Zyra info //// Zyra's website //// Spam //// HTML Tricks //// Site Index

Form Spam

How to beat spam bots that fill your online form on your website.


Guestbooks and online forms are sometimes vulnerable to spam robots which go around looking for forms to fill in. Spam bots enter various daft spurious details and press "submit". They do this automatically. If you have no filtering to defend yourself, you may end up with pernicious items on your guestbook linking to online rackets and scams, porn sites, and dubious loans. Spam form fillings typically have a web link or two, phone number, e-mail address, and some attempt at a name. However, these are all false and the form is actually being filled by a robot, the idea behind it being to insert dodgy links on your site, to corrupt your e-mail database, to market spam ware to you, and various other noxious practices.

Note that the problem in this case isn't merely that the spam senders have harvested the e-mail address dedicated to your form, but that the robots are actually filling in the form and pressing "submit". How can they do this? You may wonder.

You may be asking What can I do to stop spam from coming via my FORM? Well, help is at hand. Whether you are having bulk spam entries on your guestbook or nuisance applications to your customer form, there are answers.

A while ago, Perceptions Forum (run by mad people for mad people) was attacked by spam bots which located the Perceptions form filling page and entered thousands of entirely spurious sets of details. Paranoids such as myself may feel "they are out to get us" but in fact the nuisance involved has no specific target and just attacks everyone's form filling page if they can find it. Several quite weak attempts have also been made at attacking the Zyra Newsletter form filling page, to no avail.

This is typical of the type of thing that arrived:

Perceptions Forum FORM

Name: hyip program / jorge Gonzales
Address: 198 Tremont Street, 506 or
[some bogus link]
Phone: 6175075939
Phone: hyip program 5001020 or 123456
e-mail:
[some made-up email address]

user?
survivor?

otherfield: New York
gender: female

E-newsletter:
Perceptions:
Join-Request:

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.23/513 - Release Date: 2006/11/02

By the time this was stopped, over fourteen thousand stupid form fillings had arrived. However, this did not do the spam senders any good, and the problem was largely irrelevant. The reason is simple, and you may be able to use this technique to defeat a similar problem which may be happening to your website. On Perceptions Forum the form had most fields optional and the robot form filler made various half-hearted attempts to fill it in, but the signing up to such things as the newsletter were optional. Crucially, the robot ticked NONE of the boxes, which meant the form could be ignored. Humans always signed up to at least one option, so it was easy to tell the difference.

In a similar way, you could add to your form a simple question which must be answered correctly. What's two plus two? How do you spell the word BANANA? etc. Actual people will put the right answer in, but spam bots will completely fail to answer properly and their failure will make their nuisance form fillings easy to dismiss.

I've also noticed that as well as failing to enter any voluntary options, spambots filling forms also make poor decisions when confronted by a set of radio buttons. They seem to always enter the FIRST one, as they aren't clever enough to try to figure out what's being asked. Therefore you could have a form which has radio buttons as follows:

I am a spam bot. Please ignore this form.

I am a free thinking intelligent person. Please take heed of this form, as I am serious about entering my details.

I have no idea what this is about.

The spam bots will all enter the first option and you can ignore the form. As for the human visitors, it doesn't matter whether they are clever or not. Provided they don't enter the first option, they'll get their form through.

Some spam bots enter the last option, in which case, you need to configure your form accordingly. Also, having an "ignore" option is also good, as humans will intelligently ignore it whereas the bots will select it as they don't know any better.

If you implement some changes to your form-filling form it's worth knowing that some of these parasitic piratical systems may have cached your old form and be using that instead. If so, this can also be defeated, by making the new form different in such a way that submissions via the old form are no longer valid. You can do this by having a new option on your new form which says "tick this box if you want to be taken seriously and not ignored".

You can see a similar idea at the email address hiding page. Remember that the robots doing the dirty work for the spam companies are not very intelligent, and can be easily fooled. Plus, even if the spam companies get really clever geeks to program their systems to do something brilliant, they can still be defeated by a question which humans would find easy.

These techniques are simpler versions of those things where you are expected to enter a slightly obfuscated word or sequence of numbers and letters. Results: Humans 99%, SpamBots 0%

If your website form has not been attacked by bots yet, don't worry. When it happens, you'll have bookmarked this page and know a simple solution to fool the accursed spambots.

Also, if your form results have something specific about them, such as a subject title that says "WWW Form Filling" etc, then you have immediately defeated form address harvesters by filtering messages out that don't contain that. (Note that the bots harvesting the form send e-mail address are a lesser breed than the form-filling bots. Both can be defeated, relatively easily, though).

Another question: Why do they do it? What do these people have to gain by being a nuisance in filling in stupid forms? ...Answer: It's usually a form of search engine cheating. By infesting your form database or your guestbook with naff links to their sites they can get their site above others on searches without due merit. If they are selling something like impotence pills then that might make them some money for a short time until the search engines suss them out.

Anyway, you don't have to let them get away with it! Tweak your form and your filtering method and you'll have them foiled and seen off with short shrift!