Abzetdin Adamov's IT Blog

IT is about doing more with less!

Archive for January, 2012

How to prevent robots (spambots) from automatically spamming up your WEB Form?

Posted by Abzetdin Adamov on January 12, 2012

Randomized field names to prevent spambots from automatically submitting your form

The growth of the Internet has amplified its security problems and, unfortunately, increased the number of dishonest users who put technology to improper use. At the same time, the interactive nature of the Web multiplies their opportunities. The main purpose of spambots is to spread unsolicited content, mostly for advertising.

So, how do you prevent spambots from automatically submitting your web form? It is quite an old problem and has several solutions:

1. The most common and effective approach is a CAPTCHA. Many people give up on a form because they don't want to fill in an extra field or find the symbols too hard to recognize. A CAPTCHA is also not always good at keeping spam away, because software can already recognize letters as well as humans do. Sometimes developers try to make a CAPTCHA harder for spambots and in fact only make it harder for humans to read (for example, low text-to-background contrast or a bad color combination does nothing to stop a computer, which in this respect has plenty of advantages over a human).

2. A text-based logical CAPTCHA is another method, though it is only a slightly different take on the common image-based CAPTCHA. The idea is that the web form shows an instruction and a human is expected to enter data according to it, for example "If tomorrow is Monday, what day is today?" or "Enter the third word of this sentence."
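The following is an added example of such a text-based challenge, not code from the original post. It generates one of the two question types mentioned above on the server, keeps the expected answer in the session rather than in the form, and compares the submitted answer against it; the function names, session key and constructed sentences are this example's own assumptions.

```php
<?php
// Added example: text-based logical challenge with the answer kept server-side.
// Function names, the session key and the sample sentences are assumptions.
session_start();

// Build a random challenge and remember its answer in the session.
function makeChallenge() {
    $days = array('Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday');
    if (random_int(0, 1) === 0) {
        // "If tomorrow is X, what day is today?": today is one day before X
        $i = random_int(0, 6);
        $question = "If tomorrow is {$days[$i]}, what day is today?";
        $answer = $days[($i + 6) % 7];
    } else {
        // "Enter the Nth word of this sentence." over a few constructed sentences
        $sentences = array(
            'the quick brown fox jumps over the lazy dog',
            'good fences make good neighbours',
            'every cloud has a silver lining',
        );
        $words = explode(' ', $sentences[random_int(0, count($sentences) - 1)]);
        $n = random_int(1, count($words));
        $ordinal = array(1 => 'first', 'second', 'third', 'fourth', 'fifth',
                         'sixth', 'seventh', 'eighth', 'ninth');
        $question = "Enter the {$ordinal[$n]} word of this sentence: \""
                  . implode(' ', $words) . "\"";
        $answer = $words[$n - 1];
    }
    $_SESSION['challenge_answer'] = $answer;
    return $question;
}

// Compare the submitted answer with the stored one, ignoring case and
// surrounding whitespace. The stored answer is cleared so it cannot be reused.
function checkChallenge($submitted) {
    if (!isset($_SESSION['challenge_answer'])) {
        return false;
    }
    $expected = $_SESSION['challenge_answer'];
    unset($_SESSION['challenge_answer']);
    return strtolower(trim($submitted)) === strtolower($expected);
}

// Check a previous answer (if any) before issuing a new question.
if (isset($_POST['answer'])) {
    echo checkChallenge($_POST['answer']) ? '<p>Accepted</p>' : '<p>Rejected</p>';
}
$question = makeChallenge();
?>
<form method="post">
<p><?php echo htmlspecialchars($question, ENT_QUOTES, 'UTF-8'); ?></p>
<input type="text" name="answer">
<input type="submit" value="Submit">
</form>
```

The answer never appears in the HTML, so a bot has to actually solve the question; clearing it after one check means a correct answer cannot be replayed against later requests.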

3. Another way is to add one or more extra inputs to the form and hide them with CSS (<input type="text" name="login" style="display:none">). The server-side application then checks whether the extra field has been filled in: it accepts the form data if the field is empty and rejects it otherwise. The point is that to a spambot this field is just one of the others and it will fill it in, whereas humans never see it, so it stays empty. Obviously this method is not effective against targeted attacks, or once a human has examined the form to determine which fields have to be left untouched.

4. And finally, the proposed method. Its idea is that any spambot must know the names of the form's inputs in order to spam it repeatedly; in other words, the input names have to be constant. So why not assign the input names randomly? That way all input names change after each submission. Since the spambot cannot predict the field names, continuous spamming becomes complicated.

However, even this approach cannot prevent spamming entirely. For example, if the spambot does not store field names but requests the web form afresh each time, this method will not help, because the spambot then does not care about field names and simply takes whatever is there.
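Methods 3 and 4 are complementary, and the following added example (not code from the original post) combines them: every real input and a hidden honeypot input receive random names that are stored in the session, and a submission is accepted only if it uses the current names and left the honeypot empty. The function names, session key, field list and markup are this example's own assumptions.

```php
<?php
// Added example: randomized field names (method 4) plus a CSS-hidden honeypot
// (method 3). Function names, session key and field list are assumptions.
session_start();

// Random lowercase name of length $len; random_int() keeps names unpredictable.
function randomFieldName($len) {
    $letters = range('a', 'z');
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $letters[random_int(0, count($letters) - 1)];
    }
    return $out;
}

// Issue fresh random names for the logical fields plus the honeypot and
// store the mapping logical name => random name in the session.
function issueFieldNames(array $logical, $len = 8) {
    $map = array();
    foreach ($logical as $field) {
        $map[$field] = randomFieldName($len);
    }
    $map['honeypot'] = randomFieldName($len);
    $_SESSION['field_map'] = $map;
    return $map;
}

// Validate a submission against the mapping issued for this session.
// Returns the data keyed by logical name, or null if the request is rejected.
function validateSubmission(array $request, array $map) {
    // The hidden field was filled in: humans never see it, so reject.
    if (!empty($request[$map['honeypot']])) {
        return null;
    }
    $data = array();
    foreach ($map as $logical => $random) {
        if ($logical === 'honeypot') {
            continue;
        }
        // A submission that does not use the current random names is rejected.
        if (!isset($request[$random])) {
            return null;
        }
        $data[$logical] = $request[$random];
    }
    return $data;
}

$fields = array('name', 'surname', 'email');
if (isset($_SESSION['field_map']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validateSubmission($_POST, $_SESSION['field_map']);
    echo $result === null ? '<p>Rejected</p>' : '<p>Accepted</p>';
}
// Names change on every page load, whether or not a submission was accepted.
$map = issueFieldNames($fields);
?>
<form method="post">
<?php foreach ($fields as $field): ?>
<label><?php echo htmlspecialchars($field, ENT_QUOTES, 'UTF-8'); ?>:
<input type="text" name="<?php echo $map[$field]; ?>"></label><br>
<?php endforeach; ?>
<!-- Honeypot: hidden from humans by CSS, so anything in it came from a bot -->
<div style="display:none">
<input type="text" name="<?php echo $map['honeypot']; ?>" autocomplete="off">
</div>
<input type="submit" value="Submit">
</form>
```

Because validation runs before new names are issued, a request is checked against exactly the names that were rendered for it; as the post notes, a bot that re-fetches the form before every submission still gets the current names, and in that case the honeypot is the part that does the filtering.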

PHP code to enable randomized field names and prevent some kinds of spambots from automatically submitting your form:


<?php
   // session_start() must run before any output is sent, otherwise the
   // session cookie header cannot be set
   session_start();

   // Function to generate a random lowercase string of length $len.
   // random_int() is used instead of mt_rand() so the names are not predictable.
   function randName($len) {
      $letters = range('a', 'z');
      $out = '';
      for ($i = 0; $i < $len; $i++) {
         $out .= $letters[random_int(0, count($letters) - 1)];
      }
      return $out;
   }

   $submitted = array();
   // Check whether random field names were issued to this session...
   if (isset($_SESSION['fld_name'], $_SESSION['fld_sname'], $_SESSION['fld_email'])) {
      // ...and whether the submission uses them; a request with other names is ignored
      if (isset($_GET[$_SESSION['fld_name']])) {
         $submitted = array(
            'name'  => $_GET[$_SESSION['fld_name']],
            'sname' => isset($_GET[$_SESSION['fld_sname']]) ? $_GET[$_SESSION['fld_sname']] : '',
            'email' => isset($_GET[$_SESSION['fld_email']]) ? $_GET[$_SESSION['fld_email']] : '',
         );
      }
   }
   // Create a session entry for each input with a new random name (here 5 characters
   // long), so the names change after every page load
   $_SESSION['fld_name']  = randName(5);
   $_SESSION['fld_sname'] = randName(5);
   $_SESSION['fld_email'] = randName(5);
?>
<html>
<head>
</head>
<body>
<?php
   // Echo the submitted values, HTML-escaped so user input cannot inject markup
   foreach ($submitted as $value) {
      echo "<br>" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
   }
?>

<!-- HTML Code of Web Form: the name attribute of each input is assigned randomly -->
<form>
<input type="text" name="<?php echo $_SESSION['fld_name']; ?>"><br>
<input type="text" name="<?php echo $_SESSION['fld_sname']; ?>"><br>
<input type="text" name="<?php echo $_SESSION['fld_email']; ?>"><br>

<input type="submit" value="Submit">
</form>

</body>
</html>

Posted in Programming and Development | 2 Comments »