What is the point of this?
JasonDFR
02-09-2009, 01:19 PM
About a week ago I started getting a ton of emails from my website's contact form like this:
From: Huruwomuzoy
Email: puguclis@gmail.com
Message:
Eduin snapped strictions upon gray banded illard
capital that would wellbutrin and toprol xl
interaction and hot decided that laughed despite
when there than spoken zyrtec pravachol nexium
yasmin our way mad dreams those still drawing the
that their what is tadalafil tab 20mg had
accompanie hreatening worse expected for poisoning
every entripolar position tussionex suspension
side effects the building moved aside the center
staggered only the riot psilocybin psilocyn based
drugs for clusters her beauty rose the arolin
sensed doers who first moment generic equivelant
for lotrel hat his met with fire has are grateful
people waited
I think I have the form locked down pretty well. At least I don't think that it can be used to send email to anyone other than me. I hope.
But what is the point of spam like this? Is someone trying to hack my form to do something other than what was intended?
I've been getting about 10 of these a day. I really would like to avoid using CAPTCHA images or anything that makes a user have to do more work to fill out the form.
What do you guys think?
Snookerman
02-09-2009, 06:33 PM
Some people are just idiots, there's nothing you can do. I would go with the captcha if I were you.
AlexAcosta
02-09-2009, 10:04 PM
some retarded playing with his new spamming "toy"
I get "weird" spam too every day
It's designed to confuse spam filters. Yes, a CAPTCHA is the way to go. Stick with a simple word-based one.
Spam puguclis@gmail.com.... :p (a simple for statement, and the mail() function)
Yeah, captcha is the way to go, use a free one. (http://www.captcha.net/)
Or rather, don't, since there's no way to tell if that is even a real email address, much less whether it actually belongs to the spammer.
Interesting, I never knew that reCAPTCHA used the input to digitise books. One has to wonder how they decide the correct answer, then... perhaps it's a dictionary-based approach, where they attempt to match the input against the original word?
JasonDFR
02-10-2009, 07:02 AM
http://www.captcha.net/images/recaptcha-example.gif
Is too much for me. I hate having to type CAPTCHAs like the above. If it was just one word it would be better.
I remember seeing someone's contact form where they asked the user to type in the answer of 2+2. Then I assume there is a server side check to make sure that input was 4.
You think this would work? I'm going to give it a shot.
djr33
02-10-2009, 08:15 AM
Off topic--
Twey, they base the quality of the information on two factors:
1. They assume you have typed the text correctly if the known word is correct-- one of the words required is already known/digitized, so if you type that one correctly, they assume you did so with the other as well; 2. they don't just rely on singular input, but ask the same word to I think at least 2 users, and if the answers conflict, it gets recirculated or something.
It may not be flawless, but it's a strong method. I'm just surprised it's all that effective, that much work gets done-- sure, it adds up, but how much in a given day is really transcribed?
A simpler approach would be to design a very basic captcha, like "check this box if you're not a bot" in order to make the bot need to adapt-- if there isn't a human coaching it along even something that simple will stop it, if you require a certain action to get it to not enter. (Perhaps with some bots "do not check this box" would work better.)
But if you want it to be really secure, there isn't much other way around it.
JasonDFR
02-10-2009, 08:46 AM
Alright, I've put a "Human Check" on the form. Before submitting, the user must answer "What is 2 + 2 ?"
As long as Twey doesn't try to use it, this should work.
I'll report back.
1. They assume you have typed the text correctly if the known word is correct-- one of the words required is already known/digitized, so if you type that one correctly, they assume you did so with the other as well; 2. they don't just rely on singular input, but ask the same word to I think at least 2 users, and if the answers conflict, it gets recirculated or something.
I see!
It may not be flawless, but it's a strong method. I'm just surprised it's all that effective, that much work gets done-- sure, it adds up, but how much in a given day is really transcribed?
Well, reCAPTCHA serve a lot of sites, including some very popular ones, so I imagine that progress is really quite substantial.
Is too much for me. I hate having to type CAPTCHAs like the above. If it was just one word it would be better.
Too much? It takes, what, perhaps a second to type two words and tab to the next field?
Alright, I've put a "Human Check" on the form. Before submitting, the user must answer "What is 2 + 2 ?"
Yes, that's what I was suggesting earlier. It should suffice in most cases.
As long as Twey doesn't try to use it, this should work.
My answer would only be considered incorrect for very large values of two.
jscheuer1
02-10-2009, 10:41 AM
Q: What's 2 + 2?
A: A sum.
JasonDFR
02-10-2009, 10:44 AM
Ok, ok: Changed to What is the sum of 2+2?
jscheuer1
02-10-2009, 10:50 AM
A: 5 - 1
'What is the sum of 2 and 2, expressed as a normalised integer in Arabic numerals?'
JasonDFR
02-10-2009, 11:05 AM
Changed again. Now reads:
"Keep in mind these guidelines when answering the following question:
1) Your answer must be numerical.
2) Your answer must be one digit in length.
3) Your answer cannot be 0, 1, 2, 3, 5, 6, 7, 8, or 9
4) Your answer must be 4
The question is in multiple choice format. You must choose one of the following 4 answers where the letter signifies the answer and the number signifies the absolute integer value the following mathematical expression evaluates to.
Expression: 2 + 2
a. 4
b. 4
c. 4
d. 4
If you chose a, b, c, or d, enter 4 in the box.
jscheuer1
02-10-2009, 02:39 PM
Just in time for his birthday:
You may fool all the people sum of the time, you can even fool sum of the people all of the time, but you cannot fool all of the people all the time.
:rolleyes:
Snookerman
02-10-2009, 04:14 PM
I would rather type in a couple of words (something I'm used to since most sites have that, many of them using reCAPTCHA) than having to calculate stuff and having to read through instructions.
Also, I think some bots can be set up to answer your question every time so if the answer is always 4, then a human (idiot spammer) can just set it up so it always answers 4. If you on the other hand have a captcha, it will always change and make it difficult/impossible for bots to spam your address. [citation needed]
So my suggestion: go with a captcha. Recommendation: reCAPTCHA
Good luck!
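An added example, not code from anyone in this thread: a server-side human check in PHP that draws a new sum for every form load, so a bot set to always answer 4 stops getting through, combined with the hidden-field trap djr33 describes. The names `CHECK_SECRET`, `CHECK_TTL`, `issue_check` and `verify_check`, and the form fields `answer`, `token` and `website`, are assumptions.

```php
<?php
// Added example; constant, function and form-field names are assumptions.
const CHECK_SECRET = 'replace-with-a-long-random-server-side-value';
const CHECK_TTL = 600; // seconds a rendered form stays valid

// Draw a fresh sum and a token that binds its answer to the issue time.
// The answer itself never appears in the page, only its HMAC.
function issue_check(?int $now = null): array {
    $now = $now ?? time();
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $mac = hash_hmac('sha256', ($a + $b) . '|' . $now, CHECK_SECRET);
    return ['question' => "What is $a + $b?", 'token' => $now . ':' . $mac];
}

// True only if the honeypot is empty, the token is fresh and the answer matches.
function verify_check(array $post, ?int $now = null): bool {
    $now = $now ?? time();
    // Honeypot: a field hidden with CSS. People leave it empty; bots that
    // fill in every field do not.
    if (($post['website'] ?? '') !== '') return false;
    $parts = explode(':', (string)($post['token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) return false;
    [$issued, $mac] = $parts;
    $issued = (int)$issued;
    if ($issued > $now || $now - $issued > CHECK_TTL) return false;
    $answer = trim((string)($post['answer'] ?? ''));
    if (!ctype_digit($answer)) return false;
    $expected = hash_hmac('sha256', (int)$answer . '|' . $issued, CHECK_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed demo submissions (not real traffic).
$form = issue_check();
sscanf($form['question'], 'What is %d + %d?', $x, $y);
$good = ['answer' => (string)($x + $y), 'token' => $form['token'], 'website' => ''];
$cases = [
    'correct answer'  => $good,
    'wrong answer'    => ['answer' => (string)($x + $y + 1)] + $good,
    'honeypot filled' => ['website' => 'http://spam.example/'] + $good,
    'token tampered'  => ['token' => '0:' . str_repeat('0', 64)] + $good,
];
foreach ($cases as $label => $post) {
    echo $label, ': ', verify_check($post) ? 'accepted' : 'rejected', "\n";
}
```

A solved token stays valid until `CHECK_TTL` expires, so this raises the cost for generic form-filling bots rather than stopping a script written for this one form. Making each token single-use needs server-side state such as the session.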
JasonDFR
02-10-2009, 05:32 PM
I just put What is 2+2?
So far so good. No spam since I did this.
jscheuer1
02-10-2009, 07:15 PM
Q: What's 4+4?
A: All wheel drive with all wheel anti-lock braking.
Snookerman
02-10-2009, 07:33 PM
http://answers.yahoo.com/question/index?qid=20090118005328AAG89xT
jscheuer1
02-10-2009, 08:09 PM
http://answers.yahoo.com/question/index?qid=20090118005328AAG89xT
I didn't realize spam bots had such ready resources.
Now that would be amusing... a spam-bot that used Yahoo! Answers to defeat CAPTCHAs... *considers coding it just for humour value*
JasonDFR
02-11-2009, 06:11 AM
I didn't realize spam bots had such ready resources.
Hehe. That's funny.