Question on Form Spam

  • Question

  • Hello guys,

    I know a bit of information on form spam. There are bots that read forms and send spam. And if you have a "send email to friend" form using PHP, the bots can send spam to other people using your form. I have read about some spam prevention methods. But I don't know how bots work, so I can't figure out which prevention works best.

    Does anyone have a link or brief summary on how the bots work?


    How does a bot read the form and save it to send spam remotely?

    What kind of info is a bot capable of reading: a field, an auto-generated number, a hidden field, in-page scripts, remote scripts, images, or others?

    After the bot reads the form, how does it keep sending spam?


    Also, a related question: I keep getting that "ViAgrA" spam on my Pecbell/Yahoo account (not the form account, just a personal account). It is sent from different users, with different subjects and different content, but basically it is the same spam with minor differences. What should I do to fix that? It is extremely annoying. If I freeze my account and reactivate it, will they still send it to me?


    Thank you for the help.

    Monday, April 2, 2007 8:33 PM

Answers

  • Bots are typically hand-tweaked for each different application.  There isn't a lot of variance, though.  In many cases, all it has to do is send a form submission with proper field names and values provided; it doesn't necessarily need to read the original HTML at all.


    That's actually key to defeating them... add information to the form that the bots can't easily read.  A basic thing is to vary the field names.  More advanced strategies include a "CAPTCHA" filter--an image with text the user must interpret to submit a message.  Advanced bots can defeat these with OCR software.  So the CAPTCHA must be upgraded to mangle the image to thwart OCR software while still enabling humans to read it.  It's an arms race, really.


    Regarding your email account, once the spammers know your email address, it'll be spammed until the end of time, even if it is inactive or deleted.  The cost of sending a spam message is virtually zero, so there's no reason not to carpet bomb the whole internet with every spamming campaign.


    -Ryan / Kardax

    Tuesday, April 3, 2007 6:52 PM
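As an added example (not code from this thread), here is one way to implement the "vary the field names" defense Ryan describes: every rendered form gets a token, and the real field names are derived from that token with a server-side secret, so a bot that posts a fixed set of field names without fetching the page is rejected. It is written in Python rather than the asker's PHP, and assumes a server-held secret and a 10-minute form lifetime; the field list and the `/send.php` action are placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key (constructed here; a real deployment loads it from config).
SECRET = secrets.token_bytes(32)
FIELDS = ("name", "friend_email", "message")   # the form's logical fields
TOKEN_TTL = 600                                 # seconds a rendered form stays valid


def field_names(token):
    """Derive an unguessable, token-specific input name for each logical field."""
    return {f: "f_" + hmac.new(SECRET, f"{token}:{f}".encode(), hashlib.sha256).hexdigest()[:16]
            for f in FIELDS}


def issue_form():
    """Mint a fresh token (issue time + nonce) and the field names bound to it."""
    token = f"{int(time.time())}.{secrets.token_hex(8)}"
    return token, field_names(token)


def render_form(action="/send.php"):
    """HTML for one form instance; the token travels in a hidden field."""
    token, names = issue_form()
    rows = [f'<form method="post" action="{action}">',
            f'<input type="hidden" name="t" value="{token}">']
    rows += [f'<label>{f}: <input name="{names[f]}"></label>' for f in FIELDS]
    rows.append("<button>Send</button></form>")
    return "\n".join(rows)


def parse_submission(post, now=None):
    """Map a POST body back to logical fields, or return None when it does not
    match a form this server rendered recently (static or unknown names,
    stale or forged token, extra or missing fields)."""
    token = post.get("t", "")
    stamp, _, nonce = token.partition(".")
    if not (stamp.isdigit() and nonce):
        return None
    now = time.time() if now is None else now
    if not 0 <= now - int(stamp) <= TOKEN_TTL:
        return None
    names = field_names(token)
    if set(post) - {"t"} != set(names.values()):
        return None
    return {f: post[n] for f, n in names.items()}
```

This stops bots that replay a fixed field set; one that re-fetches the form before each post still gets valid names, which is the next round of the arms race Ryan mentions and calls for a CAPTCHA or rate limiting on top.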

All replies

  • Thank you for your help. I will try my own form submission and test it out. The part I don't understand is how the form identifies where the destination website is. Maybe the form ID contains the website address? Ehhee, I will figure that out myself, hopefully not too difficult.


    My company is using SalesForce. It has a web-form-to-case feature to convert the request into our Support Database. Based on a field "FromPage:" with the value Career, Feedback, Support, etc., the case will be assigned to a different employee. I think this way is pretty cool because if the spam uses an invalid value for the filter, the case will be assigned to a guy to deal with it. But since the HTML embeds those values for the field "FromPage:" in the page, will the bot be able to recognize that value and spam us? I have a feeling the bot can do it, ouch.


    Too bad about that spam to my email address. Instead of fixing it, I think I will just delete the account and get a different one.

    Tuesday, April 3, 2007 8:49 PM