[Gllug] Perl Question - Spam Filter for NMS Form Mail

Lesley Binks lesleyb at pgcroft.net
Sat Feb 7 17:14:29 UTC 2009


On Sat, Feb 07, 2009 at 11:45:40AM +0000, Henry Gilbert wrote:
> Hi All,
> 
> I've finished building an eco-holiday website - and have implemented a
> contact form (using NMS Form Mail). But uncustomized the form attracts
> a lot of spam!
> 
> So I began searching forums and so forth, copying and pasting
> "spam-trapping" code without really understanding much about Perl
> syntax.
> 
> Luckily, it has worked pretty well until now. The spam filter doesn't
> require any annoying "Captcha" and has trapped over 99.9% of spam
> messages.
> 
> So far this is what it does:
> 
> - It blocks any messages that contains characters "<" and ">"
> - It traps any message from spam-bots silly enough to fill in a hidden
> input field.
> 
> But this is what I want to do extra:
> 
> - Trap any message containing the following sequence of character "://"
> - Trap any message that is suspiciously long, say over 1000 characters
> in length.
> 
> If any of you is proficient in Perl and can help me out with this, I
> would be extremely grateful.
> 
> Here is the customized code so far:
> 
> use CGI;
> sub spam {
>     my $q = CGI->new;
>     my $spamcheck    = $q->param('trap')    || '';
>     my $messagecheck = $q->param('message') || '';
>     if ($spamcheck ne '') {
>         print "Location: http://www.google.com\n\n";
>         exit;
>     }
>     elsif ($messagecheck =~ /<(.|\n)*>/) {
>         print "Location: http://www.google.com\n\n";
>         exit;
>     }
> }
> spam();
> 
> The NMS Form Mail can be downloaded here: http://nms-cgi.sourceforge.net/
> 
> And should you need to inspect the HTML code to the contact form, here
> it is: http://www.lucertola.info/contact-form.htm
> 
> Thanks for your attention and help,
> 
> Henry Gilbert
> 
Henry,

Some of what you are doing won't trap spam.  It will trap humans that
might be trying to use your form in some way.

With any form submission you need to html_escape anything if you are
going to print it out on another webpage. You need to sql escape it
before you add it to a database.  This stops a few form hacks.
Always prevent someone using the contact form to send mail elsewhere
by excluding anything that contains a ':' in the subject or any
other email header (such as the originator's email), or block actual
newlines added to header data you are allowing to be entered.

You basically need to look at what you are asking to be input and think
how a 'hax0r' might use it to subvert it for their own purposes.

You'd get more mileage out of this if you wrote your own contact form
and you could then add a recaptcha.net anti-spam offering. 

You only need two or three text fields, a text area and a submit button
plus the recaptcha.net javascript.

Regards

L.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
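The following Perl script is an added example for this thread, not NMS FormMail's own code and not something either poster wrote. It collects the checks both messages talk about in one place: Henry's existing traps (hidden field, angle brackets), the two he asked for ("://" anywhere in the message, and a message longer than 1000 characters), and Lesley's advice to keep newlines and ':' out of anything that becomes a mail header and to HTML-escape fields before echoing them. The function names, the 1000-character limit as a variable, and the sample submissions at the bottom are all assumptions made here.

```perl
#!/usr/bin/perl
# Added example: form checks in the spirit of this thread. Not NMS FormMail
# code; function names and the sample inputs at the bottom are invented here.
use strict;
use warnings;
use CGI;

my $MAX_MESSAGE_LENGTH = 1000;   # the "suspiciously long" threshold from the question

# Returns a short reason if the submission looks like spam, or undef if not.
# $fields is a hashref of field name => value (plain strings, not a CGI object)
# so the logic can be exercised without a web server.
sub spam_reason {
    my ($fields) = @_;
    my $trap    = $fields->{trap}    // '';
    my $message = $fields->{message} // '';

    # Hidden field: a human never sees it, a bot fills in everything.
    return 'hidden trap field filled' if $trap ne '';
    # Existing check: a '<' followed later by a '>' (accepts the same strings
    # as the original /<(.|\n)*>/, without that pattern's backtracking).
    return 'angle brackets in message' if $message =~ /<[^>]*>/;
    # Requested addition 1: any URL scheme separator.
    return 'URL in message'            if index($message, '://') >= 0;
    # Requested addition 2: suspiciously long message.
    return 'message too long'          if length($message) > $MAX_MESSAGE_LENGTH;
    return;
}

# Values that end up in mail headers (Subject, the sender's address) must
# carry no newline and, per Lesley's rule, no ':'; otherwise extra header
# lines can be smuggled in and the form becomes a relay for other people's mail.
sub header_field_ok {
    my ($value) = @_;
    return 0 if $value =~ /[\r\n:]/;
    return 1;
}

# Escape a field before echoing it into an HTML page.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Glue for a CGI script: reads the fields, redirects spam away exactly as
# Henry's spam() does, and returns the checked fields otherwise.
sub check_cgi_submission {
    my $q = CGI->new;
    my %fields = map { $_ => (scalar($q->param($_)) // '') }
                 qw(trap message subject email);
    my $why = spam_reason(\%fields);
    $why //= 'unsafe header field'
        if grep { !header_field_ok($fields{$_}) } qw(subject email);
    if ($why) {
        print $q->redirect('http://www.google.com/');
        exit;
    }
    return \%fields;
}

# Constructed sample submissions, run only when the file is executed directly.
unless (caller) {
    my @samples = (
        [genuine => { message => 'Do you have a room free in June?', subject => 'Booking' }],
        [bot     => { trap => 'x', message => 'hello', subject => 'hi' }],
        [url     => { message => 'visit http://example.invalid/', subject => 'hi' }],
        [long    => { message => 'a' x 1001, subject => 'hi' }],
        [header  => { message => 'hello', subject => "hi\r\nBcc: someone\@example.invalid" }],
    );
    for my $s (@samples) {
        my ($name, $f) = @$s;
        printf "%-8s spam=%-26s header=%s echo=%s\n", $name,
            spam_reason($f) // 'no',
            header_field_ok($f->{subject}) ? 'ok' : 'unsafe',
            html_escape($f->{message});
    }
}
```

Run it directly (`perl formcheck.pl`) to see the five constructed samples classified; only the first passes both checks. In the live script, call check_cgi_submission() where spam() is called now. For the SQL side Lesley mentions, prefer DBI placeholders over hand-written escaping, so the database driver quotes the values itself.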