[thelist] what's the hole in my contact form anti-spam?

Jon Molesa rjmolesa at consoltec.net
Thu Sep 10 00:01:17 CDT 2009

On Wed, Sep 09, 2009 at 09:16:18PM -0700 Joel Canfield <joel at bizba6.com> wrote:

> Date: Wed, 9 Sep 2009 21:16:18 -0700
> From: Joel Canfield <joel at bizba6.com>
> Subject: Re: [thelist] what's the hole in my contact form anti-spam?
> To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
> > They are including the hidden field as part of the submit
>
> okay, I guess that's logical; how? they're parsing the contact page, then
> going to the response page?

Several scripting languages make this a trivial exercise, including PHP.
Using PHP and curl one can write a scraping bot.  It's easy enough to
assume that all fields including hidden ones are required for a form to
submit and process.  So just like a browser, the script downloads the
page, adds information to the form and submits it to the action URL for
processing.  There's nothing tricky about it.  A 'hidden' field is still
visible client side.

Once they get a successful post they no longer even need to grab the
form.  They can just post the same fields with different values to your
processing script.

As an exercise save your form to another PHP enabled webserver, perhaps
a development machine.  Change the action to reflect the full URL of the
processing script.  Then open that page in a browser and fill it out and

That's all the scrapers are doing.

You need some way to either test for a human sitting at the form loaded
into the browser, or some way to test whether the data received actually
came from the form loaded into a browser.

> joel

Jon Molesa
rjmolesa at consoltec.net
if you're bored or curious
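One way to implement the second check Jon describes, that a submission really came from the form the server handed out rather than from a replayed set of field names: an added PHP example, not code from the thread, that puts a session-bound, time-limited HMAC token in the hidden field and verifies it in the processing script (the secret, session ids and time limits are constructed placeholders).

```php
<?php
// Added example (not from the thread): a server-issued form token that the
// processing script can verify. A static hidden value is visible client side
// and trivially replayed; a signed, expiring, session-bound one is not.
// The secret, session ids and timing limits below are assumptions.

const TOKEN_MAX_AGE = 3600; // reject tokens older than an hour (replay)
const TOKEN_MIN_AGE = 3;    // reject submits faster than a human could type

// Issue a token bound to this visitor's session and the time it was issued.
// Embed the result as the value of a hidden field in the form.
function issue_form_token(string $secret, string $session_id, int $now): string {
    $mac = hash_hmac('sha256', $session_id . '|' . $now, $secret);
    return $now . ':' . $mac;
}

// Verify a submitted token. Returns null on success, or a reason on failure.
function verify_form_token(string $token, string $secret, string $session_id, int $now): ?string {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    $issued = (int) $parts[0];
    $age = $now - $issued;
    if ($age < TOKEN_MIN_AGE) {
        return 'submitted too fast';
    }
    if ($age > TOKEN_MAX_AGE) {
        return 'expired';
    }
    $expected = hash_hmac('sha256', $session_id . '|' . $issued, $secret);
    // hash_equals avoids leaking the mismatch position through timing.
    if (!hash_equals($expected, $parts[1])) {
        return 'bad signature';
    }
    return null;
}

// In the page rendering the form (after session_start()):
//   $token = issue_form_token($secret, session_id(), time());
//   echo '<input type="hidden" name="ftoken" value="' . htmlspecialchars($token) . '">';
// In the processing script, reject the post unless verify_form_token(...) returns null.

// Constructed walk-through with fixed values so it runs offline.
$secret = 'replace-with-a-long-random-secret';   // placeholder, not a real key
$t0 = 1252559778;                                // constructed issue time
$token = issue_form_token($secret, 'sessA', $t0);
var_dump(verify_form_token($token, $secret, 'sessA', $t0 + 30));    // NULL: genuine submit
var_dump(verify_form_token($token, $secret, 'sessA', $t0 + 1));     // "submitted too fast"
var_dump(verify_form_token($token, $secret, 'sessB', $t0 + 30));    // "bad signature": token reused from another session
var_dump(verify_form_token($token, $secret, 'sessA', $t0 + 7200));  // "expired": replayed later
var_dump(verify_form_token('1234', $secret, 'sessA', $t0 + 30));    // "malformed": static value pasted in
```

A bot that fetches the form with a cookie jar before posting still receives a valid token, so this defeats field replay and cross-session reuse rather than proving a human is present; combine it with the first kind of check Jon mentions if that matters.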
