Guestbook spam protection

Hello everyone,

I have created a simple guestbook for my bandsite (http://www.thefirm - As you might expect, some spambots have jumped on it as
soon as it went online. At the moment, I've put the following measures
in place:
- Protection against XSS attacks, SQL injections, etc...
- Check the IP address - if the origin is abroad, the post is inactive
and needs approval by a moderator (me).

Currently I have to delete 25 spam posts /day which is getting a
little ridiculous. I'm looking for a much better solution.

Already found solutions (which I won't use)
- CAPTCHA - I don't want to punish every visitor for having those
spambots. It's not that safe either. I prefer not using this kind of
- Make a dynamic image (php-file outputting the image) store a
variable in the session. Problem is that images are cached by the
browser, making it usable only the first time the user visits the
- Have a javascript function alter some hidden value in the form.
Haven't tried this yet...
- Found several "commercial" solutions where the form is being
encrypted. Haven't tried this yet either...

Thanks for your help

Re: Guestbook spam protection

Mathieu Maes contained the following:


I don't allow links or URLs.  I have a banned word list and so far I
haven't had to add more than three words 'http://' ' www.' and '<'.  Any
one who legitimately needs to post a link can always write
www[dot]example[dot]com, but that's no advantage to spammers who simply
want to get links published.

I've also been experimenting with an enquiry form that used to get
spammed.  I've added a secret field, hidden by CSS.

<label for='secret_field' style='display:none'>Please leave blank
<input type='text' id='secret_field' name='secret_field' /></label>

Bots will usually either leave it out or fill it with garbage and so I
check for this like so:-

// at the moment I'm prepending the resultant email's subject
// with [SPAM] but eventually may just silently drop it.
if (!isset($_POST['secret_field']) || trim($_POST['secret_field']) !== '')
    $subject = '[SPAM] ' . $subject;


Geoff Berrow

Re: Guestbook spam protection

On Thu, 03 Jul 2008 10:19:43 +0100


In our organization, we have a number of different "contact us" forms.
Our ASP.NET developer tends to use the hidden field method you
described with success.  On my PHP pages, I sometimes use the same
method, but in some cases I've added a little arithmetic captcha
something like the following.  Get two random integers less than 10,
and ask the user to sum them.

<?php
session_start();
// Create the session variables for the math problem
$_SESSION['n1'] = rand(1,9);
$_SESSION['n2'] = rand(1,9);
?>
<label for='math'>
    What is  <?php echo $_SESSION['n1'] . " + " .$_SESSION['n2']; ?>
</label> <input id='math' type='text' name='math' />

I know CAPTCHAs were to be avoided in the original post, but this one
is so trivial. (Though it might keep out first graders).  I've never
had spam on one of these forms except for the occasional manually
entered list of links once or twice a year.
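As an added example that is not code from either poster, here is the hidden-field check from Geoff's post and the n1 + n2 check above combined into one server-side PHP function; 'secret_field' and 'math' are the field names used in the thread, the banned-word list is the one Geoff quoted, and the $session array stands in for $_SESSION so the function can be run without a live session.

```php
<?php
// Added example (not code from the thread): one server-side function that
// applies the hidden 'secret_field' honeypot from Geoff's post, the n1 + n2
// sum from the follow-up, and the banned-word list, returning the reason a
// post was rejected or null when it looks human. Field names 'secret_field'
// and 'math' are from the thread; $session stands in for $_SESSION so the
// function can be exercised without a running session.
function classifySubmission(array $post, array &$session, array $banned): ?string
{
    // Honeypot: a browser submits the hidden field empty; bots omit or fill it.
    if (!array_key_exists('secret_field', $post)) {
        return 'honeypot missing';
    }
    if (trim((string) $post['secret_field']) !== '') {
        return 'honeypot filled';
    }

    // Arithmetic check. The expected answer is consumed on the first attempt,
    // so a correct answer captured once cannot be replayed against the same session.
    if (!isset($session['n1'], $session['n2'])) {
        return 'no question issued';
    }
    $expected = (int) $session['n1'] + (int) $session['n2'];
    unset($session['n1'], $session['n2']);
    $answer = trim((string) ($post['math'] ?? ''));
    if (!ctype_digit($answer) || (int) $answer !== $expected) {
        return 'wrong answer';
    }

    // Banned-word filter from the thread: reject links and raw markup outright.
    $message = strtolower((string) ($post['message'] ?? ''));
    foreach ($banned as $word) {
        if (strpos($message, strtolower($word)) !== false) {
            return 'banned word: ' . $word;
        }
    }
    return null;
}

// Constructed sample submissions, not real guestbook traffic.
$banned  = ['http://', 'www.', '<'];
$session = ['n1' => 4, 'n2' => 7];
$human   = ['secret_field' => '', 'math' => '11', 'message' => 'Great gig last night!'];
var_dump(classifySubmission($human, $session, $banned));
$session = ['n1' => 4, 'n2' => 7];
$bot     = ['secret_field' => '', 'math' => '11', 'message' => 'see www.example.com'];
var_dump(classifySubmission($bot, $session, $banned));
```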

Re: Guestbook spam protection


Thanks for all replies so far! I like the banned words list and hidden
input fields, I'll give that a try for sure!

The main goal for me personally is to avoid spam, but I don't want to
annoy the "normal" visitors with security features. I know my visitors
are very simple people, to say the least. If I show the guestbook to
my mom, she will just mock me because she needs to answer a simple sum
to sign a guestbook :-)

On that topic, I've seen more creative captchas using images. I could
show 9 pictures from our band and ask the user to click 3 pictures
from the drummer for example. (Idea came from KittenAuth - )

Requiring users to confirm their post by email would scare some people
because they don't want to give their email.

Re: Guestbook spam protection


IME the captcha scares people off too, especially neophytes or those in
a hurry if they have to squint etc. to figure out the
distorted/over-lined/hidden in colors etc. characters, especially the
visually challenged and color blind.  For things like guest books you
want to make it as easy as you can but still keep some security too.
IMO a simple expansion on your original idea might be a better
solution, only use a random-length, random number and allow the digits
to go negative (e.g. mt_rand(-99, 00)).  Print them in the clear and use
those plus a related question; maybe the number of digits in the code or
something, to add a further layer to it.  Or just ask for the middle 3
numbers, etc. of the code instead of the whole thing; lots of things one
could do.

HTH, just my thoughts for the moment.
