Comments on: Spammers ruin everything: how do I stop them from abusing mailing list signups?

Question: Spammers ruin everything: how do I stop them from abusing mailing list signups?

chrominance — Tue, 03 Jun 2008 09:45:12 -0800

On our website, we've got a little one-field form where people can fill in their e-mail address and sign up for our mailing list. The form seems to now be the target of spammer-hacker bastards, and random people are complaining about being signed up for a list they've never heard of. What should we do, besides take down the form altogether? The only thing that comes to mind is a captcha (but that adds another step to what should be a one-step process).

The list is administered by mailman, and it sends out confirmation e-mails before it signs anyone up. There's no way to add text to the automated mails so it shouldn't be the target of spammers. Nevertheless, it seems someone's using the form as a way to pester random people with (potentially lots of) confirmation e-mails. One of the goals with the very simple form was to make it easy for people to sign up; we'd rather not have to tell people to send arcane e-mail messages to a mailman address to sign up—and in any case, would that really solve the problem? Isn't that just as open to abuse? Captchas are at least a workable permanent solution, but I'd prefer something more accessible and easier to use. Nothing comes to mind.

Spammers ruin everything.

By: littleme

littleme — Tue, 03 Jun 2008 09:58:43 -0800

One trick that seems to work reasonably well is to include an extra, hidden form field. (Use CSS to hide it.) Automatic software just fills in all the form fields it finds then submits the form, so your back-end software can check: if the hidden field is filled in, it's a spambot; if it's not, it's likely to be a real person.

By: me & my monkey

me & my monkey — Tue, 03 Jun 2008 10:01:18 -0800

CAPTCHAs are lousy solutions as far as accessibility. I'd recommend something simpler. You could, for example, simply ask the user to type something that an automated process couldn't provide. For example, you could ask the user to type the sum of five plus three, or type in the name of the animal in this sentence, etc.

For more formal solutions for this sort of problem, there's a library for ColdFusion programmers called CFFORMPROTECT. It uses a series of tests to calculate whether an entry is spam or not. While your site might not be using ColdFusion, you could certainly implement some or all of the functionality contained within the library for your own environment.

By: disillusioned

disillusioned — Tue, 03 Jun 2008 10:03:09 -0800

Yeah, asking something simple like "what color is the sky" really helps with that. It's a two-step process, but it's a pretty darn effective one.

Also: blocking everything from Russia. :-p

By: missmagenta

missmagenta — Tue, 03 Jun 2008 10:18:38 -0800

I use a number of different methods for blocking spammers.

1. Use a hidden form (I hide it with html comments) that doesn't actually send an email/do the required action - I was suprised at the number of bots filled it in.
2. Use a hidden field with a value to be verified
3. Either set the value of a hidden field with javascript or use javascript to write the submit button - this does affect some users - the approx 6% of users that don't have it or have it turned off vs nearly 100% of bots.

These 3 things keep me 100% spam free.

By: adamrice

adamrice — Tue, 03 Jun 2008 10:21:37 -0800

There are a few passive tricks that are used to differentiate humans from bots. Littleme mentioned one above.

Another is to insert a bit of javascript that, say, adds two numbers on load and posts the sum in the form as a hidden field. Most bots do not have javascript interpreters, so they'll fail this test. Not many people aren't using javascript these days, although you will get some number of false-positives. Ideally you'd want the terms generated on the fly, so a bot couldn't re-use one lucky hit.

Another is to check the time elapsed between when the page was loaded and when the form was posted. If it's less than, say, 5 seconds, it's a bot.

By: sero_venientibus_ossa

sero_venientibus_ossa — Tue, 03 Jun 2008 11:04:16 -0800

you could just use something like this. yeah captcha is a drag, but so is tons of spam.

By: chrominance

chrominance — Thu, 05 Jun 2008 00:58:20 -0800

So I had the form redirect all e-mails to me, instead of our mailman instance, and strangely there's been practically no traffic—just one legitimate signup, and nothing else. So perhaps it was a false alarm. Nevertheless, I'm going to try some of the less obtrusive measures and keep the ones requiring user input in mind if the problem resurfaces or grows.