
Thread: What is the point of this?

  1. #1
    Join Date
    Apr 2008
    Location
    Limoges, France
    Posts
    395
    Thanks
    13
    Thanked 61 Times in 61 Posts

    Default What is the point of this?

    About a week ago I started getting a ton of emails from my website's contact form like this:

    From: Huruwomuzoy

    Email: puguclis@gmail.com

    Message:

    Eduin snapped strictions upon gray banded illard
    capital that would wellbutrin and toprol xl
    interaction and hot decided that laughed despite
    when there than spoken zyrtec pravachol nexium
    yasmin our way mad dreams those still drawing the
    that their what is tadalafil tab 20mg had
    accompanie hreatening worse expected for poisoning
    every entripolar position tussionex suspension
    side effects the building moved aside the center
    staggered only the riot psilocybin psilocyn based
    drugs for clusters her beauty rose the arolin
    sensed doers who first moment generic equivelant
    for lotrel hat his met with fire has are grateful
    people waited


    I think I have the form locked down pretty well. At least I don't think that it can be used to send email to anyone other than me. I hope.

    But what is the point of spam like this? Is someone trying to hack my form to do something other than what was intended?

    I've been getting about 10 of these a day. I really would like to avoid using CAPTCHA images or anything that makes a user have to do more work to fill out the form.

    What do you guys think?

  2. #2
    Join Date
    Oct 2008
    Location
    Sweden
    Posts
    2,023
    Thanks
    17
    Thanked 319 Times in 318 Posts
    Blog Entries
    3

    Default

    Some people are just idiots, there's nothing you can do. I would go with the captcha if I were you.

  3. #3
    Join Date
    Feb 2009
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    some retarded playing with his new spamming "toy"
    I get "weird" spam too every day

  4. #4
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    It's designed to confuse spam filters. Yes, a CAPTCHA is the way to go. Stick with a simple word-based one.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  5. #5
    Join Date
    Jan 2008
    Posts
    4,168
    Thanks
    28
    Thanked 628 Times in 624 Posts
    Blog Entries
    1

    Default

    Spam puguclis@gmail.com.... (a simple for statement, and the mail() function)

    Yeah, captcha is the way to go, use a free one.
    Jeremy | jfein.net

  6. #6
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    Or rather, don't, since there's no way to tell if that is even a real email address, much less whether it actually belongs to the spammer.

    Interesting, I never knew that reCAPTCHA used the input to digitise books. One has to wonder how they decide the correct answer, then... perhaps it's a dictionary-based approach, where they attempt to match the input against the original word?
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  7. #7
    Join Date
    Apr 2008
    Location
    Limoges, France
    Posts
    395
    Thanks
    13
    Thanked 61 Times in 61 Posts

    Default



    Is too much for me. I hate having to type CAPTCHAs like the above. If it was just one word it would be better.

    I remember seeing someone's contact form where they asked the user to type in the answer of 2+2. Then I assume there is a server side check to make sure that input was 4.

    You think this would work? I'm going to give it a shot.

  8. #8
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Off topic--
    Twey, they base the quality of the information on two factors:
    1. They assume you have typed the text correctly if the known word is correct-- one of the words required is already known/digitized, so if you type that one correctly, they assume you did so with the other as well; 2. they don't just rely on singular input, but ask the same word to I think at least 2 users, and if the answers conflict, it gets recirculated or something.
    It may not be flawless, but it's a strong method. I'm just surprised it's all that effective, that much work gets done-- sure, it adds up, but how much in a given day is really transcribed?


    A simpler approach would be to design a very basic captcha, like "check this box if you're not a bot" in order to make the bot need to adapt-- if there isn't a human coaching it along even something that simple will stop it, if you require a certain action to get it to not enter. (Perhaps with some bots "do not check this box" would work better.)
    But if you want it to be really secure, there isn't much other way around it.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  9. #9
    Join Date
    Apr 2008
    Location
    Limoges, France
    Posts
    395
    Thanks
    13
    Thanked 61 Times in 61 Posts

    Default

    Alright, I've put a "Human Check" on the form. Before submitting, the user must answer "What is 2 + 2 ?"

    As long as Twey doesn't try to use it, this should work.

    I'll report back.
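
The server-side "2 + 2" check described in posts #7 and #9, with a hidden-field variant of the "do not check this box" idea from post #8, as an added example that is not code from any poster in this thread. Field names, addresses and the sample submissions are assumptions constructed for illustration; the check for line breaks in header-bound fields is what keeps such a form from mailing anyone but its owner.

```php
<?php
// Added example; field names and addresses are assumptions, not from the thread.
const RECIPIENT = 'owner@example.com';   // fixed: never taken from the request

// $expected is the answer to the question shown to this visitor, kept
// server-side (e.g. in $_SESSION) rather than in a hidden form field.
function check_contact(array $post, string $expected): array
{
    $f = [];
    foreach (['name', 'email', 'message', 'human', 'website'] as $k) {
        $f[$k] = (isset($post[$k]) && is_string($post[$k])) ? trim($post[$k]) : '';
    }
    $errors = [];
    // Honeypot: "website" is hidden from people with CSS, so only a bot
    // that fills in every input sends a value for it.
    if ($f['website'] !== '') {
        $errors[] = 'honeypot filled';
    }
    // "What is 2 + 2 ?" checked on the server, never in client-side script.
    if ($f['human'] !== $expected) {
        $errors[] = 'human check failed';
    }
    // A CR or LF in a value placed in a mail header would let the sender
    // add headers of their own, so reject it outright.
    foreach (['name', 'email'] as $k) {
        if (preg_match('/[\r\n]/', $f[$k])) {
            $errors[] = "line break in $k";
        }
    }
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    if ($f['message'] === '') {
        $errors[] = 'empty message';
    }
    return [$errors, $f];
}
// Constructed sample submissions.
$samples = [
    'visitor'   => ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hello', 'human' => '4', 'website' => ''],
    'form bot'  => ['name' => 'Huru', 'email' => 'x@example.com', 'message' => 'pills', 'human' => '', 'website' => 'http://spam.example'],
    'injection' => ['name' => 'Bob', 'email' => "bob@example.com\r\nBcc: other@example.net", 'message' => 'Hi', 'human' => '4', 'website' => ''],
];
foreach ($samples as $label => $post) {
    [$errors, $f] = check_contact($post, '4');
    echo $label, ': ', $errors ? implode(', ', $errors) : 'accepted', "\n";
    // When accepted, send to RECIPIENT only and keep the visitor's name and
    // address in the message body, not in the headers passed to mail().
}
```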

  10. #10
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    > 1. They assume you have typed the text correctly if the known word is correct-- one of the words required is already known/digitized, so if you type that one correctly, they assume you did so with the other as well; 2. they don't just rely on singular input, but ask the same word to I think at least 2 users, and if the answers conflict, it gets recirculated or something.
    I see!
    > It may not be flawless, but it's a strong method. I'm just surprised it's all that effective, that much work gets done-- sure, it adds up, but how much in a given day is really transcribed?
    Well, reCAPTCHA serve a lot of sites, including some very popular ones, so I imagine that progress is really quite substantial.
    > Is too much for me. I hate having to type CAPTCHAs like the above. If it was just one word it would be better.
    Too much? It takes, what, perhaps a second to type two words and tab to the next field?
    > Alright, I've put a "Human Check" on the form. Before submitting, the user must answer "What is 2 + 2 ?"
    Yes, that's what I was suggesting earlier. It should suffice in most cases.
    > As long as Twey doesn't try to use it, this should work.
    My answer would only be considered incorrect for very large values of two.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
