0
votes

We're trying to come up with a solution to a major spam and bot issue we've been having. Basically, we have an entry form for people to fill out asking for basic information (name, email, address, etc.; sometimes we ask for just email).

Our forms are posted on thousands of websites and domains, and so we've started to see incoming spam and bots executing the forms, submitting fake information.

So far we've employed these things to stop them:

1) IP is blocked after 3 submissions from the same IP.

2) We check the HTTP referrer to ensure it's coming from the expected page. If it is not, we kill the entry.

3) If an email has already been entered once, the system won't record it again.

4) We've added captcha, but most of our customers don't want to use it since it reduces form submissions.

Our form is submitted via AJAX request. Currently the bots are submitting the request to the AJAX file and the HTTP_REFERRER is coming from the expected page, and no information is coming across that would suggest they are using a proxy.

I could be incorrect, but it appears as though they have a macro set up that is rotating through IPs using a new one each time, and automatically filling in our form fields, and submitting them, exactly as a human would do.

As of late we've seen these bots submitting our forms thousands of times, all using the same type of address (like @yahoo or @hotmail), but the submissions are all coming from different IP addresses, so we can't detect and block them. After entering some of these IPs into an IP checker, it looks like a majority of them are coming from proxy servers.

One idea we've come up with to try and stop the spam is that when a user types into one of the fields, JavaScript invokes a cookie. When they go to submit the form, if the cookie isn't found, we drop the entry. Would this work?

We haven't implemented the Honeypot method because the forms are submitted using AJAX, plus we've read that many bots now easily get around the method.

Any suggestions/ideas on how to best combat this would be greatly appreciated!

2
try using a content delivery network (CDN): cloudflare.com/waf (rishal)
You can drop the IP addresses coming from proxies altogether. (Carlitos)
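The three checks listed in the question, written out as an added example in Node JavaScript with no dependencies (this is not the poster's code; the expected referrer, the thresholds and the traffic are all assumptions, and the sample submissions are constructed, not real data). It also adds one signal the question hints at but does not implement: a per-mail-domain burst counter over a sliding window, which does not care which IP a submission came from. Running the constructed rotating-IP batch through the filter reproduces what the poster sees: every bot submission passes the per-IP limit, the referrer check and the email de-duplication; only the burst counter rejects part of it.

```javascript
'use strict';

// Added example, not code from the original post. Values below are assumptions.
const EXPECTED_REFERRER = 'https://example.com/signup';   // the "expected page"
const MAX_PER_IP = 3;                                      // check 1 in the post
const BURST_WINDOW_MS = 60 * 1000;                         // added signal: window length
const BURST_LIMIT = 20;                                    // added signal: per-domain cap

function normalizeEmail(email) {
  return String(email || '').trim().toLowerCase();
}

class SubmissionFilter {
  constructor(opts = {}) {
    this.expectedReferrer = opts.expectedReferrer ?? EXPECTED_REFERRER;
    this.maxPerIp = opts.maxPerIp ?? MAX_PER_IP;
    this.burstWindowMs = opts.burstWindowMs ?? BURST_WINDOW_MS;
    this.burstLimit = opts.burstLimit ?? BURST_LIMIT;   // Infinity disables the burst check
    this.perIp = new Map();        // ip -> submissions seen so far
    this.seenEmails = new Set();   // check 3: one record per email
    this.perDomain = new Map();    // email domain -> recent submission timestamps
  }

  // Returns { accept, reason } for one submission { ip, referrer, email, ts }.
  check(sub) {
    // Check 1: block after three submissions from the same IP.
    const seen = this.perIp.get(sub.ip) || 0;
    if (seen >= this.maxPerIp) return { accept: false, reason: 'ip-limit' };
    this.perIp.set(sub.ip, seen + 1);

    // Check 2: the Referer header is whatever the client chooses to send, so
    // this only stops bots that do not bother to set it (the post says theirs do).
    if (sub.referrer !== this.expectedReferrer) return { accept: false, reason: 'referrer' };

    // Check 3: never record the same email twice.
    const email = normalizeEmail(sub.email);
    if (this.seenEmails.has(email)) return { accept: false, reason: 'duplicate-email' };
    this.seenEmails.add(email);

    // Added signal: many distinct addresses on one mail domain inside a short
    // window, regardless of source IP. Rejected entries still count as evidence.
    const domain = email.split('@')[1] || '';
    const recent = (this.perDomain.get(domain) || []).filter(t => sub.ts - t < this.burstWindowMs);
    recent.push(sub.ts);
    this.perDomain.set(domain, recent);
    if (recent.length > this.burstLimit) return { accept: false, reason: 'domain-burst' };

    return { accept: true, reason: 'ok' };
  }
}

// Constructed traffic (not real data): 30 bot submissions, one per rotating IP,
// correct referrer, distinct @yahoo.com addresses, one second apart; then one
// person retrying the same form four times from a single IP.
function constructedBatch() {
  const t0 = 1700000000000;
  const bots = Array.from({ length: 30 }, (_, i) => ({
    ip: `203.0.113.${i + 1}`,
    referrer: EXPECTED_REFERRER,
    email: `user${i}@yahoo.com`,
    ts: t0 + i * 1000,
  }));
  const retries = Array.from({ length: 4 }, (_, i) => ({
    ip: '198.51.100.7',
    referrer: EXPECTED_REFERRER,
    email: 'Jane.Doe@example.org',
    ts: t0 + 60000 + i * 5000,
  }));
  return bots.concat(retries);
}

// Runs the batch through a filter and tallies outcomes by reason.
function simulate(opts = {}) {
  const filter = new SubmissionFilter(opts);
  const tally = {};
  for (const sub of constructedBatch()) {
    const { reason } = filter.check(sub);
    tally[reason] = (tally[reason] || 0) + 1;
  }
  return tally;
}

console.log('existing checks only:', simulate({ burstLimit: Infinity }));
console.log('with domain burst cap:', simulate());
```

With the burst check disabled, all 30 bot entries are accepted and only the human retries are trimmed (one accepted, two duplicate-email, one ip-limit); with the cap at 20 per minute per domain, the last ten bot entries are rejected. The cap is a tunable heuristic, not a fix on its own: a legitimate campaign can produce a burst of @gmail.com sign-ups, so in practice such a signal feeds a score or a review queue rather than a hard drop.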

2 Answers

0
votes

You do not need a cookie. Just have an onload() JavaScript set a value in a hidden form field. If the submitted form has this field empty, toss it.

Of course, you do realize that any JavaScript-based solution requires the actual client's browser to have JavaScript enabled, and there are various privacy-oriented tools that let users control whether JavaScript is enabled, or not, for a particular web site. That's something for you to decide, whether or not it's a problem for you.

But this simple, JavaScript-based hack should be simple enough to work; at least until spambots evolve to the point of being able to handle it, too.

0
votes

You could ask really simple verification questions like "What's 2 + 3 = ?". They aren't quite as annoying as CAPTCHA but obviously not the most effective. It should cut down on the amount of spam though.