... ask anti-spam question on *contact* form?

rossharvey · 2014-07-27 15:00:26

I’m using zem_contact_reborn but the help doesn’t mention this kind of input, and a search on this forum yielded no results.

Something simple such as: 1 + 2 =, or a Q & A question.

Is it possible?

Getting lots of email spam as of late :/

colak · 2014-07-27 16:01:22

Hi Ross

did you try zem_prblock? Although the plugin is no longer available in Alex’s site its compressed version is available from the forum thread.

rossharvey · 2014-07-27 16:51:22

Hi Yannis,

It’s not for comments, it’s for the contact form itself; to stop bot/automated emails.

gomedia · 2014-07-27 21:39:37

adi_contact may be of use

Bloke · 2014-07-27 21:43:20

Or if you don’t mind a bit of PHP you can roll your own spam trap (which also has a link to the pap_contact_cleaner plugin that works with ZCR’s callbacks to help weed out spambots).

Q&A methods won’t stop human spammers employed by the pharma companies to just fill out forms, who seem to be making an annoying comeback of late…

colak · 2014-07-28 04:07:21

rossharvey wrote #282478:

Hi Yannis,

It’s not for comments, it’s for the contact form itself; to stop bot/automated emails.

ops… i had a brain pause there.

colak · 2014-07-28 04:38:18

Hi Ross, I just visited your site and the contact form page where I noticed that you do not use the inbuilt spam prevention

<txp:zem_contact_checkbox label="This is not spam" /> after the textarea field should reduce bot generated spam to the minimum. You can of course edit the message which will appear.

rossharvey · 2014-07-28 09:53:49

Thanks very much for the suggestions!

Very helpful (as always).

Bloke · 2014-07-28 11:58:26

colak wrote #282490:

<txp:zem_contact_checkbox label="This is not spam" />

I may be a little dim here so please excuse my ignorance, but I’ve seen this tip in a few places and I can’t see how it helps reduce spam. Does it actually work?

From my experience, one thing that differentiates a large chunk of spam bots from humans is that they are greedy. They vacuum up all content and use it, because any field they miss might be the one that generates a sale, or could be the one needed to complete the submission process (e.g. “I agree to the terms of submission”).

Put it this way: if I was writing a noddy spam bot, my first port of call after sniffing out a potential contact form would be to:

Find the message body/subject and insert my annoying content.
Find a name and/or email field and put some fake, yet valid, stuff in there.
Search for all remaining <input> or <select> elements and set them to 1. In other words, check all checkboxes, and choose the first radio/select option, just in case it’s important.

Because my spam bot isn’t very bright, doesn’t understand English, and I want to maximise my chance of the payload reaching its destination, that’s my default modus operandi. So adding an ‘are you human’ (or equivalent) checkbox means my spam bot ticks it by default and thwarts the anti-spam measure; a measure which, incidentally, happens to inconvenience real users who might miss the checkbox and have their message ignored or not delivered.

pap_contact_cleaner (and other custom spam-diminishers I’ve employed) uses the inverse approach. It randomly adds one or two form fields that are hidden via CSS (or even hidden using HTML, but that’s easier to detect automatically without Javascript). It doesn’t matter what field types they are: checkboxes, inputs, anything. Because they’re set as display:none, humans (and hopefully screen readers, but I don’t know) won’t see them so will not even know they exist to fill them out. But bots, being the voracious critters they are, will see the fields and go “om nom nom conteeeent shlurrp yum” and fill in the field(s).

Thus, upon form submission you can safely drop any message that has any content whatsoever in any of the hidden form fields, because it MUST be spam.

Clever bots may of course read the fields better, and if they smell a bit different to the others (e.g. if they detect the field’s visibility) might choose not to complete them. But that’s harder to do, as they won’t necessarily know if the fields are invisible because other fields might ‘trigger’ them to appear (e.g. as part of a form wizard or something). In fact, you can deliberately confound them by doing that very practice: have your legitimate contact form fields only appear after ticking a box, clicking a button, selecting a subject / message type, etc. That way, the bot will have little choice but to touch every inputtable element in the <form> because it won’t know which fields are hidden for spam purposes and which are real, initially-hidden fields that need filling out by humans.

Anyway, as I say, I might have missed something completely obvious in the ‘Are you human’ checkbox approach. Please would someone enlighten me on its effectiveness, and if it works, how it does so. Thanks!

rossharvey · 2014-07-28 12:06:51

^ Makes sense.

I’m testing it [the simple checkbox] as we speak.

So far it has stopped the barrage (from a singular source).

Bloke · 2014-07-28 12:35:08

rossharvey wrote #282500:

So far it has stopped the barrage (from a singular source).

Maybe I give spam bots too much credit then! If it works, it works, nice.

colak · 2014-07-28 12:57:14

Using the little snippet basically stopped all bot spam from my sites. I do get the occasional spam message but they are too few and too sparse to worry about.

Textpattern CMS

Textpattern CMS support forum

#1 2014-07-27 15:00:26