Form Validation Help..., Trying to stop spammers

Hello, this is my first post to this board. Thank you all for being here. Here is my question:

Within my html form, I would like to include a question that must be answered correctly in order for the form to be submitted. The purpose of the form is for musicians and artists to submit details of upcoming performances (venue name, date, time, etc.). Now since I’ve been getting a lot of spam through this, I’ve included the question of “Venue City?” Since my service only lists events in the city of Alexandria, VA, I want the field to only contain “Alexandria” to be successful. Other fields are also required, but not a specific entry. I’ve spent quite a few hours today searching Google for a solution with no luck. Keep in mind I’m not a professional programmer/coder. Is there a solution? Thanks in advance. ~John

Here is the link to that form:

Within the website:

There is no “solution” so to speak, its kinda like stopping graffiti. You can just make it harder and not worth the effort.

For example, if you keep track of when you show the form and when it is submitted, you can rule out form submissions that have too short or to long of an elapsed time.

Change the URL and form parameters frequently. I still get spam hits for a form whose URL doesn’t exist anymore.

Spam bots do not request images, CSS and JavaScript files.

:cool: -//- One-time [color=#6600CC]$50.00 discount[/color] on [color=#0000CC]DreamHost[/color] plans: Use ATROPOS7

John, if I understand you, you have two choices. Have the client validate the Venue prior to submitting the form and allow it to be submitted only if the Venue is correct. Or you could have the server validate the Venue when the form is submitted and reject it if the Venue is incorrect. The client side would involve javascript. That won’t work if the submitting agent is not a browser (eg a spamming robot) or the end-user has javascript turned off. Implementing the validation on the server would require something written in a scripting language (PHP or Perl, typically). Are you running a program on your server to process the form?


It looks to me like you’ve got a couple things to consider: security and form setup.

Setup: If the form should only include venues for Alexandria, make it a pulldown and include only “Alexandria” as an option. Either that, or don’t even offer the venue city and venue state. What’s the point if it must always be in Alexandria anyway? Narrow the form options to only those that are appropriate to your venue.

Security: Database their answers and include a contact email address and phone. Add a second step where they receive an email that includes a confirmation link. Once the confirmation link is clicked by them, add a third step that emails or IM’s you with a link to accept or reject the new venue. This way, you get only valuable information on your site, and you have control in three steps as to who can actually post a new venue or not.

Include an administrative back end for yourself so you can delete, edit or preview each venue.

For any that seem on the fence, call the phone number to verify and ask for more information. If the number is bogus, delete the venue before it even shows on your site. If the person sounds like they know what they’re talking about, accept the venue and it will be published.

Good luck!

I feel johndc1’s pain. I’m getting hammered by link spam from my own feedback form and thought validation might be a help. I use Dreamhost’s formmail because it’s supposedly relatively secure from being hijacked (I don’t want to be evicted for being a source of spam) and I’m afraid to use some random script I find that may offer validation or some other means to slow down the onslaught of ‘fake’ feedback, but leave me responsible for the security of the script, when I am largely clueless.

OK, back to googling this dilemma.

Formmail isn’t very secure anymore. It’s pretty old.
If you don’t understand any scripting languages, it’s going to be difficult to produce a form that will do what you need.

If you are clueless, it may be better to simply to leave off forms or pay someone to do it for you.

Good luck.

OK, I’ve got a different sort of idea:

Are the spam submissions “valid” submissions? Do they have all the fields filled out, etc? Do the fields have valid values in them?

If not, you could add simple validation to the form submission script. This is appealing because it is actually a helpful part of your user interface, yet will reduce the amount of spam that you get.

Free unique IP and $67 off with code [color=#CC0000]LMIP67[/color] or use [color=#CC0000]LM97[/color] for $97 off. Click for other Dreamhost coupons / promo codes

Nobody answered your question yet, but that’s no wonder because we can only see the page as it shows up in a browser, not the server-side code (Ruby or PHP or whatever you’re using). What you’re trying to do is a basic form of CAPTCHA. You just need to compare the field value to “Alexandria” on the page the form directs to, and if it doesn’t match, redirect to the form and show an error message. If you say what server-side language you’re using, I’m sure someone can help you. You must do it on the server, not in javascript as spammers can circumvent this.

I’m sure there are prefabricated solutions for text captchas, as in copy-and-paste code. Anyone have an URL handy?

As to the general question of form spam, I’ve found Akismet quite useful. It involves sending messages to that company’s server so I only use it for stuff that is public anyway, not for email or internal data. When Akismet says something is spam I redirect to a CAPTCHA. I don’t use CAPTCHAs as a first step because they’re annoying and keep people from posting. (I don’t require name or email either - if people want to be anonymous it’s fine, and if you force them to enter email addresses all you get is a lot of fakes.)