 
02-21-08, 21:50
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
Fairly decent spam-stopper form
Hello. I have put together a pretty decent PHP spam stopper for contact forms. Briefly, this is what it does:
1. Compares the epoch time when the form loaded to the time when the contact form script is called, and kills it if less than eight seconds have transpired. (Robots would probably fill the form in less than eight seconds.)
2. Sets up a bogus captcha trap in an invisible DIV. Because robots ignore CSS, they will see the field and fill it in. If the value matches a random number generated by the script and presented as if it were a captcha, the script dies.
3. Checks the value of information entered into the bogus captcha field for "http://" or "@." If it contains those strings, the script dies.
4. Gets the client IP address at both the form and the processor stage. If they don't match, the script dies.
A working example of the script can be found at www.rjmwebdesign.com/spamproof.php . Here's the code for both pages:
Code for sending (form) page:
HTML Code:
<?php
$start = time();
$captcha = rand();
$ip1=$_SERVER['REMOTE_ADDR'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Spamproof</title>
<link href="styles/mainstyle.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="form">
<form action="sizzle.php" method="post">
<div id="swizzle">
<?php
echo $captcha, '<br />';
echo '<input type="text" name="haha" size="15" />', " ", 'Ignore this field if you are human<br />';
echo '<input type="hidden" name="start" value="', $start, '"> <br />';
echo '<input type="hidden" name="ip1" value="', $ip1, '"> <br />';
echo '<input type="hidden" name="captcha" value="', $captcha, '"> <br />';
?>
</div>
<input type="text" name="stuff" size="25" />
Please write some stuff in the line and take your time. <br />
<input name="submit" type="submit" value="Send" />
</form>
</div>
</body>
</html>
Here's the PHP for the processing page:
PHP Code:
<?php
foreach($_POST AS $key => $value) {
${$key} = $value;
}
foreach($_GET AS $key => $value) {
${$key} = $value;
}
// get current epoch time
$timeNow = time();
// get IP address
$ip2=$_SERVER['REMOTE_ADDR'];
// get captcha response
$haha = Trim(stripslashes($_POST['haha']));
// die if submission is too fast for a human
if ($timeNow - $start < 8)
{
echo "Test failed. Less than eight seconds elapsed between when you loaded the form and when you submitted it.";
die;
// die if IP addresses don't match
} elseif ($ip1 !== $ip2)
{
echo "The IP addresses do not match. Test failed.";
die;
// die if captcha trap is filled in
} elseif ($captcha == $haha)
{
echo "The invisible captcha form was filled in. Test failed.";
die;
}
// die if captcha field contains http:// or @
if (preg_match('#http://|@#i', $haha))
{
die;
}
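// HTML-escape the client-supplied values before echoing them back
list($start, $captcha, $haha, $ip1) = array_map('htmlspecialchars', array($start, $captcha, $haha, $ip1));
echo "<strong>All tests passed!</strong><br /><br />";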
echo "<strong>Test 1: Time</strong><br />";
echo "The epoch time when the form was loaded was ", $start, "<br />";
echo "The epoch time when the form was submitted was ", $timeNow, "<br />";
echo "It took ", ($timeNow - $start), " seconds to submit the form. A robot would have been faster.";
echo "<br /><br />";
echo "<strong>Test 2: Captcha Trap</strong><br />";
echo "'", $captcha, "'", " was the random number generated for the captcha trap.<br />";
echo "' ", $haha, "'", " was entered in the captcha trap field.<br />";
echo "Because ", $captcha, " does not equal ", "' ", $haha, "'", ", it doesn't appear that a robot filled this form.";
echo "<br /><br />";
echo "<strong>Test 3: Forbidden Characters</strong><br />";
echo "The value of the invisible string 'haha' is ", "' ", $haha, "' ", ". It does not contain http:// or @.<br /><br />";
echo "<strong>Test 4: IP Test</strong><br />";
echo "The form was submitted by IP Address ", $ip1, "<br />";
echo "The processing script was called by IP Address ", $ip2, "<br />";
echo "The IP addresses match.";
echo "<br /><br />";
// HTML-escape the visitor's text before echoing it back
$stuff = htmlspecialchars(trim(stripslashes($_POST['stuff'])));
echo "Ohh... by the way... here is the stuff you entered: ", $stuff;
?>
Comments Welcome.
Best,
Richard
|

02-22-08, 05:19
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
Some corrections and changes. (This is ongoing, as a friend is "hacking" my script at my request).
Second (form processor) page:
PHP Code:
<?php
foreach($_POST AS $key => $value) {
${$key} = $value;
}
// get current epoch time
$timeNow = time();
// get IP address
$ip2=$_SERVER['REMOTE_ADDR'];
// get captcha response
$haha=$_POST['haha'];
// die if submission is too fast for a human
if ($timeNow - $start < 8)
{
echo "Test failed. Less than eight seconds elapsed between when you loaded the form and when you submitted it.";
die;
// die if IP addresses don't match
} elseif ($ip1 !== $ip2)
{
echo "The IP addresses do not match. Test failed.";
die;
// die if captcha trap is filled in
} elseif ($captcha == $haha)
{
echo "The invisible captcha form was filled in. Test failed.";
die;
}
// die if captcha field contains http:// or @
if (preg_match('#http://|@#i', $haha))
{
die;
}
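// HTML-escape the client-supplied values before echoing them back
list($start, $captcha, $haha, $ip1) = array_map('htmlspecialchars', array($start, $captcha, $haha, $ip1));
echo "<strong>All tests passed!</strong><br /><br />";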
echo "<strong>Test 1: Time</strong><br />";
echo "The epoch time when the form was loaded was ", $start, "<br />";
echo "The epoch time when the form was submitted was ", $timeNow, "<br />";
echo "It took ", ($timeNow - $start), " seconds to submit the form. A robot would have been faster.";
echo "<br /><br />";
echo "<strong>Test 2: Captcha Trap</strong><br />";
echo "'", $captcha, "'", " was the random number generated for the captcha trap.<br />";
echo "' ", $haha, "'", " was entered in the captcha trap field.<br />";
echo "Because ", $captcha, " does not equal ", "' ", $haha, "'", ", it doesn't appear that a robot filled this form.";
echo "<br /><br />";
echo "<strong>Test 3: Forbidden Characters</strong><br />";
echo "The value of the invisible string 'haha' is ", "' ", $haha, "' ", ". It does not contain http:// or @.<br /><br />";
echo "<strong>Test 4: IP Test</strong><br />";
echo "The form was submitted by IP Address ", $ip1, "<br />";
echo "The processing script was called by IP Address ", $ip2, "<br />";
echo "The IP addresses match.";
echo "<br /><br />";
// HTML-escape the visitor's text before echoing it back
$stuff = htmlspecialchars(trim(stripslashes($_POST['stuff'])));
echo "Ohh... by the way... here is the stuff you entered: ", $stuff;
?>
|

02-22-08, 06:57
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
More revisions
Form page:
HTML Code:
<?php
unset($start, $captcha, $ip1, $haha, $stuff);
$start = time();
$captcha = rand();
$ip1=$_SERVER['REMOTE_ADDR'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Spamproof</title>
<link href="styles/mainstyle.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="form">
<form action="sizzle.php" method="post">
<div id="swizzle">
<?php
echo $captcha, '<br />';
echo '<input type="text" name="haha" size="15" />', " ", 'Ignore this field if you are human<br />';
echo '<input type="hidden" name="start" value="', $start, '"> <br />';
echo '<input type="hidden" name="ip1" value="', $ip1, '"> <br />';
echo '<input type="hidden" name="captcha" value="', $captcha, '"> <br />';
?>
</div>
<input type="text" name="stuff" size="25" />
Please write some stuff in the line and take your time. <br />
<input name="submit" type="submit" value="Send" />
</form>
</div>
</body>
</html>
Form Processor PHP Code:
PHP Code:
<?php
foreach($_POST AS $key => $value) {
${$key} = $value;
}
// get current epoch time
$timeNow = time();
// get IP address
$ip2=$_SERVER['REMOTE_ADDR'];
// get visible form field(s)
$stuff = $_POST['stuff'];
// get captcha response
$haha=$_POST['haha'];
// die if submission is too fast for a human
if ($timeNow - $start < 8)
{
echo "Test failed. Less than eight seconds elapsed between when you loaded the form and when you submitted it.";
die;
// die if IP addresses don't match
} elseif ($ip1 <> $ip2)
{
echo "The IP addresses do not match. Test failed.";
die;
// die if captcha trap is filled in
} elseif (!empty($haha))
{
echo "The invisible captcha form was filled in. Test failed.";
die;
// die if form field that shouldn't contains http
}
if (preg_match("/http/i", $stuff))
{
echo "Test failed. A field that should not have contained 'http' contained 'http'. The form was most likely filled out by a robot.";
die;
}
else;
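// HTML-escape the client-supplied values before echoing them back
list($start, $captcha, $haha, $stuff, $ip1) = array_map('htmlspecialchars', array($start, $captcha, $haha, $stuff, $ip1));
echo "<strong>All tests passed!</strong><br /><br />";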
echo "<strong>Test 1: Time</strong><br />";
echo "The epoch time when the form was loaded was ", $start, "<br />";
echo "The epoch time when the form was submitted was ", $timeNow, "<br />";
echo "It took ", ($timeNow - $start), " seconds to submit the form. A robot would have been faster.";
echo "<br /><br />";
echo "<strong>Test 2: Captcha Trap</strong><br />";
echo "'", $captcha, "'", " was the random number generated for the captcha trap.<br />";
echo "' ", $haha, "'", " was entered in the captcha trap field.<br />";
echo "It doesn't appear that a robot filled this field.";
echo "<br /><br />";
echo "<strong>Test 3: Forbidden Characters</strong><br />";
echo "The value entered for the visible field 'stuff' was ", "' ", $stuff, "' ", ", which does not contain 'http'.<br /><br />";
echo "<strong>Test 4: IP Test</strong><br />";
echo "The form was submitted by IP Address ", $ip1, "<br />";
echo "The processing script was called by IP Address ", $ip2, "<br />";
echo "The IP addresses match.";
echo "<br /><br />";
// HTML-escape the visitor's text before echoing it back
$stuff = htmlspecialchars(trim(stripslashes($_POST['stuff'])));
echo "Ohh... by the way... here is the stuff you entered: ", $stuff;
unset($start, $captcha, $ip1, $ip2, $haha, $stuff, $timeNow);
?>
|
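An added example, not part of the posts above and not the poster's code: the hidden `start` and `ip1` fields come back from the client, so this version signs them with an HMAC on the form page and verifies the signature on the processor page before running the same timing, IP, honeypot and "http" tests. The `token` field name, the `FORM_SECRET` placeholder and the 300-second upper bound are assumptions of the example; `haha` and `stuff` are the field names used in the thread.

```php
<?php
// Added example, not the poster's code.
// FORM_SECRET is a placeholder; a real key belongs in configuration outside the web root.
const FORM_SECRET = 'placeholder-key-load-from-config';
const MIN_SECONDS = 8;    // lower bound used in the thread
const MAX_SECONDS = 300;  // upper bound: an assumption of this example

// Form page: sign the load time and client IP so the hidden value cannot be edited.
function issue_token(string $ip, int $now): string
{
    $payload = $now . '|' . $ip;
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Processor page: returns 'ok' or the name of the first test that failed.
function check_submission(array $post, string $ip, int $now): string
{
    $token = $post['token'] ?? '';                // 'token' is a hypothetical field name
    $parts = is_string($token) ? explode('.', $token, 2) : [];
    if (count($parts) !== 2) {
        return 'token-missing';
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, FORM_SECRET), $parts[1])) {
        return 'token-forged';
    }
    [$start, $formIp] = explode('|', $payload, 2);
    $elapsed = $now - (int) $start;
    if ($elapsed < MIN_SECONDS || $elapsed > MAX_SECONDS) {
        return 'timing';
    }
    if ($formIp !== $ip) {
        return 'ip-mismatch';
    }
    if (($post['haha'] ?? '') !== '') {            // honeypot: any content fails
        return 'honeypot';
    }
    $stuff = $post['stuff'] ?? '';
    if (!is_string($stuff) || stripos($stuff, 'http') !== false) {
        return 'link-in-field';
    }
    return 'ok';
}

// Constructed demo input: documentation-range addresses and a fixed clock value.
$ip = '203.0.113.7';
$t0 = 1203685020;
$good = issue_token($ip, $t0);
// Payload with an earlier start time, paired with the MAC of the genuine token.
$edited = base64_encode(($t0 - 60) . '|' . $ip) . '.' . explode('.', $good)[1];

$cases = [
    'human, 20 s'        => [['token' => $good, 'haha' => '', 'stuff' => 'hello'], $ip, $t0 + 20],
    'submitted in 1 s'   => [['token' => $good, 'haha' => '', 'stuff' => 'hello'], $ip, $t0 + 1],
    'edited start time'  => [['token' => $edited, 'haha' => '', 'stuff' => 'hello'], $ip, $t0 + 1],
    'different IP'       => [['token' => $good, 'haha' => '', 'stuff' => 'hello'], '198.51.100.4', $t0 + 20],
    'honeypot filled'    => [['token' => $good, 'haha' => '12345', 'stuff' => 'hello'], $ip, $t0 + 20],
    'stale after 10 min' => [['token' => $good, 'haha' => '', 'stuff' => 'hello'], $ip, $t0 + 600],
];
foreach ($cases as $label => [$post, $clientIp, $now]) {
    printf("%-20s %s\n", $label, check_submission($post, $clientIp, $now));
}
```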

02-22-08, 07:06
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
I've made the changes that if the phony captcha field contains anything at all, the script dies; and if a field that shouldn't contains http, the script dies.
This is not perfect, but if it works and no one can identify any glaring vulnerabilities, it could be quite useful.
Rich
|

02-22-08, 07:54
|
|
BOD Member
|
|
Join Date: Nov 2005
Location: New Mexico
Posts: 273
|
|
True,
One of my friends has created a script where the spam is identified straight away and deletes them. But at times it ends up deleting the genuine ones..LOL..:D
|

02-22-08, 08:09
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
Quote:
Originally Posted by Christina
True,
One of my friends has created a script where the spam is identified straight away and deletes them. But at times it ends up deleting the genuine ones..LOL..:D
|
That's one of the things I am trying to avoid, along with trying not to have the user do anything (identify captcha images, etc.) that would inconvenience them.
Rich
|

02-26-08, 04:09
|
|
BOD Member
|
|
Join Date: Oct 2005
Posts: 117
|
|
Can we use SpamAssassin on the server to decrease the rate of spamming?
|

02-26-08, 06:15
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
Of course. This idea is for a very specific application that would send a text message to the client's cell phone in an emergency.
Since I posted this script I've re-thought it, and I've decided that it contains too many vulnerabilities to use on a production site. The logic is okay, but I was thinking too much in terms of what a robot could do versus what a malicious human user might do with the script.
So what I am doing now is taking the idea and developing it into a database-driven, modularized version. I'm a little busy with other things this week, but I have written the database and the GUI. I just need to integrate the spam-sniffing logic into it, hopefully some time within a couple of days, and then I'll post the code.
Best,
Richard
|

02-26-08, 19:40
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
Okay, here is the new version. Some of the code may be a bit ugly and in need of cleaning, but it does work.
http://www.rjmwebdesign.com/sandbox/...p/spamstop.php
And the code:
The main form page:
PHP Code:
<?php
include ("initialize.php");
include ("header.php");
include ("body.php");
?>
The initializer script, initialize.php, that sets the initial vars, gets the time, and hashes the unique user id:
PHP Code:
<?php
$start_time = time();
$ip1=$_SERVER['REMOTE_ADDR'];
$captcha = rand(10000, 99999);
$unique_user = md5($start_time . "_" . $captcha);
include ("open_db.php");
mysql_query("INSERT INTO requests (start_time, captcha, ip1, unique_user) VALUES ('$start_time', '$captcha' , '$ip1' , '$unique_user')")
or die("recorder Could not insert data");
?>
The header, header.php:
HTML Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<link href="style.css" rel="stylesheet" type="text/css" />
<script language="javascript" type="text/javascript">
function limitText(limitField, limitCount, limitNum) {
if (limitField.value.length > limitNum) {
limitField.value = limitField.value.substring(0, limitNum);
} else {
limitCount.value = limitNum - limitField.value.length;
}
}
</script>
</head>
The body, body.php:
HTML Code:
<body>
<noscript>
NOTE: You appear to have JavaScript disabled (or an ad-blocker is interfering with it). This form may not work properly with JavaScript disabled.
</noscript>
<p>In an emergency, you can use this form to send a text message. Due to the size limits on a text message, the message body must not exceed 100 characters.</p>
<p> </p>
<form action="collector.php" method="post" enctype="multipart/form-data" name="form">
<p>
<input name="name" type="text" size="30" maxlength="30" />
Name * </p>
<p> (
<input type="text" name="areacode" size="3" maxlength="3" />
)
<input type="text" name="phone" size="8" maxlength="8" />
Ext.
<input type="text" name="ext" size="6" maxlength="6" />
Phone Number *</p>
<p>
<input type="text" name="site" size="30" maxlength="30" />
Site or domain, if applicable. </p>
<div id="stronza"> <?php echo $captcha, '<br />'; ?>
<input name="verifier" type="text" size="30" maxlength="60" />
</div>
<input type=hidden name="unique_user" value="<?php echo($unique_user)?>">
<p>
<textarea name="message" cols="30" rows="4" onKeyDown="limitText(this.form.message,this.form.countdown,100);"
onKeyUp="limitText(this.form.message,this.form.countdown,100);">
</textarea>
Message<br>
<font size="1">(Maximum characters: 100)<br>
You have
<input readonly type="text" name="countdown" size="3" value="100">
characters left.</font><br>
</p>
<p> </p>
<p>
<input type="submit" name="Submit" value="Text Me!" />
</p>
<p> </p>
</form>
</body>
</html>
And the guts of the script, collector.php:
PHP Code:
<?php
// get submission time and IP address
$timeSubmit = time();
$ip2=$_SERVER['REMOTE_ADDR'];
// collect variables
$name = $_POST['name'];
$areacode = $_POST['areacode'];
$phone = $_POST['phone'];
$ext = $_POST['ext'];
$site = Trim(stripslashes($_POST['site']));
$message = Trim(stripslashes($_POST['message']));
$user = $_POST['unique_user'];
$submitter = $user;
// get bogus captcha response
$verifier = $_POST['verifier'];
// check to see if form fields filled in
$complete=true;
if (empty ($name)) $complete=false;
if (empty ($areacode)) $complete=false;
if (empty ($phone)) $complete=false;
if (empty ($message)) $complete=false;
if (!$complete)
{
/*print "<meta http-equiv=\"refresh\" content=\"0;URL=error.html\">"; */
echo "A required field was left blank.";
}
else
{
// we populate the row so as to have a record of the attempt and do later tests
include ("open_db.php");
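// escape every client-supplied value before it goes into the SQL string
$e = array_map('mysql_real_escape_string', array('submitter' => $submitter, 'name' => $name, 'areacode' => $areacode, 'phone' => $phone, 'ext' => $ext, 'site' => $site, 'verifier' => $verifier, 'message' => $message, 'user' => $user));
mysql_query ("UPDATE requests SET submitter='{$e['submitter']}', name='{$e['name']}', submit_time='$timeSubmit', ip2='$ip2', areacode='{$e['areacode']}', phone='{$e['phone']}', ext='{$e['ext']}', site='{$e['site']}', verifier='{$e['verifier']}', message='{$e['message']}' WHERE unique_user='{$e['user']}'")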
or die("Collector could not update data");
mysql_close();
}
?>
<?php
// Now we retrieve the data
include ("open_db.php");
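// escape the client-supplied token before it goes into the SQL string
$query="SELECT * FROM requests WHERE unique_user = '" . mysql_real_escape_string($user) . "'";
$result=mysql_query($query);
// die if the query failed or no row matches the user, before we waste any more time
if (!$result || mysql_num_rows($result) == 0)
{ echo "No match found for user";
die;
}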
// now that we know the user exists, we assign the variables we'll need to do the bot checks
while($row = mysql_fetch_assoc($result))
{
$start_time=($row["start_time"]);
$captcha=($row["captcha"]);
$ip1=($row["ip1"]);
$unique_user=($row["unique_user"]);
$submitter=($row["submitter"]);
$name=($row["name"]);
$submit_time=($row["submit_time"]);
$ip2=($row["ip2"]);
$areacode=($row["areacode"]);
$phone=($row["phone"]);
$ext=($row["ext"]);
$site=($row["site"]);
$verifier=($row["verifier"]);
$message=($row["message"]);
}
// close the connection once, after the row has been read
mysql_close();
// now do the robot tests
if (($submit_time - $start_time < 8) || ($submit_time - $start_time > 300))
{
echo "Test failed. Less than eight seconds or more than 300 seconds elapsed between when you loaded the form and when you submitted it.";
die;
// die if IP addresses don't match
} elseif ($ip1 !== $ip2)
{
echo "The IP addresses do not match. Test failed.";
die;
// die if hashes don't match
} elseif ($unique_user !== $submitter)
{
echo "The hashes don't match for the form and the submission. Test failed.";
die;
// die if captcha trap is filled in
} elseif (!empty($verifier))
{
echo "The invisible captcha form was filled in. Test failed.";
die;
// die if form field that shouldn't contains http
}
if ((preg_match("/http/i", $name)) || (preg_match("/http/i", $message)))
{
echo "Test failed. A field that should not have contained 'http' contained 'http'. The form was most likely filled out by a robot.";
die;
}
else;
//this stuff is just here for testing. The actual form would have sent the message to the cell phone
echo "<strong>All tests passed!</strong><br /><br />";
echo "<strong>Test 1: Time</strong><br />";
echo "The epoch time when the form was loaded was ", $start_time, "<br />";
echo "The epoch time when the form was submitted was ", $submit_time, "<br />";
echo "It took ", ($submit_time - $start_time), " seconds to submit the form.";
echo "<br /><br />";
echo "<strong>Test 2: Captcha Trap</strong><br />";
echo "'", $captcha, "'", " was the random number generated for the captcha trap.<br />";
echo "' ", $verifier, "'", " was entered in the captcha trap field.<br />";
echo "It doesn't appear that a robot automatically filled this field.";
echo "<br /><br />";
echo "<strong>Test 3: Forbidden Characters</strong><br />";
echo "The string 'http' was not entered in the name or message fields.<br /><br />";
echo "<strong>Test 4: IP Test</strong><br />";
echo "The form was submitted by IP Address ", $ip1, "<br />";
echo "The processing script was called by IP Address ", $ip2, "<br />";
echo "The IP addresses and hashes match.";
echo "<br /><br />";
// HTML-escape the visitor's message before echoing it back
echo "Ohh... by the way... here is the message you entered: ", htmlspecialchars($message);
exit;
?>
There's also open_db.php, which is just the SQL login.
The only machine-generated vars passed openly are the bogus captcha value (which we want a robot to try to copy), and the unique_user hash (which will cause the script to die if tampered with, if it doesn't match when compared later in collector.php, or if used more than 300 seconds after it was generated).
Note that the error message echos are purely for testing and illustration. In a real form, the mailer would send the mail if all the tests were passed.
Comments?
Best,
Richard
|
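An added example, not part of the post above and not the poster's code: the server-stored part of this flow (token lookup, timing window, IP match) written with PDO prepared statements, a random token from `random_bytes`, and a single-use flag. An in-memory SQLite database stands in for the MySQL `requests` table; the `used` column, the function names and the sample values are assumptions of the example.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite database (PDO) stands in
// for the MySQL `requests` table; column names follow the thread, `used` is added here.
function open_requests_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE requests (
        unique_user TEXT PRIMARY KEY, start_time INTEGER, ip1 TEXT,
        used INTEGER DEFAULT 0, name TEXT, message TEXT)');
    return $db;
}

// initialize.php step: store the load time and IP server-side under a random token.
function record_form_load(PDO $db, string $ip, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO requests (unique_user, start_time, ip1) VALUES (?, ?, ?)')
       ->execute([$token, $now, $ip]);
    return $token;
}

// collector.php step: returns 'ok' or the name of the first test that failed.
function collect(PDO $db, array $post, string $ip, int $now): string
{
    $token = $post['unique_user'] ?? '';
    if (!is_string($token)) {
        return 'no-such-token';
    }
    $q = $db->prepare('SELECT start_time, ip1, used FROM requests WHERE unique_user = ?');
    $q->execute([$token]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no-such-token';
    }
    if ((int) $row['used'] === 1) {
        return 'token-reused';
    }
    $elapsed = $now - (int) $row['start_time'];
    if ($elapsed < 8 || $elapsed > 300) {
        return 'timing';
    }
    if ($row['ip1'] !== $ip) {
        return 'ip-mismatch';
    }
    // Bound parameters: quotes in name or message are stored as data, never parsed as SQL.
    $db->prepare('UPDATE requests SET used = 1, name = ?, message = ? WHERE unique_user = ?')
       ->execute([(string) ($post['name'] ?? ''), (string) ($post['message'] ?? ''), $token]);
    return 'ok';
}

// Constructed demo input: documentation-range address and a fixed clock value.
$db = open_requests_db();
$ip = '198.51.100.9';
$t0 = 1204076400;
$token = record_form_load($db, $ip, $t0);
$form = ['unique_user' => $token, 'name' => "O'Brien", 'message' => "It's down"];

$results = [
    'token containing quotes' => collect($db, ['unique_user' => "x' OR 'a'='a"] + $form, $ip, $t0 + 30),
    'submitted after 2 s'     => collect($db, $form, $ip, $t0 + 2),
    'valid submission'        => collect($db, $form, $ip, $t0 + 30),
    'same token replayed'     => collect($db, $form, $ip, $t0 + 40),
];
foreach ($results as $label => $result) {
    printf("%-24s %s\n", $label, $result);
}
printf("stored name: %s\n", $db->query('SELECT name FROM requests')->fetchColumn());
```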

02-27-08, 03:14
|
|
BOD Member
|
|
Join Date: Oct 2005
Posts: 117
|
|
Thanks Richard,
For the suggestion and also for the code provided by you. I will contact my web designer and ask him to use these codes in my script too.
|

02-27-08, 06:44
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
You're welcome. I suppose I'll package and GPL it once I'm satisfied with it.
One possible addition that comes to mind is some code that saves the exact test that any given submission fails, for statistical purposes. It adds to the dB size, but it would make future tweaks easier.
Richard
|

03-01-08, 08:19
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
By the way, if anyone is actually still interested in this, the reason for ending and restarting in collector.php is because I have something else in mind to do at that point in the script when I have a chance. Basically, I want to test against and update a shared database of banned IP addresses. But because I'm busy with other projects right now, I haven't gotten around to it.
Rich
|

03-19-08, 04:06
|
|
BOD Member
|
|
Join Date: Oct 2005
Posts: 117
|
|
Please let us know when you will make the changes in the script.
|

03-20-08, 04:07
|
|
BOD Member
|
|
Join Date: Jul 2007
Posts: 141
|
|
Hello Richard,
We are waiting for your reply.
|

03-20-08, 07:43
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
Hi everyone,
To be honest, I really haven't made any major changes to the code because it's worked perfectly so far in Alpha. I've cleaned it up a little, and I'll be creating another version of it that uses sessions instead of databases when the site I'm working on goes into production use; but the basic bot tests are all the same.
That's really why I haven't said anything else about it. Nothing has changed very much because the script works. No bots have gotten through, and there have been no false positives. So for now, I'm not going to check against a database of banned IP addresses because it's unnecessary and would just add overhead.
Also, I decided I can't really package and GPL the script because there's really nothing new there. Releasing it under the GPL would imply that I invented something new, which I didn't. All of the filters I used have been used by others already. I just strung them together using simple PHP code and ran all the tests back-to-back.
That's not something that is novel enough to copyright (or patent); and my basic test when deciding whether to GPL something is that if it's not original enough to be copyrighted or patented, then it's not original enough to be released under the GPL, either. Either one would imply that I created something unique, which I haven't in this case. The tests have all been used before. I'm just running them sequentially.
One change I do have in mind is to separate all the tests into separate scripts and modularize them by using includes in a controller script, this way new tests can be added (and troublesome ones deactivated) more easily.
The other significant change will be when I do away with the databases during the bot testing phases. On free accounts, all of those databases will be eliminated except for the one that holds the user data, and the bot testing scripts will use sessions and cookies to prevent the databases from getting  e and to improve performance and reliability.
On paid accounts, the databases will remain, because one of the features of paid accounts will be the ability to log in over the Web and view messages. And during Beta, all accounts will use databases to make testing and evaluation easier.
But once again, the basic script hasn't changed as of yet, which is why I haven't posted any updates. There's nothing to post. The script has worked perfectly so far in Alpha.
When I get the first site that uses this method ready for Beta (it's pretty close), I'll post a link, and people can sign up for free accounts and play. For the time being, though, I'm limiting Alpha testing to a very few people. The bot filtering works, but I'm still implementing more general security code, and I want to get that done before I open the site to public testing or post links to it.
Best,
Richard
|

03-21-08, 04:04
|
|
BOD Member
|
|
Join Date: Jul 2007
Posts: 141
|
|
Thanks Richard for this quick reply, I will try the above script given by you.
|

03-24-08, 22:18
|
|
BOD Member
|
|
Join Date: Jan 2008
Location: NYC
Posts: 94
|
|
Okay, in the interest of illustrating the application, this site uses a modified version of the script I posted earlier:
www.spamfreetext.com
I made some changes to the script to eliminate the database during the bot-testing phase by using session variables. I also used cookies, which allowed me to skip the IP-matching and unique-user tests, which were causing some problems in a few users' browsers (the hashes were getting truncated somehow, which caused authentication to fail). The cookie authentication is cleaner.
Rather than re-hash the whole script, basically what I did was start a session and assign session variables rather than insert and then select the data using a mySQL database. For example:
PHP Code:
<?php
session_start();
unset ($start_time, $ip1, $captcha, $unique_user);
$user_name = $_SESSION['user_name'];
$start_time = $_SESSION['start_time'] = time();
$ip1 = $_SESSION['ip1'] = $_SERVER['REMOTE_ADDR'];
$captcha = $_SESSION['captcha'] = rand(10000, 99999);
$unique_user = $_SESSION['unique_user'] = md5($start_time . "_" . $captcha);
and so forth.
I still use a database to store the user data and as a temporary record for troubleshooting problems during the Beta stage, but it's not involved in the bot testing anymore.
Best,
Richard
|

03-26-08, 05:02
|
|
BOD Member
|
|
Join Date: Jul 2007
Posts: 141
|
|
Thanx Richard once again.
|
All times are GMT -6. The time now is 11:55.