Spammer copied our form's HTML and keeps submitting. How to block it?

We had a submission form live for about a year and naturally some spammer started abusing it. I mounted a form verification code (where you need to re-enter a displayed random number) and to my surprise, the next day the form was spammed again. I checked the spammed document’s field values - and to my even greater surprise, the user-entered verification number does not match my form’s random number - meaning the spammer has most likely not used our currently live form to submit, but has probably copied our old HTML and keeps submitting it, bypassing the protection. Is this possible? If so, is there a way to block our server from receiving those spammed submissions?

Greatly appreciate the help!

Subject: Spammer copied our form’s HTML and keeps submitting. How to block it?

As long as your verification is done by JavaScript with data that is available in the HTML source code, the spammer can easily bypass your JavaScript by using your source code in an HTML page on his own local machine.

What I have put in place to avoid this is the following.

  1. In your Notes DB, create a profile doc with a field which holds a random code.

  2. Create an agent which runs daily and changes this random code in the profile doc. Run it during the night.

  3. Create an agent which returns the random code from the profile document.

  4. In your HTML form, create an HTML field (type=hidden) which is empty at load time.

  5. Use an Ajax request which calls the agent from point 3, and at the end of the Ajax request set the value of the field you defined in point 4.

  6. Invoke this Ajax request on the onload event of your page.

  7. In your form, but on the Notes side this time, in the WebQuerySave agent, run another agent which compares the value in the form field (see point 4) with the one in the profile document. If the values are different it’s spam, so either discard it or flag it to be able to show it only in a specific view (might be useful for control).

This method works because if the spammer uses a local HTML file which contains your form content, when he tries to invoke the Ajax request it will fail, because the server of the HTML file and the server where you invoke the Ajax request are not the same. So the security of the browser will reject it.

This way, the HTML field from point 4 will be empty when the spammer submits it, and it will be caught by your WebQuerySave agent.

I hope it’s clear, because it’s not easy to explain on a forum… ;-))

Best regards

Renaud

Subject: RE: Spammer copied our form’s HTML and keeps submitting. How to block it?

Thanks a lot! It does make sense, I think I will try experimenting with the WebQuerySave alone, first. I haven’t thought about it and hope a simple comparison at this stage will block the submission. If not, I will use Ajax as you have suggested (neat idea!).

I was thinking of something else, too. I could basically run another agent a couple of times a day which would compare the two values in each saved document and remove the mismatched docs. However, that’s dealing with the problem after it occurs, not before, so that would be my last resort.

Also, next time I create any long-term form like this, I will use the graphical image verification code (hope it’s open source). Or will this still not help - since the spammer can again grab my HTML and remove the verification part? Is that possible?

Subject: RE: Spammer copied our form’s HTML and keeps submitting. How to block it?

FWIW I have written a java agent that creates a CAPTCHA. Out of curiosity, really; I like to play with things :-). At present, I don’t use it in production. If you want to see what’s possible, check out http://microstar-computers.net/grukker.nsf/captcha. It’s running on a version 7 server. The code’s open source and written as a standard Notes Java agent, so if you want it, you’re welcome. Although CAPTCHA’s widely regarded as being broken, even a basic level CAPTCHA is generally effective if you’re not hotmail/ebay/google.

Subject: RE: Spammer copied our form’s HTML and keeps submitting. How to block it?

OK, just when I thought this approach (the first response) would work, it occurred to me that the guy already knows my SUBMIT URL and the names of the fields, so how in the world can I protect myself and ban the server from receiving the submissions?

Again - he is not using my form to submit anymore, so no protection will work - he is sending it from his copy of my form. What can be done? (other than renaming the form, which I’m thinking might help, but would rather not do that). Thanks!

Subject: RE: Spammer copied our form’s HTML and keeps submitting. How to block it?

You can’t prevent the server from receiving the submissions. But you can prevent it from storing them. You have to change your form in such a way that the submitted data won’t work unless it contains the correct information – and then make sure the correct information automatically changes from time to time – or with each submission – such that it’s too much trouble for the spammer to bother with your site. The goal is to just make sure that there are plenty of easier sites than yours to spam – it doesn’t have to be impossible.

The Domino blog template uses a pretty effective technique for blocking spam comments – it contains JavaScript code which assigns a value to a field on the browser side, which if it’s not assigned correctly, makes the server reject the page. Spammers don’t sit at a web browser entering messages – they just have automatic programs that post data. These programs don’t execute JavaScript code. So if it’s not possible to post correctly without running the JavaScript, they fail.

Yet another possibility is to keep a log of recent requests for a form. If you get a submission from an IP address which hasn’t recently requested the form HTML, or has requested it too recently – in the last five seconds, say – then it is spam.

Subject: RE: Spammer copied our form’s HTML and keeps submitting. How to block it?

Hi Simon,

do you mind sharing the code with me? Thank you in advance.

Tony