Beating form spam with captchas and honey pots

We are seeing a significant increase in spam sent through web forms. Here are some tips on dealing with it.

Unfortunately, spammers are getting more and more aggressive, and we are seeing a very significant increase in the amount of spam sent through web forms. Rather than sending spam to email addresses, spammers are posting their information to forms on websites.

This approach has several benefits for spammers. The main one is that it makes it much harder to track down the original source of the email, because the mail server associated with the spam will be that of the web form, not the spammer's.

In the worst case, a poorly coded web form may be open to 'injection' attacks, in which the spammer submits extra hidden values that trick the mail server into sending mail to new recipients, thus using your web form as an open mail relay.

Because filling out forms is laborious, it is very unlikely that spammers do any of this manually: they use 'bots' programmed to hunt out forms, interrogate them and then submit to them automatically.

For these reasons it is very important that web forms are built by experts who know how to lock them down securely and that you consider adding additional features to limit non-human submission of the forms.

Firstly, it is vital that your forms are guarded against injection attacks. Those programming the form need to properly pre-process all submitted variables and strip them of any malicious data. If there is a small set of intended recipients for the form, then extra code can be added to ensure that only those recipients are accepted. Many of the free 'formmail' scripts that can be downloaded and installed on a simple hosting account do not adequately guard against such attacks, so it is best to engage a developer with expertise in this area rather than try to do it yourself.

Secondly, you may want to add some form of guard against the bots, in the form of a captcha or a hidden form field 'honey pot'.

The captcha approach involves adding an image, sound or question that can only be identified by a human; this is probably the most effective approach if done well. The drawbacks of this option are that it adds resistance to form submission and may put people off, and it adds a few more hours' work to the process, particularly if you want your form to comply with accessibility standards, which prohibit the use of images.

The hidden form field 'honey pot' approach involves adding an extra field to the form that is hidden from humans but will be found by the bots. The bots will automatically submit something into the field, and you will then be able to identify which submissions come from bots. This is even more effective if you name the hidden field 'email', as the bots will be drawn to it and put email addresses in there. This approach has the nice advantage of placing no extra burden on humans.
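The following is an added example, not code from the original article, showing the two server-side guards described above in one place: the recipient allow-list and line-break check against header injection from the first point, and the 'email'-named honey pot field from this one. The allow-list addresses, the field names and the off-screen markup are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical allow-list: the only addresses this form may deliver to (assumed for the example).
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}

# The honey pot is named "email" to attract bots; the real e-mail field must then use another name.
HONEYPOT_FIELD = "email"
REAL_EMAIL_FIELD = "contact_address"

# Fields that end up in mail headers; a CR or LF inside them would let the submitter
# append headers such as Bcc: and turn the form into a relay.
HEADER_FIELDS = ("recipient", "subject", REAL_EMAIL_FIELD)
_LINE_BREAK = re.compile(r"[\r\n]")


def honeypot_markup() -> str:
    """Markup for the hidden field: positioned off-screen rather than type=hidden,
    so bots that skip hidden inputs still see an ordinary text box."""
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label>Leave blank <input type="text" name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off"></label></div>'
    )


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def check_submission(fields: dict) -> Verdict:
    """Decide whether a posted form (a dict of field name -> value) may be mailed."""
    reasons = []
    # 1. Honey pot: humans never see the field, so any content means a bot filled it.
    if fields.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot filled")
    # 2. Recipient allow-list: extra or altered recipient values are refused outright.
    if fields.get("recipient", "") not in ALLOWED_RECIPIENTS:
        reasons.append("recipient not allowed")
    # 3. Header injection: reject rather than silently strip, so attempts show up in logs.
    for name in HEADER_FIELDS:
        if _LINE_BREAK.search(fields.get(name, "")):
            reasons.append(f"line break in header field {name!r}")
    return Verdict(accepted=not reasons, reasons=reasons)
```

Rejected submissions should be logged with their reasons rather than bounced to the submitter, so that bot traffic can be reviewed without giving the bot feedback.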

If you really want to be sure, implement both approaches. Neither approach is perfect, and the spam bots are constantly being re-engineered to thwart these techniques; no level of protection can be considered totally effective against spammers.
