Paul Payne

Reputation: 19

Web form using PHP is sending spam even with CAPTCHA

I have a form on my website that has started sending through a lot of spam even though the Captcha on it works.

I have noticed that the spammer (trying to put links up to cheap training shoes even though our form is not posted to a blog) uses the captcha text repeatedly in filling out the form.

I would like a way to check if an entry is the same for three form fields and reject the mail at that point. It has got to the point where we are missing genuine enquiries.

I tried the check-for-blank-hidden-field way of detecting spam and this did not work.

I use a standard script using a public domain image generator called CaptchaSecurityImages.php which has worked well up till now. Here is an example of the SPAM:

Submit: Submit    
Name: T Shirt Women Summer    
Email: *******@gmail.com   
Address Line 1: ksjj22   
Address Line 2: ksjj22   
Town: ksjj22    
City: ksjj22    
Postcode: ksjj22    
Telephone: ksjj22    
Make: ksjj22    
Model: ksjj22   
Registration: ksjj22
Collection Date: ksjj22
Security code: ksjj22
Other information: Great post but I was wanting to know if you could write a litte more on this topic? I'd be very grateful if you could elaborate a little bit further. Cheers!
<a href="spam web address" >T Shirt Women Summer</a> [url=spam web address]T Shirt Women Summer[/url]

Any help gratefully received.

Upvotes: 1

Views: 1258

Answers (3)

Paul Payne

Reputation: 19

I ended up using the following code to detect the spam submissions. For the problem we have been having, which seems to be one or two actual people entering information into the form on our site, the following identifies the use of the captcha code in the phone field (it was being used for most fields) and dumps the script out, preventing our inbox getting filled with SPAM (hopefully the spammer does not know this is the case).

<?php
$Telephone     = isset($_POST['Telephone'])     ? $_POST['Telephone']     : '';
$Security_code = isset($_POST['security_code']) ? $_POST['security_code'] : '';

// The spammer pastes the captcha text into most fields, so a phone number
// identical to the security code is treated as spam and the script stops
if ($Telephone == $Security_code) {
    header("Location: /");
    exit;   // without this the mail would still be sent after the redirect header
} else {
    // ... normal processing and sending of the enquiry continues here
}

Upvotes: 0
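The question asks for a check that rejects the mail when the same entry appears in three fields, while the answer above only compares the phone field with the captcha. The following is an added example, not the poster's code, that generalises both checks to every text field on the form: it flags a submission when any value is repeated across three or more fields, or when the captcha answer has been pasted into another field. It assumes PHP 7.1 or later; the field names (Address1, CollectionDate and so on) and the two sample submissions are constructed, since the page only shows the labels.

```php
<?php
// Added example: reject a submission when one value fills three or more fields,
// which is the pattern in the spam shown in the question ("ksjj22" everywhere).

/**
 * Return a value that occurs in at least $threshold of the given fields,
 * or null if no value repeats that often.
 */
function find_repeated_value(array $post, array $fields, int $threshold = 3): ?string
{
    $counts = [];
    foreach ($fields as $field) {
        if (!isset($post[$field])) {
            continue;
        }
        // Normalise so that "ksjj22 " and "KSJJ22" count as the same value
        $value = strtolower(trim((string) $post[$field]));
        if ($value === '') {
            continue;          // empty optional fields are not evidence of spam
        }
        $counts[$value] = ($counts[$value] ?? 0) + 1;
        if ($counts[$value] >= $threshold) {
            return $value;
        }
    }
    return null;
}

/**
 * True when the submission should be treated as spam: a value is repeated
 * across three or more fields, or the captcha answer was pasted into
 * another field (the check from the answer above, applied to every field).
 */
function looks_like_spam(array $post, array $fields): bool
{
    if (find_repeated_value($post, $fields) !== null) {
        return true;
    }
    $code = strtolower(trim((string) ($post['security_code'] ?? '')));
    if ($code === '') {
        return false;
    }
    foreach ($fields as $field) {
        if (strtolower(trim((string) ($post[$field] ?? ''))) === $code) {
            return true;
        }
    }
    return false;
}

// Fields from the form in the question (names assumed); the captcha field
// itself is excluded from the repetition count
$checked_fields = ['Name', 'Address1', 'Address2', 'Town', 'City', 'Postcode',
                   'Telephone', 'Make', 'Model', 'Registration', 'CollectionDate'];

// Constructed sample submissions standing in for $_POST
$spam = ['Name' => 'T Shirt Women Summer', 'Address1' => 'ksjj22', 'Town' => 'ksjj22',
         'Telephone' => 'ksjj22', 'security_code' => 'ksjj22'];
$real = ['Name' => 'A Customer', 'Address1' => '1 High Street', 'Town' => 'Leeds',
         'Telephone' => '0113 000000', 'security_code' => 'ab3kz'];

echo 'spam sample: ', looks_like_spam($spam, $checked_fields) ? "rejected\n" : "accepted\n";
echo 'real sample: ', looks_like_spam($real, $checked_fields) ? "rejected\n" : "accepted\n";

// In the live handler:
// if (looks_like_spam($_POST, $checked_fields)) { header('Location: /'); exit; }
```

Trimming and lower-casing before comparing matters: the spam in the question has trailing spaces after most values, so an exact string comparison would miss some of the repeats. Keep the captcha field out of the repetition list, otherwise a legitimate user who happens to type the same short token twice could be caught as well.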

Martin Tournoij

Reputation: 27852

I use a standard script using a public domain image generator called CaptchaSecurityImages.php

The more widespread your Turing test, the more chance a bot has explicitly targeted it, and is able to break it. Image recognition scripts are surprisingly advanced, and are getting more advanced all the time. Making an image "hard" to read for a computer is surprisingly difficult in 2014.

What I have done on several small websites, is to do:

Please enter the number 42 here to prove you're a human: [   ]

This has worked surprisingly well, so far. In the code, all you need to do is check if the number matches, so it's very easy to implement, and will work for all your customers (including those who may be blind, or have other accessibility needs), which is not always the case with image-based Turing tests ("CAPTCHA" being the hip word I believe).

This works because parsing a line of text, figuring out the meaning, and giving the correct answer, is still a hard problem for computers (although this may change in the future), so even a very simple question such as this will suffice.

You could also expand on this, and ask simple questions, such as "What year is it", or "how much is six by seven". You want to make sure that your target audience has a good chance of actually knowing the answer.

You can, of course, alternate between all of this randomly. So far, I haven't had a need to do this, though, and I would recommend starting by just asking the simple question.

Note that this will only work for comparatively small websites. As soon as your website or product reaches a certain size, it becomes interesting enough to target explicitly; at which point a human sits down, and writes a bot to answer all the questions you've written down.
However, from your description I think your website is "small enough" for this.

Upvotes: 3
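The "please enter the number 42" check, and the suggestion to alternate between several simple questions, as an added example that is not from the answer above. The question pool is constructed, the expected answers are kept server-side in the session rather than in a hidden field (a hidden field would hand the answer to the bot), each issued question is accepted once, and the comparison tolerates spacing and case. PHP 7.1 or later is assumed; an array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example: text-question challenge with the answer stored server-side.

// Question pool: each entry lists every answer accepted for it (constructed)
const CHALLENGES = [
    'Please enter the number 42 here to prove you are a human' => ['42'],
    'How much is six times seven?'                              => ['42', 'forty two', 'forty-two'],
    'What colour is the sky on a clear day?'                    => ['blue'],
];

/** Pick a question at random, remember its accepted answers in $store, return the question text. */
function issue_challenge(array &$store): string
{
    $questions = array_keys(CHALLENGES);
    $question  = $questions[random_int(0, count($questions) - 1)];
    $store['challenge_answers'] = CHALLENGES[$question];
    return $question;
}

/** Normalise user input so "Forty  Two " matches "forty two". */
function normalise_answer(string $input): string
{
    return strtolower(trim(preg_replace('/\s+/', ' ', $input)));
}

/**
 * Verify the posted answer against the question that was issued. The stored
 * answer is cleared whether or not the check passes, so a correct answer
 * cannot simply be replayed with every submission.
 */
function verify_challenge(array &$store, string $posted): bool
{
    $accepted = $store['challenge_answers'] ?? null;
    unset($store['challenge_answers']);
    if ($accepted === null) {
        return false;               // no question was issued for this session
    }
    $given = normalise_answer($posted);
    foreach ($accepted as $answer) {
        if (hash_equals(normalise_answer($answer), $given)) {
            return true;
        }
    }
    return false;
}

// --- Demonstration with an array standing in for $_SESSION ----------------
$session  = [];
$question = issue_challenge($session);            // render this next to the input
echo "Question shown to the user: $question\n";

$correct = CHALLENGES[$question][0];              // constructed "user" knows the answer
echo 'right answer, typed untidily: ',
     verify_challenge($session, strtoupper(" $correct ")) ? "accepted\n" : "rejected\n";
echo 'same answer replayed:         ',
     verify_challenge($session, $correct) ? "accepted\n" : "rejected\n";

issue_challenge($session);
echo 'wrong answer:                 ',
     verify_challenge($session, 'banana') ? "accepted\n" : "rejected\n";

// In the live page: session_start(); $q = issue_challenge($_SESSION); print $q in
// the form, then on POST: if (!verify_challenge($_SESSION, $_POST['answer'] ?? '')) { ... }
```

Because the question is stored in the session, the bot has to fetch the form page and keep the cookie before posting, which on its own defeats the submit-only scripts that fill every field with the same string. As the answer notes, a bot written specifically for one site will still answer a fixed pool of questions, so this is worth pairing with a repetition or honeypot check rather than relying on it alone.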

Roger

Reputation: 3256

You may also want to implement a HoneyPot. The honeypot's main idea is to have an empty input form field that is hidden. Spam bots will fill out every input field with some value even if it's hidden with CSS. You can then call isempty() in your PHP submit form. If it's not empty, then you have spam. This is a hassle-free alternative to captcha.

At any rate, this does not prevent attackers from spamming if they set up a bot specifically for your site. If you still receive attacks, grab the IP address of the one sending the information, then block them if they post more than 5 times. And if you have the IP address of a repeated offender, you can block that IP address from accessing the site at all.

Upvotes: 3
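The honeypot field and the "block after 5 posts" idea from the answer above, as an added example that is not the answer's own code. The honeypot is a normal text input hidden with CSS rather than a type="hidden" input, so a bot that fills every visible-in-markup field still fills it while a person never sees it. Submission counts per address are kept in a small JSON file under an exclusive lock; the field name, the counter file path, the one-hour window and the sample address 203.0.113.7 are all assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: honeypot check plus a per-IP submission counter.

const HONEYPOT_FIELD = 'website';     // plausible to a bot, invisible to humans (assumed name)
const MAX_POSTS      = 5;             // the answer suggests blocking after 5 posts
const WINDOW_SECONDS = 3600;          // counts reset after an hour (assumed)
const COUNTER_FILE   = '/tmp/form_post_counts.json';   // assumed path

/** Form markup for the honeypot: moved off-screen by CSS so humans leave it empty. */
function honeypot_html(): string
{
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Website <input type="text" name="' . HONEYPOT_FIELD
         . '" tabindex="-1" autocomplete="off"></label></div>';
}

/** True if the hidden field was filled in, i.e. the form was not submitted by a person. */
function honeypot_triggered(array $post): bool
{
    return isset($post[HONEYPOT_FIELD]) && trim((string) $post[HONEYPOT_FIELD]) !== '';
}

/**
 * Record one submission from $ip and return true when this address has now
 * exceeded MAX_POSTS within WINDOW_SECONDS. The file is locked while it is
 * read and rewritten so concurrent submissions do not lose counts.
 */
function over_rate_limit(string $ip, string $file = COUNTER_FILE, ?int $now = null): bool
{
    $now = $now ?? time();
    $fh  = fopen($file, 'c+');          // create if missing, do not truncate
    if ($fh === false) {
        return false;                   // cannot track: fail open, but log this in practice
    }
    flock($fh, LOCK_EX);
    $raw    = stream_get_contents($fh);
    $counts = $raw === '' ? [] : (json_decode($raw, true) ?: []);

    // Drop entries whose window has expired, then count this attempt
    foreach ($counts as $addr => $entry) {
        if ($entry['first'] + WINDOW_SECONDS < $now) {
            unset($counts[$addr]);
        }
    }
    if (!isset($counts[$ip])) {
        $counts[$ip] = ['first' => $now, 'n' => 0];
    }
    $counts[$ip]['n']++;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($counts));
    flock($fh, LOCK_UN);
    fclose($fh);

    return $counts[$ip]['n'] > MAX_POSTS;
}

// --- Demonstration with constructed input -------------------------------
$tmp   = tempnam(sys_get_temp_dir(), 'posts');
$bot   = ['Name' => 'T Shirt Women Summer', HONEYPOT_FIELD => 'http://example.invalid'];
$human = ['Name' => 'A Customer', HONEYPOT_FIELD => ''];
echo 'bot submission:   ', honeypot_triggered($bot)   ? "rejected\n" : "accepted\n";
echo 'human submission: ', honeypot_triggered($human) ? "rejected\n" : "accepted\n";

// Six posts from the same constructed address: the sixth crosses the limit of 5
for ($i = 1; $i <= 6; $i++) {
    $blocked = over_rate_limit('203.0.113.7', $tmp);
    echo "post $i from 203.0.113.7: ", $blocked ? "blocked\n" : "allowed\n";
}
unlink($tmp);

// In the live handler:
// if (honeypot_triggered($_POST) || over_rate_limit($_SERVER['REMOTE_ADDR'])) {
//     header('Location: /'); exit;
// }
```

Two points worth keeping in mind when wiring this in: take the address from $_SERVER['REMOTE_ADDR'] rather than from a header such as X-Forwarded-For unless a trusted proxy sets it, since a client can put anything in a request header; and give the honeypot a label and tabindex="-1" so screen-reader users and keyboard users, who may not be affected by the CSS, are not tricked into filling it and being rejected.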
