[thelist] how to stop email form spam

Bill Moseley moseley at hank.org
Fri Sep 28 05:28:31 CDT 2007


On Thu, Sep 27, 2007 at 08:57:14PM -0700, Erika wrote:
> I have a very simple perl cgi email form on a client's site that about a 
> year ago started being attacked by spammers.

In addition to the other suggestions to test for a human, I've used a
token that needed to be returned with the form.  Means they have to
fetch the form before posting, and then post within some time period,
and the token is only valid once.

Some bots are smart enough to fetch the forms first, but for the most
part this is proving to be still effective.

There are easy caching CPAN modules that don't require maintenance to
the cache (Cache::FastMmap, for example) where you can remember the
token.

I even have one setup where the token is an md5 of a secret and the
time truncated to a minute, and the token is only valid for a short
amount of time.  So, no need to store the token on the server.  Very
easy to implement.  That form is still in use and still doesn't
produce any spam that I'm aware of, where without the token it was a
problem.  They didn't want to do captchas.

-- 
Bill Moseley
moseley at hank.org
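
A sketch of the stateless, time-limited token described in the message above, as an added example that is not the poster's code. It swaps the md5 of secret and time for HMAC-SHA256 from the core Digest::SHA module and compares in constant time; the secret value, the 60-second bucket, the 10-bucket lifetime and all function names are assumptions. Being stateless, it does not enforce single use; that needs the cached-token variant.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed values, not from the post.
my $SECRET  = 'replace-with-a-long-random-server-side-secret';
my $BUCKET  = 60;    # seconds per bucket (time truncated to a minute)
my $MAX_AGE = 10;    # accept tokens up to this many buckets old

# Issued when the form is served: "<bucket>:<hmac(secret, bucket)>".
sub make_token {
    my ($now) = @_;
    my $bucket = int($now / $BUCKET);
    return $bucket . ':' . hmac_sha256_hex($bucket, $SECRET);
}

# Compare two strings without stopping at the first mismatch.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Checked on POST: well-formed, not from the future, not expired, MAC matches.
sub check_token {
    my ($token, $now) = @_;
    return 0 unless defined $token
        && $token =~ /\A(\d{1,12}):([0-9a-f]{64})\z/;
    my ($bucket, $mac) = ($1, $2);
    my $current = int($now / $BUCKET);
    return 0 if $bucket > $current || $current - $bucket > $MAX_AGE;
    return const_eq($mac, hmac_sha256_hex($bucket, $SECRET));
}

# Constructed demo: one token, checked at different times and after tampering.
my $t0    = 1_190_975_311;                 # constructed timestamp
my $token = make_token($t0);
my ($bk, $mac) = split /:/, $token;
my $redated = ($bk + 5) . ":$mac";         # old MAC with a newer bucket

printf "posted 90 s later:   %d\n", check_token($token,   $t0 + 90);
printf "posted 1 hour later: %d\n", check_token($token,   $t0 + 3600);
printf "re-dated token:      %d\n", check_token($redated, $t0 + 600);
printf "no token at all:     %d\n", check_token(undef,    $t0);
```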



