How to prevent spammers on a contact form?

Status
Not open for further replies.

Dosyhost

Hello,

We tried many spam-prevention codes in contact.html, but none of them worked. We are still getting spam messages/links.
Can you suggest a proper contact form code to prevent spammers?

Here is our contact html:

Code:
  <Script type="text/javascript">
    function CheckForm(f)
    {
        var err=new Array();
        if(f.name.value=='')err.push("<TMPL_VAR lang_name_required>");
        if( !f.email.value.match(/^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/) )err.push("<TMPL_VAR lang_invalid_email>");
        if(f.message.value.length<5)err.push("<TMPL_VAR lang_message_too_short>");
        if(err.length>0){alert(err.join('\n'));return false;}
        if(preg_match('/http|www/i',$comments)) {
        $error_message .= "We do not allow a url in the comment.<br />";
      }
        f.btn.disabled=true;
        return true;
    }
    </Script>
    
    <div class="rrd col-5">
    <Form method="post" action="<TMPL_VAR site_url>/" onSubmit="return CheckForm(this);">
    <input type="hidden" name="op" value="contact">
    <input type="hidden" name="token" value="<TMPL_VAR token>">
    <input type="hidden" name="rand" value="<TMPL_VAR rand>">
    <!-- within your existing form add this field -->
    <input type="text" id="website" name="website"/>
    <input type="checkbox" name="contact_me_by_fax_only" value="1" style="display:none !important" tabindex="-1" autocomplete="off">
    
        <Table width="90%" style="margin-bottom:0px;">    
            <tr>
                <td>
                    <h2><TMPL_VAR lang_contact_us></h2>
                    E-mail Support/Contact: contact[at]mysite[dot]com
                    </br>
                    Please use ***.
                </td>
            </tr>
        </Table>
        <div class="cont_text">
            ****. Please take a minute reading both our <a href="faq.html">FAQ</a> and our <a href="tos.html"><TMPL_VAR lang_terms_of_service></a> before sending any messages regarding our services.
        </div>
        <Table width="90%">        
            <tr>
                <td><TMPL_VAR lang_name>:<br /><input type="text" name="name" value="<TMPL_VAR name>" maxlength=32></td>
            </tr>
            <tr>
                <td><TMPL_VAR lang_email>:<br /><input type="text" name="email" value="<TMPL_VAR email>" size=24 maxlength=32></td>
            </tr>
            <tr>
                <td class="editor"><textarea id="message" name="message" rows=7><TMPL_VAR message></textarea></td>
            </tr>    
    
            <TMPL_IF ihtml>
            <tr>
                <td align=center><TMPL_VAR ihtml></td>
            </tr>
            </TMPL_IF>
            <tr>
                <td align=center><font class="err"><TMPL_VAR msg></font><label for="turingtest"> <strong>Anti-Spam Question:</strong> Which is the wrong name of this host?: site or site2? *</label>
    <br>
    <input type="text" required="required" pattern="[ ]*(site)[ ]*" title="Pick the *****"/>
    <br><input name="send" type="submit" name="btn" value="<TMPL_VAR lang_send_message>"></td>
            </tr>
            
    
        </table>
    
    </div></Form>
    
    
    <br><br><br><br>
    
    <TMPL_IF my_login>
        <link rel="stylesheet" type="text/css" href="<TMPL_VAR site_url>/css/dashboard-menu.css"/>
        <style type="text/css">
        @media (min-width: 1025px){
        .holderPanel{background:#444;}
        }
        </style>
    </TMPL_IF>
    <style type="text/css">
    .rrd input[type="text"], .rrd input[type="password"]{width:100%}
    .SidemenuPanel ul.otherMenus li.activecnt{background:#363636; border-left:2px solid #131313; cursor:pointer}
    .SidemenuPanel ul.otherMenus li.activecnt i{color:#fff;}
    .SidemenuPanel{height:100%;}
    @media (min-width: 980px) and (max-width: 1024px){
    .rrd{width:70%;}
    }
    /*in your css hide the field so real users cant fill it in*/
    form #website{ display:none; }
    </style>
    <TMPL_INCLUDE nic_edit.html>

What are we doing wrong in the above?
 
10 comments
1. http|www -> I think most spammers send links without http/s or www. You should search for a complete URL regex and test it with an online checker like regex101.com

2. use captchas to reduce spam
 
I had contact form spam many times a day; the messages always contained non-ASCII chars. I stopped the form being submitted if the message contained one 'Ð'.
Are there any special chars or keywords you could block?
Or add a few Q&A unique to your site.
 
edit: deleted

Code:
   if(err.length>0){alert(err.join('\n'));return false;}
        if(preg_match('/http|www/i',$comments)) {
        $error_message .= "We do not allow a url in the comment.<br />";
      }

change to

Code:
if(preg_match('/http|www/i',$comments)) {
   err.push("We do not allow a url in the comment.<br />");
}
if(err.length>0){alert(err.join('\n'));return false;}

As it looks, $error_message is never used; you stop the form submit if the err array has entries.

And sure, change $comments to f.message.value
 
Modified to this:

Code:
<Script type="text/javascript">
function CheckForm(f)
{
    var err=new Array();
    if(f.name.value=='')err.push("<TMPL_VAR lang_name_required>");
    if( !f.email.value.match(/^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/) )err.push("<TMPL_VAR lang_invalid_email>");
    if(f.message.value.length<5)err.push("<TMPL_VAR lang_message_too_short>");
if(preg_match('/http|www/i',$f.message.value)) {
   err.push("We do not allow a url in the comment.<br />");
}
if(err.length>0){alert(err.join('\n'));return false;}
    f.btn.disabled=true;
    return true;
}
</Script>

Is it true now?
 
err.push("We do not allow a url in the comment.<br />");
to
err.push("We do not allow a url in the comment,");
because it's an alert window

But you need a better regex expression, because with this you only search for "www" or "http" in the comment string. There are hundreds of examples of URL regexes on the internet; I can't tell you what's the best.
 
ok
I found this:

Code:
Regex if you want to ensure URL starts with HTTP/HTTPS:

https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)

If you do not require HTTP protocol:

[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)

Should I copy those codes into:
if(preg_match('/http|www/

?
 
First, it does not look valid:

[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)[
should be
[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&\/\/=]*)[

second:

this will catch comments like "blablabla blaa.bla bla blaa" because of blaa.bla

You can check it with this online tool: https://regex101.com/r/ABNeFX/1/

maybe you should focus first on a captcha, if you have too much spam but not very good coding skills

ignore the last [ at the regex
 
Using regexes to try and deal with spam is almost always a terrible idea. Might as well remove the form entirely at that point.
 
Already using Google reCAPTCHA but still getting spam.
So alternative ways are a must.
 
Recaptcha and other popular captcha solutions are super easy to bypass even without using a captcha-solving service because they always provide fallback challenges for people with disabilities. So all it does is slightly reduce the spam/flood rate when you're dealing with advanced spam bots. A custom solution could (temporarily) solve it, but that's obviously no easy task. Beyond that your best bet is to look for easily identifiable patterns.
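
Added example, not code from the thread or from the site's script: the honeypot fields and the anti-spam question in the posted form only help if the server checks them, because a bot that POSTs directly never runs the page's JavaScript, CSS or `pattern` attribute. The sketch below (JavaScript, runnable under Node) assumes the POST body is already parsed into an object and that the answer input is given the hypothetical name `turingtest`; it also shows the link test written as a JavaScript regex, since `preg_match()` is a PHP function.

```javascript
// Added example (not from the thread). Field names `website` and
// `contact_me_by_fax_only` come from the posted form; `turingtest` is an
// assumed name for the anti-spam answer input, which has no name in the post.

// Link test in JavaScript syntax; preg_match() is PHP and does not exist here.
const LINK_RE = /https?:\/\/|www\./i;
const EMAIL_RE = /^[A-Za-z0-9_.\-]+@([A-Za-z0-9\-]+\.)+[A-Za-z0-9]{2,4}$/;

// Rules a human sender can get wrong; usable in CheckForm() and on the server.
function validateFields(fields) {
  const err = [];
  const message = String(fields.message || "");
  if (!String(fields.name || "").trim()) err.push("name required");
  if (!EMAIL_RE.test(String(fields.email || ""))) err.push("invalid email");
  if (message.length < 5) err.push("message too short");
  if (LINK_RE.test(message)) err.push("no URLs allowed in the message");
  return err;
}

// Server-side screen: these checks must run here, not only in the browser.
function screenSubmission(fields, expectedAnswer) {
  const reasons = [];
  // Honeypots: hidden from people by CSS, so any value means automation.
  if (String(fields.website || "") !== "") reasons.push("honeypot:website");
  // Browsers omit unchecked checkboxes, so presence alone is the signal.
  if (fields.contact_me_by_fax_only !== undefined) reasons.push("honeypot:checkbox");
  // The answer is only submitted if the input has a name attribute.
  const answer = String(fields.turingtest || "").trim().toLowerCase();
  if (answer !== expectedAnswer.toLowerCase()) reasons.push("wrong answer");
  for (const e of validateFields(fields)) reasons.push("invalid:" + e);
  return { accept: reasons.length === 0, reasons };
}

// Constructed sample submissions (parsed POST bodies), not real traffic.
const human = { name: "Ann", email: "ann@example.org",
  message: "My upload stalls at 90 percent.", website: "", turingtest: " Site " };
const bot = { name: "x", email: "x@example.org", website: "http://spam.example",
  message: "cheap pills www.spam.example", contact_me_by_fax_only: "1" };

console.log(screenSubmission(human, "site"));
console.log(screenSubmission(bot, "site"));
```

Log the rejection reasons rather than showing them to the sender, so the counts per reason show which check is actually catching the spam.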
 