Revisiting Form Spam

After having the code outlined in my previous post deployed for a while, I thought I’d share some points which have come up.

The form is still working (for me at least!) – the only odd behaviour I got at first was this – which I got from the error handling in my application:

14-11-07 : 19:55 – “{ts” is an invalid date or time string.

What was happening here? I started logging ALL the form submissions, to see if there were any common traits – I was particularly interested in the “hidden” timestamp field; after all, if the form was submitted properly, it shouldn’t really have been an issue.

What I found was that the spam bots were unintelligently replacing ALL the form fields, hidden or not, with junk.

So my nice hidden form field which should have read:

<input id="timeloaded" name="timeloaded" type="hidden" value="{ts '2007-11-16 09:50:39'}" />

Was being replaced with:

<input id="timeloaded" name="timeloaded" readonly="readonly" type="hidden" value="{ts &lt;br&gt;;br&gt;" />

As I’m not checking to see whether the TimeStamp was a valid one, it was triggering the global error handling. The question is now whether to change this – but I don’t think I will. The spam bots seem quite happy tripping up on it, and it’s only because it’s throwing an error that I even noticed it – but I’m just surprised that THAT is what is stopping the spam, rather than all the other bits!

Go figure… :)
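One way to handle the junk timeloaded values on the server without falling through to the global error handler, as an added example that is not code from this post: it parses the {ts '...'} value strictly and returns a named rejection reason instead of raising. The choice of Python, the function names and the two time thresholds are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Strict shape of the hidden field as rendered in the post: {ts 'YYYY-MM-DD HH:MM:SS'}
TS_FIELD = re.compile(r"\{ts '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'\}")

# Hypothetical thresholds, not taken from the post.
MIN_FILL_TIME = timedelta(seconds=3)
MAX_FORM_AGE = timedelta(hours=2)


def parse_timeloaded(raw):
    """Return the datetime carried in the hidden field, or None if it is not well formed."""
    match = TS_FIELD.fullmatch(raw.strip()) if isinstance(raw, str) else None
    if match is None:
        return None
    try:
        return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError:  # right shape but impossible date, e.g. month 13
        return None


def classify_submission(form, now):
    """Classify one POST as 'ok' or a rejection reason; never raises on bad input."""
    loaded = parse_timeloaded(form.get("timeloaded"))
    if loaded is None:
        return "rejected: timeloaded malformed"
    elapsed = now - loaded
    if elapsed < timedelta(0):
        return "rejected: timeloaded in the future"
    if elapsed < MIN_FILL_TIME:
        return "rejected: submitted too quickly"
    if elapsed > MAX_FORM_AGE:
        return "rejected: form too old"
    return "ok"


if __name__ == "__main__":
    now = datetime(2007, 11, 16, 9, 51, 30)  # constructed "current time"
    samples = [  # the first two values are the ones shown in the post
        {"timeloaded": "{ts '2007-11-16 09:50:39'}"},
        {"timeloaded": "{ts &lt;br&gt;;br&gt;"},
        {"timeloaded": "{ts '2007-13-40 09:50:39'}"},  # constructed
        {},  # constructed: field missing entirely
    ]
    for form in samples:
        print(form.get("timeloaded"), "->", classify_submission(form, now))
```

The field is client-controlled, so this only filters bots that overwrite it with junk or submit instantly; it does not prove the timestamp is genuine.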