
Technical Support Forums


anti spam

Thread began 8/18/2009 3:01 pm by CraigR | Last modified 9/08/2009 3:14 pm by Ray Borduin | 4644 views | 10 replies |

CraigR (Beta Tester)


I have a contact form with a honeypot and a captcha to help combat spam, but still get a regular throughput of offers for Russian viagra (which I don't need). ;-)

I was thinking, is there a way I can hide a select list item from display, which is visible to spambots but not to a user (a variation on a honeypot, I suppose), so I can further help filter out the rubbish we are constantly bombarded with?


anonymous

Craig,

Is your honeypot a hidden form element or an actual text input that is positioned off the page?

That may be the issue without knowing how you set the honeypot up. I know in the past, when I have used just a hidden form element for the honeypot with a blank value, it didn't work at all.

But, if you make a text input box and give it an id like "honey" and then add a class to it... call it .honey or whatever else. Then for the CSS in .honey, set the position to absolute and give it a left value of something like -9000px. That way, a bot will see it but a human won't. Then do your PHP check to make sure that $_POST['honey'] is empty or FALSE before letting the form continue to process.

Just some thoughts... sorry if I am telling you something you already know.

Best regards,

Brian


CraigR (Beta Tester)

Hi Brian, Thanks for the reply.

My honeypot currently consists of a form element which is set to display: none; in CSS.
Is it better to move the field off the page rather than just hide it?

My PHP then looks for text in the field, which, if present, sets my suspect flag to true and then doesn't send the mail when the form is submitted.

My form ALSO has a captcha, but I still get some spam through.

My logic behind the original question was that all the spam I seem to get has the first item from my select list as the mail title, so if I could hide the first item from humans, I could process the suspect list value accordingly.

Oops!
Just looked at the code on my page to refresh my memory, and I noticed a minor typo in my code which meant the suspect flag wasn't being set, even if the honeypot had some text input.
That would explain a lot.


anonymous

Hi Craig,

While I am not 100% certain about the display issue being none or positioned off the page, I have read several books including the 2 PHP books from David Powers and a couple of CSS Mastery books and all of them suggested to use CSS to position them off the page rather than set the display to none. Perhaps, setting it to none, means it cannot get read at all by the bot because it won't be regular text and input inline with the actual form. So, I would probably recommend to position it off the page just to be sure; I know for a fact that it will then get picked up by the bot and probably filled in.

If you are still getting spam even through captcha... you may have a bot utilizing the script without even having to go through all the fields. One way to avoid this is to have the script on another page - so if captcha checks, it then moves to the process page. Personally, though, I would prefer to have the process right on the same page. To do this, you could not only run the checks on validation of the honeypot and captcha, but if they fail - add both a header redirect and the "end;" command to ensure that the script cannot be used in any way. I think if you put the end command in after your redirects, it will solve a lot of problems as the script will completely be killed at that point.

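The checks discussed in the posts above, as an added example that is not code from any participant in this thread: an off-screen text input, a server-side test that it came back blank, an allow-list on the select value, and a redirect followed by `exit` so a rejected post never reaches the mail code. The field name `honey` follows Brian's post; the `subject` field, the `ALLOWED_SUBJECTS` values and `/contact.php` are assumptions.

```php
<?php
// Added example. The field name "honey" follows the post above; "subject",
// ALLOWED_SUBJECTS and /contact.php are assumptions for illustration.
//
// Form markup this handler expects (constructed):
//   <style>.honey { position: absolute; left: -9000px; }</style>
//   <input type="text" name="honey" id="honey" class="honey"
//          tabindex="-1" autocomplete="off">

// Values offered by the form's <select>; a browser can only send one of these.
const ALLOWED_SUBJECTS = ['General enquiry', 'Sales', 'Support'];

// Return the reasons a submission looks automated (empty array = accept).
function spamReasons(array $post, array $allowed = ALLOWED_SUBJECTS): array
{
    $reasons = [];

    // A browser always submits a text input, even when blank, so a missing
    // field means the request was posted straight at the script.
    $honey = $post['honey'] ?? null;
    if (!is_string($honey)) {
        $reasons[] = 'honeypot field missing';
    } elseif (trim($honey) !== '') {
        $reasons[] = 'honeypot field filled in';
    }

    // Strict comparison against the allow-list; arrays and unknown titles fail.
    $subject = $post['subject'] ?? null;
    if (!is_string($subject) || !in_array($subject, $allowed, true)) {
        $reasons[] = 'subject not offered by the form';
    }
    return $reasons;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions, for running this file from the command line.
    var_dump(spamReasons(['honey' => '', 'subject' => 'Sales']));
    var_dump(spamReasons(['honey' => 'http://spam.example', 'subject' => 'Sales']));
    var_dump(spamReasons(['subject' => 'Message from Website visitor']));
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reasons = spamReasons($_POST);
    if ($reasons !== []) {
        error_log('contact form rejected: ' . implode('; ', $reasons));
        header('Location: /contact.php', true, 303);
        exit; // nothing after a failed check runs, including the mail code
    }
    // CAPTCHA verification and the mail send follow here.
}
```

Returning the reasons as a list and logging them makes a check that never fires easy to spot in the error log.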

Ray Borduin (WebAssist)

It is just a matter of hiding it from the bot. Some bots may be smart enough to not edit hidden form elements, some may check visibility or even position. The nature of the honeypot is such that not every bot will get their hand stuck in the jar.

Captcha and obvious question should be much more reliable, but unfortunately not all spam is done by a bot.


CraigR (Beta Tester)

Re Spam

I am getting fewer spam messages now, and I have noticed that those I receive have a message title which doesn't correspond to any of the titles I have available on my mail form, which leads me to suspect that what is getting through is not beating my honeypot and captcha at all, but simply using root@domainname to spam me.

Anyone have any tips / suggestions to help counteract this?


Ray Borduin (WebAssist)

I'm not sure I fully understand what you mean by "using root@domainname to spam me"... can you explain a little further and maybe I can try to help.


CraigR (Beta Tester)

Hi Ray,

What I mean is that all of the spam emails have root@domainname as the recipient.


Ray Borduin (WebAssist)

I'm not sure of the security hole or issue regarding root@domainname. I did some research but couldn't find anyone else with similar reports either. Do you have any more information other than the common to address?


CraigR (Beta Tester)

Hi Ray.

Sorry, I may be being dumb here.

An example of a mail I get would be along the lines of the attached image.

On my contact form, the message title 'Message from Website visitor' is not one of the options available, so I am thinking that the junk I am receiving is not coming via my contact form.

If I were to send junk mail to root@webassist.com, what would happen to it?
