Spammers ruin everything: how do I stop them from abusing mailing list signups?
June 3, 2008 9:45 AM
On our website, we've got a little one-field form where people can fill in their e-mail address and sign up for our mailing list. The form seems to now be the target of spammer-hacker bastards, and random people are complaining about being signed up for a list they've never heard of. What should we do, besides take down the form altogether? The only thing that comes to mind is a captcha (but that adds another step to what should be a one-step process).
The list is administered by mailman, and it sends out confirmation e-mails before it signs anyone up. There's no way to add text to the automated mails so it shouldn't be the target of spammers. Nevertheless, it seems someone's using the form as a way to pester random people with (potentially lots of) confirmation e-mails. One of the goals with the very simple form was to make it easy for people to sign up; we'd rather not have to tell people to send arcane e-mail messages to a mailman address to sign up—and in any case, would that really solve the problem? Isn't that just as open to abuse? Captchas are at least a workable permanent solution, but I'd prefer something more accessible and easier to use. Nothing comes to mind.
Spammers ruin everything.
CAPTCHAs are lousy solutions as far as accessibility. I'd recommend something simpler. You could, for example, simply ask the user to type something that an automated process couldn't provide. For example, you could ask the user to type the sum of five plus three, or type in the name of the animal in this sentence, etc.
posted by littleme at 9:58 AM on June 3, 2008 [1 favorite]
For more formal solutions for this sort of problem, there's a library for ColdFusion programmers called CFFORMPROTECT. It uses a series of tests to calculate whether an entry is spam or not. While your site might not be using ColdFusion, you could certainly implement some or all of the functionality contained within the library for your own environment.
posted by me & my monkey at 10:01 AM on June 3, 2008
Yeah, asking something simple like "what color is the sky" really helps with that. It's a two-step process, but it's a pretty darn effective one.
Also: blocking everything from Russia. :-p
posted by disillusioned at 10:03 AM on June 3, 2008
Best answer: I use a number of different methods for blocking spammers.
1. Use a hidden form (I hide it with html comments) that doesn't actually send an email/do the required action - I was surprised at the number of bots that filled it in.
2. Use a hidden field with a value to be verified
3. Either set the value of a hidden field with javascript or use javascript to write the submit button - this does affect some users - the approx 6% of users that don't have it or have it turned off vs nearly 100% of bots.
These 3 things keep me 100% spam free.
posted by missmagenta at 10:18 AM on June 3, 2008 [1 favorite]
Best answer: There are a few passive tricks that are used to differentiate humans from bots. Littleme mentioned one above.
Another is to insert a bit of javascript that, say, adds two numbers on load and posts the sum in the form as a hidden field. Most bots do not have javascript interpreters, so they'll fail this test. Not many people aren't using javascript these days, although you will get some number of false-positives. Ideally you'd want the terms generated on the fly, so a bot couldn't re-use one lucky hit.
Another is to check the time elapsed between when the page was loaded and when the form was posted. If it's less than, say, 5 seconds, it's a bot.
posted by adamrice at 10:21 AM on June 3, 2008
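Putting littleme's typed-answer question, missmagenta's hidden fields and adamrice's JavaScript sum and timing checks together as one server-side guard, as an added example that is not code from any poster in this thread. It is plain Python with the standard library only. It assumes the signup page embeds the returned hidden fields (`token`, an empty honeypot field named `website`) and that a small script on the page writes `js_term_a + js_term_b` into a `js_sum` field on load; the question bank and the secret key are constructed for the example. The expected sum is never put in the page or the token in the clear, only inside the HMAC, so a submission has to supply the right sum rather than copy it back.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed for this example; in practice load the key from configuration.
SECRET_KEY = b"example-secret-key-change-me"

MIN_SECONDS = 5        # adamrice's "faster than 5 seconds is a bot" threshold
TOKEN_MAX_AGE = 3600   # a rendered form is good for an hour, then it expires

# Constructed question bank in littleme's style: (question shown, expected answer).
QUESTIONS = [
    ("What is five plus three? (write the number)", "8"),
    ("What colour is a clear daytime sky?", "blue"),
    ("Which animal says 'meow'?", "cat"),
]


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now: Optional[float] = None) -> Dict[str, object]:
    """Called when the signup page is rendered (GET).

    Returns the values to embed in the form: a signed token, the two numbers
    the page's JavaScript must add, and the question to show. The token binds
    issue time, a nonce and the question id; the JavaScript sum is folded into
    the signature only, so nothing is stored server-side and a bot cannot
    replay one lucky hit against a different token.
    """
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    a, b = secrets.randbelow(10) + 1, secrets.randbelow(10) + 1
    qid = secrets.randbelow(len(QUESTIONS))
    sig = _sign(f"{issued}:{nonce}:{qid}:{a + b}")
    return {
        "token": f"{issued}:{nonce}:{qid}:{sig}",
        "js_term_a": a,
        "js_term_b": b,
        "question": QUESTIONS[qid][0],
    }


def check_submission(fields: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate a posted signup form (POST) before anything reaches mailman.

    `fields` holds 'email', the hidden 'website' honeypot, the signed 'token',
    'js_sum' (filled in by the page's script) and 'answer' to the question.
    Returns (accepted, reason) so rejections can be logged and counted.
    """
    now = now if now is not None else time.time()

    # 1. Honeypot: a field humans never see must come back empty.
    if fields.get("website", "").strip():
        return False, "honeypot filled"

    # 2. Hidden field with a verifiable value: parse the signed token.
    parts = fields.get("token", "").split(":")
    if len(parts) != 4 or not parts[0].isdigit() or not parts[2].isdigit():
        return False, "malformed token"
    issued_s, nonce, qid_s, sig = parts

    # 3. Timing: reject anything posted faster than a human could type an address,
    #    and anything posted against a stale form.
    elapsed = now - int(issued_s)
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > TOKEN_MAX_AGE:
        return False, "token expired"

    # 4. JavaScript challenge: recompute the signature with the submitted sum.
    #    A wrong sum or a tampered token both fail here.
    js_sum = fields.get("js_sum", "").strip()
    if not hmac.compare_digest(_sign(f"{issued_s}:{nonce}:{qid_s}:{js_sum}"), sig):
        return False, "token/sum mismatch"

    # 5. Typed answer to the human-readable question bound to this token.
    qid = int(qid_s)
    if qid >= len(QUESTIONS):
        return False, "malformed token"
    if fields.get("answer", "").strip().lower() != QUESTIONS[qid][1]:
        return False, "wrong answer"

    # 6. Minimal sanity check on the address before it is handed to the list.
    email = fields.get("email", "").strip()
    if "@" not in email or " " in email:
        return False, "invalid email"
    return True, "ok"


if __name__ == "__main__":
    issued = issue_form_token()
    print("Embed in form:", issued)
```

On GET, render `token` and an empty `website` input as hidden fields, show `question`, and have the page script put the two terms' sum into `js_sum`; on POST, call `check_submission` and only pass accepted addresses to mailman. As adamrice notes, a bot that parses the two terms off the page can still add them, so the sum is a filter rather than a proof; the typed question is the layer that actually needs a person. Per-address rate limiting of confirmation mails is a complementary measure worth adding on top, since the complaint here is about repeated confirmation mail rather than completed subscriptions.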
you could just use something like this. yeah captcha is a drag, but so is tons of spam.
posted by sero_venientibus_ossa at 11:04 AM on June 3, 2008
Response by poster: So I had the form redirect all e-mails to me, instead of our mailman instance, and strangely there's been practically no traffic—just one legitimate signup, and nothing else. So perhaps it was a false alarm. Nevertheless, I'm going to try some of the less obtrusive measures and keep the ones requiring user input in mind if the problem resurfaces or grows.
posted by chrominance at 12:58 AM on June 5, 2008