Nov 9, 2006

Website Contact Form: How the Robots Attack

If you have a website, you likely have a contact form so that you do not have to list your email address.

The rise of blogs has also created roving spambots that post to comment forms. They are attempting to find blogs and guestbooks, but they are also posting to our website contact forms.

Here is an example of a robot that came from:
70.87.63.146 92.3f.5746.static.theplanet.com

The robot read the form from my HTML page and copied all the form fields, including the hidden ones. It then submitted all the proper fields, leaving the ones not used blank. It added data to the name and city.

The city field contained 'k o s t a n a y' (spaces added) and the name contained a random name. It is believed that this was a test message designed to post to everything; the operator then comes back a month later and searches Google to find out which sites end up displaying the test phrase, which in this case is the city.

Once it finds out which sites it got into, it will come back and post its spam message.

The strange thing about this robot is that it has a bug. It doesn't understand your reset or clear button, so it tries to submit that field as well, like this:
reset=Reset form

So if you find your reset field being posted to your form, reject the entry. A real browser never sends a reset button's value with the form, so its presence is a reliable sign that the fields were scraped from the page rather than filled in.

Posting a key field or password field won't help on its own because it will read the field and repost it. However, after detecting this bot I changed my key and found that it is still trying to post under the old key, so it reads your key once and then does not update it.

To protect your forms from this bot I recommend using PHP to generate your form page, posting the current date as a hidden field along with a rotating key, and then testing for both when the data is submitted. This type of bot may pass the first test, but none of the ones after that. In fact it may not even pass the first test if it does not post on the same day it scans.


For my forms that are on HTML pages I have changed my PHP submission script. It now displays a page asking the user to press submit again to verify the post. This inserts another date and key code into the input that the robots cannot duplicate. Not only do they not know what the key will be ahead of time, but they would have to submit the data twice with different keys to get in, something they are not programmed to do.
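The three checks described above (reject a posted reset field, require today's date plus a rotating key, then require a second submission carrying a different key) as one server-side handler. This is an added example written in Python to show the logic, not the author's PHP code. The secret, the field and function names, and the choice to derive the rotating key as an HMAC over the date and stage are assumptions; the sample submissions are constructed.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Hypothetical server-side secret (assumption): load it from config in a real
# deployment and never send it to the browser.
SECRET = b"replace-me-with-a-long-random-secret"

STAGE_FORM = "form"      # token embedded in the initial contact form
STAGE_VERIFY = "verify"  # token embedded in the "press submit again" page
TOKEN_FIELDS = ("stage", "date", "key")


def rotating_key(stage: str, today: str, secret: bytes = SECRET) -> str:
    """Derive the day's key for one stage from the secret.

    The key is an HMAC over the date and the stage, so it changes every day
    and differs between the form page and the verify page: a key scraped
    once is useless tomorrow and useless on the other stage."""
    return hmac.new(secret, f"{today}:{stage}".encode(), hashlib.sha256).hexdigest()


def hidden_fields(stage: str, today: Optional[str] = None) -> dict:
    """Hidden inputs to render into the form page (stage 'form') or the
    verify page (stage 'verify')."""
    today = today or date.today().isoformat()
    return {"stage": stage, "date": today, "key": rotating_key(stage, today)}


def check_submission(posted: dict, today: Optional[str] = None) -> str:
    """Classify one POST. Returns 'reject-reset', 'reject-date', 'reject-key',
    'verify' (first stage passed, show the press-again page) or 'accept'."""
    today = today or date.today().isoformat()
    # 1. A real browser never submits a reset button, so a posted reset field
    #    means every <input> on the page was copied blindly by a bot.
    if "reset" in posted:
        return "reject-reset"
    # 2. The hidden date must be today's: a bot that scraped the form earlier
    #    and replays the same fields later fails here.
    if posted.get("date") != today:
        return "reject-date"
    # 3. The key must be the one derived for today and for the claimed stage.
    stage = posted.get("stage", "")
    if stage not in (STAGE_FORM, STAGE_VERIFY):
        return "reject-key"
    expected = rotating_key(stage, today)
    if not hmac.compare_digest(str(posted.get("key", "")).encode(), expected.encode()):
        return "reject-key"
    # 4. Passing the first stage only earns the verify page, never delivery.
    return "verify" if stage == STAGE_FORM else "accept"


def verify_page_fields(posted: dict, today: Optional[str] = None) -> dict:
    """Hidden inputs for the 'press submit again' page: the visitor's message
    carried forward plus a second-stage key the form page never exposed."""
    carried = {k: v for k, v in posted.items() if k not in TOKEN_FIELDS}
    return {**carried, **hidden_fields(STAGE_VERIFY, today)}


def simulate(message: dict, scraped_on: str, posted_on: str,
             copies_reset: bool, follows_verify: bool) -> list:
    """Replay one visitor against the handler and return the outcome of each
    POST. A browser user scrapes and posts the same day, sends no reset field
    and presses submit again; the bot in the post differs on those points."""
    fields = {**message, **hidden_fields(STAGE_FORM, scraped_on)}
    if copies_reset:
        fields["reset"] = "Reset form"
    outcomes = [check_submission(fields, posted_on)]
    if outcomes[-1] == "verify" and follows_verify:
        second = verify_page_fields(fields, posted_on)
        outcomes.append(check_submission(second, posted_on))
    return outcomes


if __name__ == "__main__":
    # Constructed sample submissions, not captured traffic.
    msg = {"name": "Random Name", "city": "k o s t a n a y"}
    print("human    :", simulate(msg, "2006-11-09", "2006-11-09", False, True))
    print("bot      :", simulate(msg, "2006-11-09", "2006-11-09", True, False))
    print("no reset :", simulate(msg, "2006-11-09", "2006-11-09", False, False))
    print("replay   :", simulate(msg, "2006-11-09", "2006-11-10", False, False))
```

Deriving the key from a secret means nothing has to be stored between the page render and the POST, and the stage name inside the HMAC is what makes the second submission need a key the bot never saw. A visitor who loads the form just before midnight and posts just after fails the date check; if that matters, also accept yesterday's date.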

The verify button takes the place of the CAPTCHA and works just as well so far.
