XSS if you want). So there are
a lot of absolutely valid reasons to completely turn JS off and only
allow it for particular trusted sites. Modern browsers like Opera make
this very easy and convenient. Additionally there are user agents that
don't support JS at all. But the Web is for _all_ users!

Relying on JS to make a website work is almost always a design mistake
and will exclude a lot of regular users. Even 2% can mean quite a lot in
terms of profit. If you want to lose that money - your decision.
Post by timW22374100
I love Michael Fesser's comment. He'd better sell used cars.
Why should I do your work? I prefer building good and userfriendly(!)
websites instead of selling non-working second-hand code.
Post by timW22374100
Btw I am NOT endorsing that encryption program. It just works if you use it
correctly.
Such scripts never "work".

And it's just a matter of time until bots will be able to execute
JavaScripts. Some may even do already, because there are a lot of free JS
engines available. Search engines start to index Flash, why should other
bots not start to overcome such stupid JS-"protections"? The technology
and the CPU power are already there.

Micha
Malcolm _
2008-07-29 20:33:16 UTC
Permalink
On Mon, 28 Jul 2008 13:08:47 +0000 (UTC), "majica_films"
Post by majica_films
I've spent HOURS looking for a way to stop spam through the form on my website.
I've looked at various solutions but they either cost too much money, or flat
out don't work (tutorials are great....but not when what they tell you do
doesn't match the files you've been given)
I've given up now, I'd rather take the spam than waste several more hours
trying to stop it, but, should anyone here have a quick easy solution that
won't take several hours and give me a headache, I'd really appreciate it.
I'm for always recommending this book

Dreamweaver CS3 with CSS, Ajax and PHP by David Powers - another
excellent book, very readable style on how to produce good websites
with Dw. It is NOT like your typical guide to Dw – that just
regurgitates the help files - including the bits of Dw that should
have been binned - David guides you on best practise and the parts of
Dw to avoid.
http://foundationphp.com/egdwcs3/index.php


It covers this subject in detail, starting with using JavaScript, but
adding php server side code to enhance security.
--
~Malcolm~*...
~*
ianhg
2008-07-31 15:27:07 UTC
Permalink
Hi Guys
I have been having problems with the spambots too on several sites.
I now am trying to use spry textfields for validation which seems ok . Is it
possible to use spry textarea and not allow url's to be entered?
I have tried a simple captcha which worked for awhile, but I like the
thanks.php script as it confirms the details entered on the form in the browser
and emails the client the details.
<form action="thanks.php">
I see that majica_films is using spry in some areas but using the validation
is there a reason for this?
Could I use this in my thanks.php page.
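<?php
// Run the check only when the form was actually submitted.
if (isset($_POST['submit']) && $_POST['submit'] == 'Submit') {
    // Bot check: the hidden field must arrive empty. isset() avoids an
    // undefined-index notice when the field is missing from the request.
    if (isset($_POST['add2']) && $_POST['add2'] != '') {
        // The hidden field has been changed, so stop processing here.
        die("Changed field");
    }
}
?>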
Appreciate any input
ianhg
2008-07-31 22:42:55 UTC
Permalink
Hi can anyone help please.
Originally posted by: ianhg
Hi Guys
I have been having problems with the spambots too on several sites.
I now am trying to use spry textfields for validation which seems ok . Is it
possible to use spry textarea and not allow url's to be entered?
I have tried a simple captcha which worked for awhile, but I like the
thanks.php script as it confirms the details entered on the form in the browser
and emails the client the details.
<form action="thanks.php">
I see that majica_films is using spry in some areas but using the validation
is there a reason for this?
Could I use this in my thanks.php page.
<?php
// Run the check only when the form was actually submitted.
if (isset($_POST['submit']) && $_POST['submit'] == 'Submit') {
    // Bot check: the hidden field must arrive empty. isset() avoids an
    // undefined-index notice when the field is missing from the request.
    if (isset($_POST['add2']) && $_POST['add2'] != '') {
        // The hidden field has been changed, so stop processing here.
        die("Changed field");
    }
}
?>
Appreciate any input
Murray *ACE*
2008-07-31 23:23:23 UTC
Permalink
This whole thread is about how ineffective javascript methods are for
blocking spam bots. Spry is javascript.

'nuff said?
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by ianhg
Hi can anyone help please.
Originally posted by: ianhg
Hi Guys
I have been having problems with the spambots too on several sites.
I now am trying to use spry textfields for validation which seems ok . Is it
possible to use spry textarea and not allow url's to be entered?
I have tried a simple captcha which worked for awhile, but I like the
thanks.php script as it confirms the details entered on the form in the browser
and emails the client the details.
<form action="thanks.php">
I see that majica_films is using spry in some areas but using the validation
is there a reason for this?
Could I use this in my thanks.php page.
<?php
// Run the check only when the form was actually submitted.
if (isset($_POST['submit']) && $_POST['submit'] == 'Submit') {
    // Bot check: the hidden field must arrive empty. isset() avoids an
    // undefined-index notice when the field is missing from the request.
    if (isset($_POST['add2']) && $_POST['add2'] != '') {
        // The hidden field has been changed, so stop processing here.
        die("Changed field");
    }
}
?>
Appreciate any input
majica_films
2008-08-01 07:55:59 UTC
Permalink
I'm always up for a debate, but unfortunately the one going on here isn't really
helping me stop the spam from my website.
Could we perhaps un-hijack this topic please? Or should I just try and get
help from somewhere else?
Murray *ACE*
2008-08-01 11:28:42 UTC
Permalink
Did you try the honeypot method detailed multiple times in this thread?
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by majica_films
I'm always up for a debate, but unfortunately the one going on here isn't really
helping me stop the spam from my website.
Could we perhaps un-hijack this topic please? Or should I just try and get
help from somewhere else?
majica_films
2008-08-04 08:43:57 UTC
Permalink
Well I've tried to try them.
I registered at projecthoneypot but never got the confirmation e-mail.
I downloaded ***@Home but it won't work so I've e-mailed support.

Do I have to add something to the code for that to work? I fail to see how a
program running on my computer can stop spam from a form I haven't even told it
about.
Murray *ACE*
2008-08-04 12:07:58 UTC
Permalink
As far as I can tell, "Project Honeypot" is not about the honeypot methods
we have described. Please just read back through the thread. You were
given explicit instructions for how to install a honeypot on your page.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by majica_films
Well I've tried to try them.
I registered at projecthoneypot but never got the confirmation e-mail.
Do I have to add something to the code for that to work? I fail to see how a
program running on my computer can stop spam from a form I haven't even told it
about.
majica_films
2008-08-04 13:10:20 UTC
Permalink
Have I?
It took me an age to figure out that honeypots and the hidden fields that stop
the form being submitted if they are filled in are the same thing.....googling
"honeypot" brings up things like projecthoneypot and ***@home...things that
don't appear to help. It's not very clear and I don't have time to waste entire
days looking at solutions that may or may not be what I'm looking for.

I've asked a couple times what I need to do to make the form be ignored if the
hidden field is filled in. I've tried everything suggested and nothing has
worked.
I have a form on a HTML page (not PHP etc) that is processed with a formmail
script (I posted a link to it a couple of replies back) but I have no idea what
I need to add where to get the form ignored if the hidden field is filled in.
(Without having to change the page to php, therefore also having to change the
link to that page on all 200+ pages of my site)

Sorry if I appear to be coming across as a little dumb, but as far as this
stuff goes I am....this is my first website, my first form, I'm almost
certainly not doing some things the right way.......but after over a week of
trying to stop this spam with no luck my patience is getting a little low.
I really do appreciate the help but none of the suggestions have worked so far.
Murray *ACE*
2008-08-04 13:53:32 UTC
Permalink
Post by majica_films
I have a form on a HTML page (not PHP etc) that is processed with a formmail
script (I posted a link to it a couple of replies back) but I have no idea what
I need to add where to get the form ignored if the hidden field is filled in.
(Without having to change the page to php, therefore also having to change the
link to that page on all 200+ pages of my site)
The form page would not need to be PHP. The processing script would need to
be. The determination as to whether the form would be processed or not
(i.e., whether the honeypot field were filled in or not) would be done in
the processing script.
Post by majica_films
(Without having to change the page to php, therefore also having to change the
link to that page on all 200+ pages of my site)
This is not an issue since the form page type doesn't need to be changed.
Post by majica_films
Sorry if I appear to be coming across as a little dumb, but as far as this
stuff goes I am....this is my first website, my first form, I'm almost
certainly not doing some things the right way.......but after over a week of
trying to stop this spam with no luck my patience is getting a little low.
I really do appreciate the help but none of the suggestions have worked so far.
That being the case, let's just say that given your current experience
level, you simply cannot do what is required to block this spam. You *can*
make it a bit more difficult for the spammers by doing the simple thing
mentioned early on of just adding a field for -

Should this form be submitted (yes/no): ______

and validating that the field contains "yes".
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by majica_films
Have I?
It took me an age to figure out that honeypots and the hidden fields that stop
the form being submitted if they are filled in are the same
thing.....googling
don't appear to help. It's not very clear and I don't have time to waste entire
days looking at solutions that may or may not be what I'm looking for.
I've asked a couple times what I need to do to make the form be ignored if the
hidden field is filled in. I've tried everything suggested and nothing has
worked.
I have a form on a HTML page (not PHP etc) that is processed with a formmail
script (I posted a link to it a couple of replies back) but I have no idea what
I need to add where to get the form ignored if the hidden field is filled in.
(Without having to change the page to php, therefore also having to change the
link to that page on all 200+ pages of my site)
Sorry if I appear to be coming across as a little dumb, but as far as this
stuff goes I am....this is my first website, my first form, I'm almost
certainly not doing some things the right way.......but after over a week of
trying to stop this spam with no luck my patience is getting a little low.
I really do appreciate the help but none of the suggestions have worked so far.
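
The server-side checks this thread keeps returning to, written out as an added example (not code posted by anyone in the thread): the hidden `add2` honeypot from ianhg's snippet, the yes/no field Murray suggests, and a link check for the message text. The field names `confirm` and `message`, the form markup shown in the comments and the helper names are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread.
// 'add2' is the honeypot name from ianhg's snippet; 'confirm' and 'message'
// are assumed names for the yes/no field and the comment textarea.
//
// Matching form markup (assumed). The honeypot is hidden with CSS rather than
// type="hidden", so a bot parsing the HTML sees an ordinary text field:
//   <p style="display:none">Leave empty: <input type="text" name="add2" value=""></p>
//   <p>Should this form be submitted (yes/no): <input type="text" name="confirm"></p>

/** Return a trimmed string field, or null when it is absent or not a string. */
function form_field(array $post, string $name): ?string
{
    // A request can carry add2[]=x, which PHP turns into an array; never cast that.
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    return trim($post[$name]);
}

/** List the reasons a submission looks automated; an empty list means accept. */
function spam_reasons(array $post): array
{
    $reasons = [];

    // 1. Honeypot. People never see the field, so it must arrive as ''.
    //    A browser still sends it, so a missing field means the request
    //    did not come from the real form.
    $honeypot = form_field($post, 'add2');
    if ($honeypot === null) {
        $reasons[] = 'honeypot field missing';
    } elseif ($honeypot !== '') {
        $reasons[] = 'honeypot field filled in';
    }

    // 2. The yes/no question: the visitor has to type "yes".
    $confirm = form_field($post, 'confirm');
    if ($confirm === null || strtolower($confirm) !== 'yes') {
        $reasons[] = 'confirmation is not "yes"';
    }

    // 3. Links in the textarea are rejected here, on the server, because a
    //    bot never runs the JavaScript (Spry) validation in the page.
    $message = form_field($post, 'message');
    if ($message === null || $message === '') {
        $reasons[] = 'message empty';
    } elseif (preg_match('~https?://|www\.|\[url\b|<a\s~i', $message) === 1) {
        $reasons[] = 'message contains a link';
    }

    return $reasons;
}

if (PHP_SAPI !== 'cli') {
    // Web request: this part sits at the top of the processing script.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('Please use the contact form.');
    }
    $reasons = spam_reasons($_POST);
    if ($reasons !== []) {
        // Keep the detail in the server log; give a person enough to retry.
        error_log('contact form rejected: ' . implode('; ', $reasons));
        http_response_code(400);
        exit('Your message was not sent. Please answer "yes" and remove any web addresses.');
    }
    // Accepted: continue with the existing code that sends the mail.
} else {
    // Command line: run the checks over constructed sample submissions.
    $samples = [
        'visitor'           => ['add2' => '', 'confirm' => ' Yes ', 'message' => 'Please send me a price list.'],
        'bot fills all'     => ['add2' => 'x', 'confirm' => 'x', 'message' => 'buy now http://spam.example/'],
        'direct POST'       => ['message' => 'visit www.spam.example'],
        'array in honeypot' => ['add2' => ['x'], 'confirm' => 'yes', 'message' => 'hello'],
    ];
    foreach ($samples as $label => $post) {
        printf("%-18s %s\n", $label, implode('; ', spam_reasons($post)) ?: 'accepted');
    }
}
```

The form page itself can stay plain HTML; only the script named in the form's `action` has to run these checks, and the form needs `method="post"` for `$_POST` to be populated.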
timW22374100
2008-08-06 20:03:35 UTC
Permalink
What's the fuss? This topic seems to be turned into a sick "holy war" by
purists. We simple programmers are just trying to make a web form (not a bomb
shelter) that is easily usable for our clients and their visitors and - at the
moment - safe against spambots.
I must admit that I personally hate captchas as a user for aesthetical and
functionality reasons.
Therefore I used Xander's little program for some time at about 20 sites.
My clients are happy. I am too.

jml
Murray *ACE*
2008-08-06 20:16:42 UTC
Permalink
Post by timW22374100
Therefore I used Xander's little program for some time at about 20 sites.
My clients are happy. I am too.
Let us know how it goes. You haven't prevented any bots yet.... But I'll
pass your sites along so you can really test and see how it works out!
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by timW22374100
What's the fuss? This topic seems to be turned into a sick "holy war" by
purists. We simple programmers are just trying to make a web form (not a bomb
shelter) that is easily usable for our clients and their visitors and - at the
moment - safe against spambots.
I must admit that I personally hate captchas as a user for aesthetical and
functionality reasons.
Therefore I used Xander's little program for some time at about 20 sites.
My clients are happy. I am too.
jml
Michael Fesser
2008-08-06 23:29:44 UTC
Permalink
.oO(timW22374100)
Post by timW22374100
What's the fuss? This topic seems to be turned into a sick "holy war" by
purists.
We care about usability and accessibility, while some others just care
about your money.
Post by timW22374100
We simple programmers are just trying to make a web form (not a bomb
shelter) that is easily usable for our clients and their visitors and - at the
moment - safe against spambots.
As I've already said earlier in this thread:

( ) fight spam bots
( ) make site userfriendly

Pick one. You can't have both, because they're mutually exclusive.
Post by timW22374100
I must admit that I personally hate captchas as a user for aesthetical and
functionality reasons.
Therefore I used Xander's little program for some time at about 20 sites.
My clients are happy. I am too.
You've been ripped-off. Try your sites without JS and you'll see what
useless crap you've wasted your money for. Want the same for free? It's
just a simple one-liner. I even allow you to choose your preferred
algorithm:

( ) rot13
( ) base64
( ) XOR

The latter doesn't even require an external lib, but still achieves the
same level of "security". Paying almost $30 for something like that is
just ridiculous. Would you pay for a bottle of hot air? No. But you did!

The bots are bad, no question. But even worse are the criminals who try
to make money out of the situation by selling snake oil.

Micha
Xander Zerge
2008-08-08 16:36:28 UTC
Permalink
[q]Want the same for free? It's
just a simple one-liner. I even allow you to choose your preferred
algorithm:

( ) rot13
( ) base64
( ) XOR

The latter doesn't even require an external lib, but still achieves the
same level of "security".[/q]

This is your biggest mistake here in the thread (except calling me a criminal),
showing that you do not have enough experience there.
Those methods mentioned above need no JS for decoding by a spam bot, while we
are offering an encoding algorithm, which produces code which needs either
executing JS, decoding it, or cryptanalysis methods. While both will cost
spammers more than the effect achieved by spamming that form, their bots will
simply be ignoring such forms.

Xander
Michael Fesser
2008-08-08 23:03:54 UTC
Permalink
.oO(Xander Zerge)
Post by Xander Zerge
[q]Want the same for free? It's
just a simple one-liner. I even allow you to choose your preferred
( ) rot13
( ) base64
( ) XOR
The latter doesn't even require an external lib, but still achieves the
same level of "security".[/q]
This is your biggest mistake here in thread (except calling me a criminal),
You can keep the shoe if it fits. I have given enough valid and proven
arguments against such products. $30 is quite a lot for almost nothing.
Why not just $5? It hardly is worth more.
Post by Xander Zerge
showing that you have no enough of experience there.
Those methods mentioned above needs no JS for decoding by spam bot
They still require some scripting and analyzing of the source code.
Which language to use doesn't really matter. The required effort is
almost the same, hence it's as "secure" as yours.
Post by Xander Zerge
, while we
are offering encoding algorithm, which produces a code which needs either
executing JS, decoding it, or cryptoanalysis methods.
A script is a script. Whether a bot uses PHP, Perl or JS to decipher
such "encryption" doesn't really matter, even though JS would make the
most sense on an HTML page. They just have to do it, and one day they
definitely will.
Post by Xander Zerge
While both will cost
spammers more than effect achieved by spamming that form, their bots will be
simply ignoring such forms.
You still ignore the severe accessibility problems and the false sense
of security that you're selling to your customers. You're selling bugs,
not solutions.

Micha
Murray *ACE*
2008-08-08 23:39:59 UTC
Permalink
I'd like to see some proof that any of these methods are effective. Sadly,
there isn't any, other than (mostly) puffery and baldfaced assertions.
--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================
Post by Michael Fesser
.oO(Xander Zerge)
Post by Xander Zerge
[q]Want the same for free? It's
just a simple one-liner. I even allow you to choose your preferred
( ) rot13
( ) base64
( ) XOR
The latter doesn't even require an external lib, but still achieves the
same level of "security".[/q]
This is your biggest mistake here in thread (except calling me a criminal),
You can keep the shoe if it fits. I have given enough valid and proven
arguments against such products. $30 is quite a lot for almost nothing.
Why not just $5? It hardly is worth more.
Post by Xander Zerge
showing that you have no enough of experience there.
Those methods mentioned above needs no JS for decoding by spam bot
They still require some scripting and analyzing of the source code.
Which language to use doesn't really matter. The required effort is
almost the same, hence it's as "secure" as yours.
Post by Xander Zerge
, while we
are offering encoding algorithm, which produces a code which needs either
executing JS, decoding it, or cryptoanalysis methods.
A script is a script. Whether a bot uses PHP, Perl or JS to decipher
such "encryption" doesn't really matter, even though JS would make the
most sense on an HTML page. They just have to do it, and one day they
definitely will.
Post by Xander Zerge
While both will cost
spammers more than effect achieved by spamming that form, their bots will be
simply ignoring such forms.
You still ignore the severe accessibility problems and the false sense
of security that you're selling to your customers. You're selling bugs,
not solutions.
Micha
Xander Zerge
2008-08-09 06:37:51 UTC
Permalink
Post by Michael Fesser
You can keep the shoe if it fits. I have given enough valid and proven
arguments against such products. $30 is quite a lot for almost nothing.
You gave no arguments but "it uses JS, JS has accessibility problems", which
was also not proven.
Post by Michael Fesser
Why not just $5? It hardly is worth more.
Please, do not tell me how to sell my product and I will not say what you
should do.
Post by Michael Fesser
They still require some scripting and analyzing of the source code.
Which language to use doesn't really matter. The required effort is
almost the same, hence it's as "secure" as yours.
I am selling that "almost". It is "slightly" harder than your theoretically
suggested algorithms.
Post by Michael Fesser
A script is a script. Whether a bot uses PHP, Perl or JS to decipher
such "encryption" doesn't really matter, even though JS would make the
most sense on an HTML page. They just have to do it, and one day they
definitely will.
Here is a definite difference between us: while you are theorising, I am
solving practical problems.
One day we all die. What live for?! :-)
Post by Michael Fesser
You still ignore the severe accessibility problems and the false sense
of security that you're selling to your customers. You're selling bugs,
not solutions.
It is so funny to see how you are giving your theoretical hypotheses as
"proved arguments". :-)

I've said enough, you are beginning a second round of the same discussion, so I
see no reason to continue answering your theoretical thoughts.
I hope everyone has already understood that JavaScript is one of the browser's tools
and we are using this tool for stopping spam bots. It simply works. It stops
bots with no need to program something on the server side, which is especially
helpful for those who use FrontPage Server Extensions and wish to know
nothing about php, asp, etc.

This is my last message here in the thread.
I wish everyone good luck in fighting spam bots, and you are all welcome to
contact me directly for advice.

Xander Zerge
ZERGE.COM
(http://www.webformantispam.com)
eclipsme
2008-08-10 11:36:43 UTC
Permalink
Post by Xander Zerge
This is my last message here in thread.
Yay!
Michael Fesser
2008-08-10 17:30:58 UTC
Permalink
.oO(Xander Zerge)
Post by Xander Zerge
Post by Michael Fesser
You can keep the shoe if it fits. I have given enough valid and proven
arguments against such products. $30 is quite a lot for almost nothing.
You gave no arguments but "it uses JS, JS has accessibility problems", what
was also not proven.
As a programmer you should be capable of simple logical thinking. JS is
an optional feature, which is not always available. Relying on it will
make the site or at least a part of it completely inaccessible for many
people who don't have JS (dependent on the site usually around 2-8%),
while plain HTML without any JS-based obfuscation will work always.

Q.E.D.

That was easy.
Post by Xander Zerge
Post by Michael Fesser
They still require some scripting and analyzing of the source code.
Which language to use doesn't really matter. The required effort is
almost the same, hence it's as "secure" as yours.
I am selling that "almost". It is "slightly" harder than your theoretically
suggested algorithms.
Your code can be decrypted with every language. And whether to call
deZerge() or deXOR() doesn't really matter, some work has to be done
either way. I could easily write a little PHP bot to spam all the sites
"protected" by your script. I just don't want to help the real spammers.
Post by Xander Zerge
Post by Michael Fesser
A script is a script. Whether a bot uses PHP, Perl or JS to decipher
such "encryption" doesn't really matter, even though JS would make the
most sense on an HTML page. They just have to do it, and one day they
definitely will.
Here is a definite difference between us: while you are theorising, I am
solving practical problems.
By causing other more severe practical problems for your visitors.
Post by Xander Zerge
One day we all die. What live for?! :-)
Sex and black beer. But Budweiser is also OK.
Post by Xander Zerge
Post by Michael Fesser
You still ignore the severe accessibility problems and the false sense
of security that you're selling to your customers. You're selling bugs,
not solutions.
It is so funny to see how you are giving your theoretical hypotheses as
"proved arguments". :-)
It's also quite funny to see how you ignore naked facts.
Post by Xander Zerge
I've said enough, you are beginning second round of the same discussion, so I
see no reason for continuing answering your theoretical thoughts.
You're still ignoring the practical thoughts, but OK.
Post by Xander Zerge
I hope everyone already understood, that JavaScript is one of browser tools
and we are using this tool for stopping spam bots.
And I hope that everyone understands that applying snake oil doesn't
solve any problems, but causes other ones. Fighting spam bots the way
you do always means to also fight regular users, which can be easily
proven by most simple logic.
Post by Xander Zerge
It simply works. It stops
bots with no need to program something on server-side, what is especially
helpful for those who uses FrontPage Server Extensions and wishes to know
nothing about php, asp, etc.
It also stops regular users, but you still refuse to understand that.
Post by Xander Zerge
This is my last message here in thread.
I wish good luck everyone in fighting spam bots, and you all are welcome to
contact me directly for advices.
Indeed, good luck. And come back if you run into accessibility problems.
You've paid for the problem - the cure comes for free.

EOT
Micha

Paevo Kelley
2008-08-06 20:39:46 UTC
Permalink
Damn those bots!
seomax
2008-08-07 05:36:33 UTC
Permalink
yes captcha and human asked question will deal good for avoiding spammers
P@tty Ayers ~ACE
2008-08-07 19:50:35 UTC
Permalink
Post by seomax
yes captcha and human asked question will deal good for avoiding spammers
Wow - after all this discussion, finally someone comes along with a simple
answer! I hope you can show us how to deal good with some other problems
too.
--
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate Worksheet
--
actionscafe
2008-08-07 21:34:27 UTC
Permalink
Maybe this is a simplistic solution...

Create a field on your form that only accepts an exact match to a "value" that
you've entered in the field description text. This should stop SPAM robots.
This value must be entered by hand, by the applicant. Robots can't understand
text instructions so they wouldn't be able to fill it in.

Of course you'll need a form validation script that can test this field for
an exact match to a value entered in the validator. You should be able to find
one for free somewhere if you don't want to invest in commercial software. This
is the solution used in actionscafé's form validator, VerifyForm, and it seems
to work.
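
Added example, not part of any post in this thread and not code from formmail.cgi or any product mentioned: a server-side screen that combines the two checks discussed above, the hidden honeypot field that must stay empty and the visible "Should this form be submitted (yes/no)" field that must contain "yes". The field names `website` and `confirm` and the sample POST bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumed field names (not from the thread): "website" is the hidden honeypot
# input, "confirm" is the visible "Should this form be submitted (yes/no)" box.
HONEYPOT_FIELD = "website"
CHALLENGE_FIELD = "confirm"
CHALLENGE_ANSWER = "yes"


def screen_submission(raw_body):
    """Decide on the server whether a urlencoded POST body may reach the mailer.

    Returns (accepted, reason). The check runs server-side because a bot that
    posts straight to the form handler never runs the page's JavaScript.
    """
    # keep_blank_values so an empty honeypot is seen as "present but empty".
    fields = parse_qs(raw_body, keep_blank_values=True)

    # Honeypot: humans never see it, so any non-blank value means a script
    # filled every input. A repeated field counts if any copy has content.
    if any(v.strip() for v in fields.get(HONEYPOT_FIELD, [])):
        return False, "honeypot filled"

    # Challenge: must be present exactly once; tolerate case and stray spaces
    # so a person typing " Yes" is not rejected.
    answers = fields.get(CHALLENGE_FIELD, [])
    if len(answers) != 1:
        return False, "challenge missing or repeated"
    if answers[0].strip().lower() != CHALLENGE_ANSWER:
        return False, "challenge wrong"

    return True, "ok"


# Constructed sample POST bodies, not captured traffic.
SAMPLES = {
    "human": "name=Ann&email=ann%40example.org&website=&confirm=+Yes",
    "fills_everything": "name=x&email=x%40example.org&website=http%3A%2F%2Fx.example&confirm=x",
    "skips_unknown_fields": "name=x&email=x%40example.org&message=buy+now",
    "repeats_challenge": "name=x&website=&confirm=yes&confirm=no",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, screen_submission(body))
```

A submission that omits both fields passes the honeypot test but fails the challenge, which is why the two checks are paired rather than used alone.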