Spam Problem with Contact Form (php)

[Tjdunklee]

I recently built a contact form for my employers corporate site and it was fine until a week or so ago.  Suddenly I started getting tons of SEO spam from various different bots it seems.  I immediately installed a reCaptcha and also a blank dummy field to try and catch spammers.  Neither of these items seemed to work so I made a list ditch effort to try and make a "no-javascript" catch since most bots can't use javascript.  This didn't work either!  Any ideas what I could do from this point, I'm kind of limited by GoDaddy's hosting which doesn't allow my to use the standard mail() function.  I have to use some of their code to make the php mail work...  Here is the current code I am using.  Could somebody please give me a suggestion about what I am doing wrong?  I'm fairly new to PHP.  Thank you in advance! 

 

Both of these files are missing the reCaptcha keys for my security.  I promise I usually have them in there.

 

Contact.php - I left out the Javascript in the header which removes the "spambot" input field if Javascript is enabled.

<div class="pageDetail">
				<?php
					if (isset($_GET['success'])) 
					{
						$success = $_GET['success'];
							if($success=="yes")
							{
								echo '<p class="yay">Thank you for submitting your message! We will get back to your as soon as possible.</p>';
							}
							if($success=="spam")
							{
								echo '<p class="oops">Sorry, your message did not send.</p>';
							}
					}
				?>
				<form action="contactAction.php" method="post" id="contact" name="contact">
					<fieldset>
						<legend><h2>Contact DigitalTown</h2></legend>
						<input type="hidden" name="subject" value="Form Submission" />
						<input type="hidden" name="redirect" value="contact.php?success=yes" />
						<label for="name">Name</label>
						<input type="text" id="name" name="name" class="required" minlength="2"/>

						<label for="email">E–mail</label>
						<input type="text" id="email" name="email" class="required email"/>

						<label for="message">Message</label>
						<textarea id="message" name="message" cols="50" rows="10" class="required"></textarea>

						<label>Special</label>
						<div class="security">
							<?php
							require_once('recaptchalib.php');
							$publickey = " My Public Key is in here"; // you got this from the signup page
							echo recaptcha_get_html($publickey);
							?>
						</div>
						<input type="text" name="question" class="question" value="">
						<input class="spam" name="spambot" type="hidden" value="contact.php?success=spam" />
						<button type="submit">Send</button>

					</fieldset>
				</form>
			</div>

 

contactAction.php

<?php
if (isset($_POST['spambot'])) {
    // redirect user to location specified in spambot
    header("Location: http://" . $_SERVER["HTTP_HOST"] . "/" . $_POST['spambot']);
    die();
}

if(!empty($_POST['question']))
{ 
die('Something went wrong, please try again.'); 
}
else
{
/* start recaptcha code */
require_once('recaptchalib.php');
$privatekey = "My Private key is here";
$resp = recaptcha_check_answer ($privatekey,
								$_SERVER["REMOTE_ADDR"],
								$_POST["recaptcha_challenge_field"],
								$_POST["recaptcha_response_field"]);

	if (!$resp->is_valid) 
	{
		die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
		"(reCAPTCHA said: " . $resp->error . ")");
	}
	else
	{
		$request_method = $_SERVER["REQUEST_METHOD"];
		if($request_method == "GET")
		{
			$query_vars = $_GET;
		} 
		elseif ($request_method == "POST")
		{
			$query_vars = $_POST;
		}

		reset($query_vars);
		$t = date("U");
		$file = $_SERVER['DOCUMENT_ROOT'] . "\ssfm\gdform_" . $t;
		$fp = fopen($file,"w");

		while (list ($key, $val) = each ($query_vars)) 
		{
			fputs($fp,"<GDFORM_VARIABLE NAME=$key START>\r\n"); 
			fputs($fp,"$val\r\n");
			fputs($fp,"<GDFORM_VARIABLE NAME=$key END>\r\n");
			if ($key == "redirect") 
			{ 
				$landing_page = $val;
			}
		}

		fclose($fp);

		if ($landing_page != "")
		{
			header("Location: http://".$_SERVER["HTTP_HOST"]."/$landing_page");
		} 
		else 
		{
			header("Location: http://".$_SERVER["HTTP_HOST"]."/");
		}
	}
/* end recaptcha code */
} 
?>

[Daniel0]

It's probably humans filling out your form. Humans tend to pass a "Completely Automated Public Turing test to tell Computers and Humans Apart" (aka CAPTCHA).

[Tjdunklee]

It's probably humans filling out your form. Humans tend to pass a "Completely Automated Public Turing test to tell Computers and Humans Apart" (aka CAPTCHA).

 

Oh man, that is not good news.  I was wondering that myself since nothing seems to be working to keep them out.  I'm getting 20-30 spam emails a day about this....  Is there a way I could at least filter them if they mention "SEO" or "White-hat techniques?"

[Daniel0]

You could try services like Akismet, which use various heuristics for detecting spam instead of trying to prevent it.

[Tjdunklee]

Thanks, I have used that for some WordPress sites I run but I've never applied it to a hand-coded site.  I'll check it out, didn't even think of that.

[Tjdunklee]

I haven't gotten too far in implementing Askimet yet, but I have quick question.  These must be still bots that are spamming my site because I'm getting 40 emails per day about the exact same thing.  How are they getting through all of these security measures?  Is it because I am not stripping tags from the PHP variables?  How could I do that?  Thanks for helping a newbie again.

 

Here is an examples of the Spam I'm getting..  They are all SEO related.

 

email: anthonyburgess23@gmail.com

message: SEO,,Do you wish you could increase your online leads?,,Getting a GUARANTEED 1ST PAGE GOOGLE RANKING is easier and more cost-effective than you might think.,We have helped a lot of businesses thrive in this market and we can help you!?Simply hit reply and I?ll share with you the cost and the benefits See you at the top!

name: Anthony Burgess

[Tjdunklee]

I finally got off my butt and installed Akismet.  It solved all my spam problems I was having.  Thanks for the idea!  RESOLVED.