"Join our next webcast with Maxwell Rowe from @mackeycreativelab as he discusses ways to help students reach their educational goals using the guided pathways model on your website. http://bit.ly/2zhdcIt"
University Web Developers
Web Form Spam
Recently we have begun to experience an increase in spam generated from some of our web (HTML) forms. How do you deal with this? I'm concerned that some solutions may be inaccessible (I.e. CAPTCHA).
Views: 140
Replies to This Discussion
-
Permalink Reply by Chris Pollock on
-
nice.. I was not aware that this was available.
-
Permalink Reply by Mike Adams on
-
I got the idea from someone on uwebd. It's worth twice the price of admission!
-
Permalink Reply by Rik Williams on
-
You're all wrong, you need to apply the Land Before Time method!
The W3C has an interesting piece discussing this issue.
-
Permalink Reply by Edward Terry on
-
We are experimenting with the recaptcha API for some of our forms. The audio feature of it was quite appealing. It may not be a system wide solution, but to us it was worth a look.
http://recaptcha.net/learnmore.html
-
Permalink Reply by Richard Orelup on
-
Another interesting method I have seen is to add
enctype="multipart/form-data"
to your form and check for that when processing. I guess most bots don't know to change their encode type. Granted this is another short fix till they decide to do that.
The other ones I know of are mostly Javascript based which I won't use on the off chance they don't have it enabled.
-
Permalink Reply by Stephanie Leary on
-
Here's Jonathan Snook's method.
-
Permalink Reply by Scott Crevier on
-
I recently tried a concept that seems to work well. It's based on the fact that most bots only visit a form page once, so that it can harvest the form and all its field names, action URL, etc. This info about the form is then stored in their database somehow, and is then used to constantly hammer the action URL by sending values for all the fields.
(Before continuing, let me say that I took a pretty detailed look at my server logs, found IP addresses of bots sending form spam, and discovered that those IP addresses were not actually visiting the form page itself. They were only submitting to the action URL.)
So, knowing this, I created a method that logs the IP address of every visit to a form. So when you visit a web page with a form on it, your IP address is logged, and you now have permission to actually submit the form. Then I changed my form handling program to check the incoming IP address against that log, to make sure that it has permission to submit the form.
In other words, you're not allowed to submit a form unless you actually visit the form web page first. Most bots do not visit the form web page first, and therefore most all form submissions are now coming from humans.
The main reason I like this solution is that it's all server-based. No javascript. No CAPTCHA. Nothing extra for users to do. And I got fantastic response from the form submission recipients. Form spam dropped to virtually zero!
Then came a problem. A number of visitors started reporting that they could not submit our forms. After investigating IP addresses, I found that they are all AOL users. It seems that AOL is doing some stuff with their IP address allocation, so that a user's IP address can actually change during their online session. This of course throws my whole theory out the window.
So, I currently have this whole thing turned off, and I'm hoping to figure out a way to still use it. I figured I'd post it here anyway, with the hope that maybe someone else can expand on it with a good idea.
-
Permalink Reply by Anthony on
-
Scott,
AOL uses proxy servers that make many users look like one IP address and, as you discovered, makes the same user look like different IP addresses sometimes.
You can check the referrer in the script for the action url to verify it came from the form page and achieve about the same amount of security without all the extra work; and avoid the AOL problem. Referrers can be spoofed, but so can IPs.
-
-
Most the bots I have dealt with are smart enough to spoof the referrer so that method hasn't been that fruitful for me.
Though Scott I think a better was to handle your situation is instead of putting an IP address in your DB, make a random seed and put that in the DB and place it in a hidden field in the form. After the person submits the form delete it from the database (to remove the chance you later generate the same seed and the person can't submit) and now when the bots attempt to keep doing it they won't be able to.
I think that method would fix the issues had with the previous solution.
-
-
Interesting, very interesting Richard. That seems to make sense. I'm definitely going to think about that a bit.
-
-
Yeah, when I did my initial look into the form spam in my server logs, I found a lot of spoofed HTTP_REFERERs. Their initial harvesting process just logged the URL of the original form and simply sent that with the form submissions. I know that IP addresses can be spoofed too, but after banging heads with a couple of other IT minds, we figured that using IP address is more reliable (less spoofed).
I also know about AOL's caching system (as well as the ability for any ISP to do the same). But I only thought that the risk would be multiple visitors with the same IP address. What I didn't realize is that an AOL user doesn't use the same cache server throughout the life of a single online session, hence the possibility of changing IP addresses.
I still like my original concept of insuring that a user actually visits the form first before submitting. I like a couple other ideas posted here too.
-
-
I haven't had a chance to try it yet, but the honeypot method seems to be working pretty well for people.
http://www.modernblue.com/web-design-blog/fighting-spam-with-css/
Or the simple question method:
"Please enter the letter a in the box at left."
http://www.subtraction.com
I've also seen, "Is ice cream hot or cold?"
Unfortunately, I don't think I have the ability to do any of this on the server site within our CMS.
- ‹ Previous
- 1
- 2
- Next ›
Elsewhere
Latest Activity
"Frustrated with student retention efforts and low graduation rates? Maybe it’s time to consider the guided pathways model for your institution's website. Check out our latest white paper for all the details! http://bit.ly/38rNild"
"OmniUpdate is excited to be in the running for a People’s Choice Stevie Award for Favorite Customer Service! If you’d like to show your support, cast your vote now! You can vote as many times as you’d like."
"Take a ½ hour out of your day to learn 4 important tips on keeping your website accessible! Join Ryan from Paskill Stapleton & Lord @PSandL as he shares the accessibility guidelines for your university website. http://bit.ly/2zhdcIt"
"Get up to speed on GDPR and how it affects your higher ed institution and student recruitment. http://bit.ly/2YZZtRQ"
"Web governance should not be an afterthought; when it’s done right, it can actually enhance your workflow and make your job easier. http://bit.ly/33vIZU0"
"Exciting news... OmniUpdate has merged with Destiny Solutions! Learn more on our blog. http://bit.ly/332KSr8"
"Switching to a new CMS? Join our next webcast with Briana Johnson from @OSUIT to learn how to convince decentralized web content authors to tolerate the switch, actively participate, and enjoy it! http://bit.ly/2zhdcIt"
"Your website is the front door to your college or university. Your website design has to accommodate for the way that students interact with and use the information your institution provides. http://bit.ly/2P8VldR"
"Learn how a new website design and CMS helped Florida Gulf Coast University increase new visits to the school’s website with improved SEO. http://bit.ly/2ByaQq4"
"Join our next webcast with Kelly Rushing from @uofsouthalabama to learn how to create accessible PDFs for your website by starting with your source documents. http://bit.ly/2zhdcIt"
"Learn why your college or university should choose SaaS across the board, especially for your next CMS. http://bit.ly/2Iy0SZE"
"Join us for our next webcast with OmniUpdate CEO Lance Merker, who will delve into key insights about Generation Z’s online search behaviors to help you refine your school's web marketing strategy. http://bit.ly/2zhdcIt"
"Our newest guide will help you learn what it means to be accessible, how to implement accessibility best practices, quick fixes to try as well as a long-term plan, plus tools to help you in your website accessibility efforts. Download it now!"
"Are online forms more efficient? Learn how El Camino College used Formstack to create online forms that expedited processing, improved communications, increased transparency, and promoted accountability across campus. http://bit.ly/2zhdcIt"
"It's important to understand the science behind your web pages to better engage and ultimately attract prospective students to your site. http://bit.ly/2ZYK8FZ"
"If you’re struggling with web challenges such as accessibility, SEO, design consistency, workflow, content governance, or how to start a website redesign, you’re not alone. Join our next webcast to learn how other higher ed institutions…"
"eQAfy confirms that OU Campus is still the #1 commercial CMS for colleges and universities in the United States. http://bit.ly/2Lir9Mn"
"Here’s an outline of everything you need to know about OCR compliance, including what it is, what your college or university can do to stay compliant, and resources for OCR compliance. #accessibility http://bit.ly/2rcPDgG"
UWEBD has been in existence for more than 10 years and is the very best email discussion list on the Internet, in any industry, on any topic
About
© 2020 Created by Mark Greenfield.
Powered by
