Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2010/01/29 19:35:49 UTC
Re: Web Form Spam
On Fri, 29 Jan 2010, terry@cnysupport.com wrote:
> little uncomfortable making the form submit any more complicated than
> necessary, since the people who use it are generally already stressed, and
> I'd prefer to not make them decipher swirly letters.

I find that most form-fillers are robots and stupid, and can be easily
defeated by inserting a 'hidden' field into the HTML that is invitingly
labelled something like 'e-mail' and then have your form handler test
whether it is empty. If not, then a robot has generated an input string
rather than using your actual form.

Also, if any fields like phone number can reasonably be expected to be
all-numeric, make this a test condition, and it will stop the
alphabet-soup kinds of random field entry.

If the form is intended to report URLs for your own site, test to make
sure any URL *is* one of yours - any other URL, just toss it..... :)

> Really, I was just trying to figure out what the point would be for
> someone to fill out the form with obviously invalid data.

You would be amazed how many different bulletin boards and forums rely on
a simple HTML form to post to a message/report to a large list of people.
Or the form is for a 'comment' page whose output is visible to all website
visitors. Guestbooks are frequent victims of form spam.

- C
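
The three server-side checks described in the message above (hidden field left empty, numeric phone, URL on your own site), as an added example that is not part of the original post. The field names `email`, `phone` and `url`, the host names in `OWN_HOSTS`, and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical names for this sketch; adjust to the real form.
HONEYPOT_FIELD = "email"   # present in the HTML but hidden with CSS, so people leave it blank
OWN_HOSTS = {"example.org", "www.example.org"}
PHONE_PUNCTUATION = str.maketrans("", "", " -().+")


def check_submission(form):
    """Return the reasons to reject a submitted form (empty list means accept)."""
    reasons = []

    # 1. Honeypot: a value here means the POST was generated, not typed into the rendered form.
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")

    # 2. Phone: after dropping common punctuation, only ASCII digits may remain.
    phone = form.get("phone", "").translate(PHONE_PUNCTUATION)
    if phone and not (phone.isascii() and phone.isdigit()):
        reasons.append("phone is not numeric")

    # 3. Reported URL: compare the parsed host exactly. A substring test would
    #    accept look-alikes such as example.org.evil.test or example.org@evil.test.
    url = form.get("url", "").strip()
    if url:
        try:
            parts = urlsplit(url)
            on_site = parts.scheme in ("http", "https") and parts.hostname in OWN_HOSTS
        except ValueError:   # malformed URL, e.g. an unbalanced IPv6 bracket
            on_site = False
        if not on_site:
            reasons.append("URL is not on this site")

    return reasons


if __name__ == "__main__":
    # Constructed sample submissions.
    print(check_submission({"email": "", "phone": "(905) 555-0100",
                            "url": "https://www.example.org/page"}))
    print(check_submission({"email": "bot@spam.test", "phone": "asdfgh",
                            "url": "http://example.org.evil.test/"}))
```

Rejected submissions are best dropped with the same response page a successful post gets, so the sender receives no signal about which check fired.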