OxAlto Design: web and print


Revisiting Form Spam

After having the code outlined in my previous post deployed for a while, I thought I'd share some points which have come up.

The form is still working (for me at least!) - the only odd behaviour I got at first was this - which I got from the error handling in my application:

14-11-07 : 19:55 - "{ts" is an invalid date or time string.

What was happening here? I started logging ALL the form submissions, to see if there were any common traits - I was particularly interested in the "hidden" timestamp field; after all, if the form was submitted properly, it shouldn't really have been an issue.

What I found was that the spam bots were unintelligently replacing ALL the form fields, hidden or not, with junk.

So my nice hidden form field which should have read:

<input name="timeloaded" id="timeloaded" type="hidden" value="{ts '2007-11-16 09:50:39'}" />

Was being replaced with:

<input name="timeloaded" id="timeloaded" type="hidden" value="{ts <br>spamMe@domain.com<br>" readonly="yes" />

As I'm not checking to see whether the TimeStamp was a valid one, it was triggering the global error handling. The question is now whether to change this - but I don't think I will. The spam bots seem quite happy tripping up on it, and it's only because it's throwing an error that I even noticed it - but I'm just surprised that THAT is what is stopping the spam, rather than all the other bits!

Go figure... :)
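One way to turn the accidental error described above into an explicit server-side check on the hidden `timeloaded` field. This is an added example, not code from the original post or the site; the function name, the thresholds and the choice of Python are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Strict pattern for the literal the form emits, e.g. {ts '2007-11-16 09:50:39'}
TS_LITERAL = re.compile(r"\{ts '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'\}")

# Assumed thresholds (not from the post); tune them to the form in question.
MIN_FILL_TIME = timedelta(seconds=3)   # a person needs at least this long
MAX_FORM_AGE = timedelta(hours=2)      # stale or replayed page loads

def classify_submission(timeloaded, now):
    """Return (verdict, reason) for the submitted hidden field value."""
    if timeloaded is None:
        return "reject", "field missing"
    match = TS_LITERAL.fullmatch(timeloaded.strip())
    if match is None:
        # Bots that overwrite every field, hidden or not, end up here.
        return "reject", "not a timestamp literal"
    try:
        loaded = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        # Right shape, impossible value (month 13, hour 25, ...).
        return "reject", "impossible date or time"
    elapsed = now - loaded
    if elapsed < timedelta(0):
        return "reject", "timestamp in the future"
    if elapsed < MIN_FILL_TIME:
        return "reject", "submitted too quickly"
    if elapsed > MAX_FORM_AGE:
        return "reject", "form too old"
    return "accept", "ok"

if __name__ == "__main__":
    # Constructed sample submissions; the first two values are the ones
    # quoted in the post, the clock time is made up for the demo.
    now = datetime(2007, 11, 16, 9, 51, 30)
    samples = [
        "{ts '2007-11-16 09:50:39'}",
        "{ts <br>spamMe@domain.com<br>",
        "{ts '2007-11-16 09:51:29'}",
        None,
    ]
    for value in samples:
        print(repr(value), "->", classify_submission(value, now))
```

The field is supplied by the client, so this filters bots that fill fields carelessly; it does not prove when the page was actually loaded.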
