XUpload - Big problems with spambots. Javascript useless?

jimrws
Posts: 21
Joined: Feb 05, 2008 8:29 am

Big problems with spambots. Javascript useless?

#1 Postby jimrws » Jul 09, 2008 8:20 am

Hi,

As soon as my website went live with my Xupload forms I've been getting fake forms posted. All required fields are filled out with rubbish spam, and they get through our spam filter as they look like ordinary inquiries apart from the obvious rubbish posted inside the form.

I've played around with some Javascript code but nothing seems to work. I'm guessing the bots are bypassing this and just posting directly to the cgi script.

I also have file uploads as optional in my webforms, so I can't rely on this to stop fake forms.

Is there anything I can add to the backend code or maybe some php I can add to the form, to stop these fake submissions?

I don't really want to use CAPTCHA or anything that involves user intervention, unless it's unavoidable.

Any help would be gratefully received.
Thanks.

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#2 Postby PilgrimX182 » Jul 09, 2008 8:24 am

Hmm...you can require file upload.
Don't you have this code in your upload.cgi?

Code:

if($#files==-1)
{
   &lmsg("ERROR: No files uploaded");
   sleep 2;
   &DelData($temp_dir);
   &xmessage("ERROR: No files uploaded");
}
PS: Pro version, right?

jimrws
Posts: 21
Joined: Feb 05, 2008 8:29 am

#3 Postby jimrws » Jul 09, 2008 10:51 am

As I mentioned above, I need to leave file upload as optional, as it's not mandatory for our users to upload files.

Any more ideas?

jimrws
Posts: 21
Joined: Feb 05, 2008 8:29 am

#4 Postby jimrws » Jul 09, 2008 11:45 am

Using a similar method to the file upload check above, is it possible to check other form fields in the cgi?? What code could I use for this?

Maybe in upload.cgi it could check for a hidden field or a timestamp so it knows whether the form was submitted by a human and not a bot??
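
The hidden-field and timestamp check asked about in post #4, as an added example (not part of the original thread and not XUpload's own code). It assumes whatever serves the form can call `issue_token` to fill two hidden fields; the field names `form_ts`, `form_sig` and `website`, the secret and the thresholds are illustrative assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed names (not XUpload's): fields form_ts, form_sig, website.
my $SECRET   = 'replace-with-a-long-random-value';  # placeholder; keep outside the web root
my $MIN_FILL = 3;     # seconds; a person needs at least this long to fill the form
my $MAX_AGE  = 3600;  # seconds; older tokens are refused to limit replay

# Form side: values for the two hidden fields, bound together by an HMAC.
sub issue_token {
    my ($now) = @_;
    return ($now, hmac_sha256_hex($now, $SECRET));
}

# upload.cgi side: returns a reason to reject, or undef to accept.
sub reject_reason {
    my ($f, $now) = @_;
    # "website" is a honeypot: hidden with CSS, so only a bot fills it in.
    return 'honeypot field filled' if length($f->{website} // '');
    my ($ts, $sig) = ($f->{form_ts} // '', $f->{form_sig} // '');
    return 'token missing or malformed'
        unless $ts =~ /\A\d{1,12}\z/ && $sig =~ /\A[0-9a-f]{64}\z/;
    return 'bad signature' unless hmac_sha256_hex($ts, $SECRET) eq $sig;
    my $age = $now - $ts;
    return 'submitted too fast' if $age < $MIN_FILL;
    return 'token expired'      if $age > $MAX_AGE;
    return;
}

# Constructed sample submissions (not real traffic).
my $t0 = 1215600000;
my ($ts, $sig) = issue_token($t0);
my @samples = (
    [ 'person, 40 s on the form', { form_ts => $ts, form_sig => $sig, website => '' }, $t0 + 40 ],
    [ 'direct POST, no token',    { name => 'x' }, $t0 + 40 ],
    [ 'bot fills every field',    { form_ts => $ts, form_sig => $sig, website => 'http://spam.example' }, $t0 + 40 ],
    [ 'forged timestamp',         { form_ts => $t0 - 60, form_sig => $sig, website => '' }, $t0 + 40 ],
    [ 'instant submit',           { form_ts => $ts, form_sig => $sig, website => '' }, $t0 + 1 ],
);
for my $s (@samples) {
    my ($label, $fields, $now) = @$s;
    printf "%-26s %s\n", $label, reject_reason($fields, $now) // 'accepted';
}
```

A client that fetches the form, waits a few seconds and submits the issued token unchanged still passes, so this filters direct and careless posting rather than proving a person is present.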

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#5 Postby PilgrimX182 » Jul 10, 2008 6:18 am

You can require JS on client side. Bots don't have JS I think :)

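Code:

# Reject the request when the query string does not carry js_on=1,
# the marker that client-side JavaScript is expected to add.
if($ENV{QUERY_STRING}!~/js_on=1/)
{
   &lmsg("ERROR: No files uploaded");
   sleep 2;
   &DelData($temp_dir);
   &xmessage("ERROR: No files uploaded");
}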

toobigforemail.com
Posts: 8
Joined: Nov 20, 2008 1:48 am

#6 Postby toobigforemail.com » Jan 07, 2009 5:18 am

What about checking HTTP_HOST? That way unless they are posting from your site they can't POST. :)

Code:

if (($ENV{'HTTP_HOST'} eq "yourdomain.com")||
    ($ENV{'HTTP_HOST'} eq "www.yourdomain.com"))
{
    # do some stuff
} else {
    # don't do some stuff
}