Reputation: 51
I have taken over the maintenance of a website which was built by someone else. This site is mainly HTML/CSS; however, it uses the odd JavaScript code along with PHP which was implemented by a back-end programmer who was contracted in.
The issue I'm having is this - the site consists of a lot of pages, each one with its own unique e-mail form. Each one of these forms was created without concern for spam. Now these forms are receiving a ton of spam, and I am expected to rectify the issue (regardless of the fact that I am neither a JavaScript nor a PHP programmer). I need some help, as I can't try and guesstimate a solution due to the importance of this e-mail system.
I'm hoping I can post the code up and have someone guide me through the process of implementing a honeypot or an easy mathematical equation (I know that isn't 100% foolproof, but these are just poorly made spambots, and this site likely won't be actively targeted).
The Form Page: This page consists of some PHP, some JavaScript, but mostly just content, which I will avoid posting as it is of little importance. However, I'll post the scripts in order. (Also, the productformvalidation.js file is a simple JavaScript script that throws pop-up messages if the e-mail/phone number doesn't have the correct characters. I can provide that too if necessary.)
<?php
/* validation function for when they press the submit button */
function validateFields($fields, $form_vars) {
    $errors = array();
    foreach ($fields as $field_name => $error_msg) {
        $value_entered = trim(@$form_vars[$field_name]);
        if (empty($value_entered)) {
            $errors[$field_name] = $error_msg;
        }
    }
    return $errors;
}
function safe($str) { return htmlentities(strip_tags($str)); }
?>
<head>
<script type="text/javascript" src="js/productFormValidation.js"></script>
</head>
<body>
<div class="contact_links">
<form name="contact" method="post" action="/sendmail/send-mail-start.php" enctype="multipart/form-data" onsubmit="return checkForm(this);">
<label>Name: (required) </label><input class="input1" id="name" name="name" type="text" value="" />
<label>Email: (required) </label><input class="input1" id="email" name="email" type="text" value="" /><br />
<label>Phone: (required) </label><input class="input1" id="phone" name="phone" type="text" value="" />
<label>Company: (required) </label><textarea class="input2" name="comments" id="comments" cols="" rows="1"></textarea><br />
<input type="image" src="images/individualProducts/submit.png" alt="" value="" class="submit" />
</form>
<!-- INDIVIDUAL CONTACT LINK ENDS --></div>
</body>
The "Action" Page:
<?php
$date1 = date("F d,Y");
$nameField    = $_POST['name'];
$companyField = $_POST['company'];
$countryField = $_POST['country'];
$stateField   = $_POST['state'];
$emailField   = $_POST['email'];
$phoneField   = $_POST['phone'];
$urlField     = $_POST['url'];
$messageField = nl2br($_POST['comments']);
$body = "
$body is followed by the table setup which contains the code. Basically just font-specifications, padding etc.
//$from=$firstNameField;
$sub  = "Contact Form - From the Start Page" . $titleField;  // $titleField is not set anywhere in the code shown
$name = $firstNameField . "< " . $emailField . " >";          // $firstNameField is not set either; the form posts 'name' into $nameField
$to   = "[email protected]";
// Note: $emailField goes straight into the From: header unchecked, so a submitted
// value containing line breaks could add further mail headers to the message.
if (mail($to, $sub, $body, "From:" . $name . "\nContent-Type: text/html; charset=iso-8859-1")) {
    print "<meta http-equiv=\"refresh\" content=\"3;URL=/start.php\">";
} else {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
}
?>
That is then followed by the HTML that basically thanks them for contacting. So these are the scripts involved.
I'd be able to implement CAPTCHA myself had I created the site myself, simply by finding the right guide and following the steps. Unfortunately someone else has organized this mail structure, and I'm forced to work with a setup I don't fully understand - nor did I learn to understand. I get syntax errors, I'm not sure where to paste pieces of code etc.
I need someone who can see what I've got on my plate, that understands what is happening, to help me implement a simple spam solution that will prevent the annoying bot mail from happening.
Also - reCaptcha is not an option due to its size and difficulty reading.
Thank you in advance.
Upvotes: 0
Views: 398
Reputation: 3
Another simple method is to capture the time the page loads and compare it to the time the form was submitted. If the difference was too short, exit the page. Spambots are quick; people are slow. Spambots may figure out various fields - even do math - but they are never going to wait around for more than a few seconds.
It takes only two lines, one in the form:
<input name="timeloaded" type="hidden" value="<?php echo time();?>" />
and one in the form processing code:
if (!(is_numeric($_POST['timeloaded'])) || time() - $_POST['timeloaded'] < 30) {
    header("Location: index.php");
    exit;
}
This one is for a form that no human can fill out in less than 30 seconds. Change that for the length of form you use.
Upvotes: 0
Reputation: 647
A quick (but not perfect) solution would be to add a hidden field that bots would fill out (call it "username" and hide it with CSS), and cancel submission if this field has content. That would at least remove a lot of the spam submissions.
Your form would look something like this:
<form name="contact" method="post" action="/sendmail/send-mail-start.php" enctype="multipart/form-data" onsubmit="return checkForm(this);">
<label>Name: (required)</label>
<input class="input1" id="name" name="name" type="text" value="" />
<label class="hidethis">Username: (required)</label>
<input class="input1 hidethis" id="username" name="username" type="text" value="" />
<label>Email: (required)</label>
<input class="input1" id="email" name="email" type="text" value="" />
<br />
<label>Phone: (required)</label>
<input class="input1" id="phone" name="phone" type="text" value="" />
<label>Company: (required) </label>
<textarea class="input2" name="comments" id="comments" cols="" rows="1">
</textarea>
<br />
<input type="image" src="images/individualProducts/submit.png" alt="" value="" class="submit" />
</form>
and /sendmail/send-mail-start.php would begin like this:
<?php
if($_POST['username']!= "") {die("No spam");}
$date1=date("F d,Y");
$nameField=$_POST['name'];
$companyField=$_POST['company'];
$countryField=$_POST['country'];
... // Rest of your code
Upvotes: 1
Reputation: 3026
In addition to a hidden field as mentioned in the other answers here, you could also add a disabled attribute to the submit button, then enable it on document ready with JavaScript.
This works mainly because most bots aren't javascript enabled. Additionally, to hinder the ones that are, you can set a 1-2 second timeout before removing the 'disabled' attribute.
Upvotes: 0
Reputation: 1710
To prevent spam-bots from abusing my forms on my website, I used a relatively simple trick (described here by the way: http://www.sitepoint.com/easy-spam-prevention-using-hidden-form-fields/); first, add an additional input field to each form, for example:
<span class="hide"><label>Username: (required) </label><input name="Username" type="text" value="" /></span>
Then hide the field using CSS (that's why I wrapped it in a span); spam-bots generally ignore CSS, so they won't notice it's hidden:
.hide { display: none; }
Last but not least, check in the PHP code (before you send the data in an email!) whether the new input-field was filled out when someone submits the form, so for example:
if ($_POST['Username']) {
    echo('F*** off you nasty spam-bot.');
    return false;
}
It's not perfect by far, but it's helped me a lot ^^
Upvotes: 0
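As an added example that is not code from the question or from any of the answers, the following combines the two checks discussed in this thread, the "timeloaded" stamp from the first answer and the hidden "username" honeypot from the later ones, into a single function for the top of send-mail-start.php; the 30-second and one-day thresholds and the headerSafe() helper are assumptions, not anything the posters wrote.

```php
<?php
// Added example: not from the question or answers. Combines the "timeloaded"
// stamp (first answer) and the hidden "username" honeypot (other answers).
// $minSeconds / $maxSeconds are assumed tuning values.
function isSpamSubmission(array $post, int $minSeconds = 30, int $maxSeconds = 86400): bool
{
    // Honeypot: a browser submits the hidden field empty. Use isset() so a
    // POST that omits the field entirely (a bot replaying only the fields it
    // knows about) is also rejected, and no PHP notice is raised.
    if (!isset($post['username']) || $post['username'] !== '') {
        return true;
    }
    // Time check: reject when the stamp is missing, non-numeric, too recent
    // (filled faster than a person could) or too old / in the future (a
    // stale or forged value).
    if (!isset($post['timeloaded']) || !ctype_digit((string) $post['timeloaded'])) {
        return true;
    }
    $age = time() - (int) $post['timeloaded'];
    return $age < $minSeconds || $age > $maxSeconds;
}

// Hypothetical helper: the form's name and e-mail go into the From: header,
// so strip line breaks to stop a submitted value adding extra mail headers.
function headerSafe(string $value): string
{
    return str_replace(["\r", "\n"], '', trim($value));
}

// Usage at the top of send-mail-start.php, before mail() is called.
if (isSpamSubmission($_POST)) {
    header('Location: index.php');
    exit;
}
$nameField  = headerSafe($_POST['name'] ?? '');
$emailField = headerSafe($_POST['email'] ?? '');
if (filter_var($emailField, FILTER_VALIDATE_EMAIL) === false) {
    header('Location: error.php');
    exit;
}
```

The form itself still needs the hidden "timeloaded" and "username" inputs shown in the answers above, and the honeypot input should carry autocomplete="off" and tabindex="-1" so that browser autofill or a keyboard user tabbing through the form does not fill it.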