Hi Markus,

Good points.  However, we haven't had much trouble filtering outside spam from 
web forms, so I wasn't thinking of it from that perspective.

The main trouble we've had is filtering spammy form submissions to customers 
from their own websites.  Those sites are using our internal servers, so they 
deliver directly, bypassing our filtering.  For this CAPTCHA has been the 
answer, though checking the referring URL has been a 2-second fix that has been 
good enough in some cases where customers didn't want CAPTCHA or didn't want to 
pay us the minimal fee to implement it.

Darin.


----- Original Message ----- 
From: Gufler Markus | Limitis 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 10:53 AM
Subject: RE: [Declude.JunkMail] form spam filter


Matt, Darin

Would it be possible that you both forget that 99.9+% of all incoming formmail 
spam is sent from millions of webservers all around the world and you have no 
control over it?

Darin: 
It wouldn't be virtually impossible to keep a list of all these webservers. Some 
IP blacklists have been trying to do this for years now.
Also don't forget that a great part of websites are hosted on shared web hosting 
servers, and even if you would catch some spammy messages by flagging some IP, you 
could never be sure that some legit message from the same server isn't caught 
as a FP.

Markus






------------------------------------------------------------------------------
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Wednesday, April 09, 2008 4:24 PM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] form spam filter


  Darin,

  I think you missed what I was saying exactly.  If the form spammer fills out 
the fields that are hidden by DIVs, the E-mail wouldn't be sent by the mailer 
script and it would pretend to have been successful.

  Spammers use programs to do this stuff, and although they are intelligent 
programs, they almost definitely will target fields named "Name" and "E-mail", 
and if on their first try they fill these fields in and they get a positive 
response from the script, their program will stop trying to fix issues.

  I won't claim that this method is 100% effective, but I have used it in some 
cases and no one ever said that it didn't do the trick for them.  If they got 
through that trick, I would ban URLs with a JavaScript alert and then silently 
with the mailer script (figuring that no real people would get a URL to the 
mailer script).

  This is the easiest of all methods to implement.  It takes 5 to 10 minutes to 
fix a form and you don't hinder your visitors with CAPTCHAs.  It's not like 
there isn't code being used by spammers elsewhere that reads CAPTCHAs anyway, 
though I suspect that the current form spammers are not doing that right now.

  Matt



  Darin Cox wrote: 
    Hi Matt,

    Some do, some don't.  I've seen both methods used on some customer sites.

    Setting session variables on the form page definitely wouldn't work, as a 
spammer that hits the form would receive the same session information anyone 
else would.

    Certainly checking data against constraints is _always_ important, whether 
to prevent hacking, avoid data exceptions, enforce business rules, etc.

    The method you outline seems like it would only work if the spammer doesn't 
submit to all fields.  Some of the attempts we've seen populated all fields, so 
this wouldn't work on those.

    I'd stick with CAPTCHA as the best and most foolproof method to avoid these 
problems.  It's fairly easy to implement (there are a number of free examples 
in public domain), is familiar to most people filling out the forms, and works 
well.

    Darin.


    ----- Original Message ----- 
    From: Matt 
    To: declude.junkmail@declude.com 
    Sent: Wednesday, April 09, 2008 8:55 AM
    Subject: Re: [Declude.JunkMail] form spam filter


    The form spammers are smarter than to go directly to the mail script.  They 
will hit the form submission page with what appears to be IE and submit the 
form.  They even handle cookies correctly.

    The trick for form spam is to take fields like your Name and E-mail and 
rename the variables to something like "ignore-old-data1" and 
"ignore-old-data2" and adjust your mailer script for the new names.  Then you 
insert new form fields in the form page that are hidden with a DIV and call 
them Name and E-mail.  Your mailer script should pretend that the E-mail was 
successful if these fields have data in them, but you should simply 86 the 
actual message.  This will trick their testing software into thinking that they 
were successful, and the DIVs with visibility hidden will not be seen by 
normal visitors.  You might also want to put some JavaScript in the form 
submission page that looks for a URL in the form and warns the submitter that 
they can't send URLs, and then also have the mailer script silently reject a 
submission that has a URL in it.  RegEx would be required in both JavaScript 
and the ASP or whatever code to do the URL checking.

    As far as I know, this seems to work perfectly, but setting session 
variables on the form page doesn't do a damn thing.

    Matt



    Darin Cox wrote: 
      Since forms all use different emailers, and the form content is different 
as well, your only hope is content filtering based on what the spammer 
submitted... like SURBL filtering or REGEX on the spammer submission.

      These days, web-based form processing pages should minimally check that 
the referring page is what it is supposed to be (i.e. the form page submit 
button was clicked as opposed to a spammer submitting directly to the form 
action URL), and better yet implement CAPTCHA, require a login, or some other 
similar security measure.

      Darin.


      ----- Original Message ----- 
      From: Craig Edmonds 
      To: declude.junkmail@declude.com 
      Sent: Wednesday, April 09, 2008 3:16 AM
      Subject: [Declude.JunkMail] form spam filter


      Hi All,


      Is there a filter for form spam?


      Some clients complain that they get form spammers sending in junk via 
their web forms.

      Some clients have captchas on their forms some don't, but I would like to 
be able to filter out the junk at declude level.


      Any ideas?


      Kindest Regards
      Craig Edmonds
      123 Marbella Internet
      W: www.123marbella.com
      E : [EMAIL PROTECTED]


      LEGAL DISCLAIMER - This message may contain confidential, proprietary or 
legally privileged information and is intended only for the use of the 
addressee named above. If you are not the intended recipient of this message 
you are hereby informed that you must not use, disseminate, copy it in any form 
or take any action in reliance on it. If you have received this message in 
error please delete it and any copies of it and notify the sender. 


      LEGAL NOTICE - This message may contain confidential, proprietary or 
legally protected information and is intended solely for the use of the 
addressee. If you are not the intended recipient of this message, you are 
hereby informed that you must not use, disseminate, copy it in any form, or 
take any action in reliance on it.



      ---
      This E-mail came from the Declude.JunkMail mailing list. To
      unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
      type "unsubscribe Declude.JunkMail". The archives can be found
      at http://www.mail-archive.com. 




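The three server-side checks discussed in the quoted messages above (Darin's referring-page check, Matt's hidden decoy fields and silent URL rejection), written up as an added example that is not code from any participant in this thread. The field names follow Matt's description; the form URL, the `message` field and the sample submissions are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Decoy fields keep the tempting names and sit in a hidden DIV; the real
# inputs were renamed so a human's data arrives under the "ignore-" names.
HONEYPOT_FIELDS = ("Name", "E-mail")
REAL_FIELDS = {"ignore-old-data1": "name", "ignore-old-data2": "email", "message": "message"}
# Matches an http(s):// or www. URL anywhere in a field value.
URL_RE = re.compile(r"(?i)(?:https?://|\bwww\.)\S+")

def referer_matches(referer, form_url):
    """True when the Referer names the form page itself (scheme, host and path)."""
    got, exp = urlparse(referer or ""), urlparse(form_url)
    return (got.scheme, got.netloc.lower(), got.path) == (exp.scheme, exp.netloc.lower(), exp.path)

def classify_submission(fields, referer, form_url):
    """Return (verdict, payload): 'accept' with the cleaned fields, or 'referer',
    'honeypot' or 'url' with None when the message is to be dropped."""
    if not referer_matches(referer, form_url):
        return "referer", None
    # Visitors never see the hidden DIV, so any data in it came from a bot.
    if any(fields.get(f, "").strip() for f in HONEYPOT_FIELDS):
        return "honeypot", None
    if any(URL_RE.search(v) for v in fields.values()):
        return "url", None
    return "accept", {REAL_FIELDS[k]: v for k, v in fields.items() if k in REAL_FIELDS}

def response_for(verdict):
    """Status and body shown to the submitter. Honeypot and URL hits get the same
    success page as a real message, so the spammer's tool believes it worked."""
    if verdict == "referer":
        return 403, "Forbidden"
    return 200, "Thank you, your message has been sent."

FORM_URL = "https://www.example.com/contact.html"  # hypothetical form page
# Constructed samples: a visitor, a bot that fills every field, a bot posting
# a URL, and a direct POST to the action URL that carries no Referer.
SAMPLES = {
    "visitor": ({"ignore-old-data1": "Jane", "ignore-old-data2": "jane@example.org",
                 "Name": "", "E-mail": "", "message": "Is the shop open Sunday?"}, FORM_URL),
    "fills_all": ({"ignore-old-data1": "x", "ignore-old-data2": "x@x.test",
                   "Name": "Bot", "E-mail": "bot@x.test", "message": "hi"}, FORM_URL),
    "url": ({"ignore-old-data1": "x", "ignore-old-data2": "x@x.test",
             "Name": "", "E-mail": "", "message": "see www.example.net/offer"}, FORM_URL),
    "direct": ({"ignore-old-data1": "x", "ignore-old-data2": "x@x.test", "message": "hi"}, None),
}

def run_samples():
    """Map each constructed sample name to the verdict the handler gives it."""
    return {n: classify_submission(f, r, FORM_URL)[0] for n, (f, r) in SAMPLES.items()}
```

Only the dropped message differs between a honeypot hit and a real submission; the HTTP response is identical, which is what keeps the spammer's tool from adapting.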