    • 18367
    • 834 Posts
    I've just installed Formit and am getting the inevitable spam, so I've been trawling the forums to see what the latest is on preventing Form spam.

    Quite like this idea http://www.stevedawson.com/scripts/contact-form.php

    just have to figure out how to incorporate it in Formit.

    This looks interesting as well http://www.netcrafted.com/how-to-stop-email-injection-in-your-php-form/

    Although, not being a programmer I don't know if they are useful.

    Might also look at using hidden fields.

    Anyone else got any suggestions?

    PS Please don't say captchas, if the BBC has emphatically said we shouldn't use them, then that's good enough for me.

    Thanks



      Content Creator and Copywriter
      • 18367
      • 834 Posts
      I'm wondering if I could use this parameter from http://rtfm.modx.com/display/ADDON/FormIt.Validators somehow

      name  | function        | parameter | example
      blank | Is field blank? |           | nospam:blank

      although not quite sure how to implement it.

      Any suggestions?

      Thanks
        Content Creator and Copywriter
        • 6629
        • 60 Posts
        You just add a hidden field to your form and check if it's empty:

        [[!FormIt? &validate=`myHiddenField:blank`]]
        
        <form>
          <input type="hidden" name="myHiddenField" value="" />
        </form>
        

        To take this further, give your hidden field a name which is likely to be filled by a simple bot (e.g. username, email or something like this).

        Although it is sort of a captcha, I've had good experiences with the math-hook.
        Using the math-hook with totally random parameter-names stopped all spam on sites where I've used this.
        [[!FormIt?
        &hooks=`math`
        &mathOp1Field=`nwerlenrpq`
        &mathOperatorField=`qowuecnqpw`
        &mathOp2Field=`qwtebcqeiu`
        &mathField=`lewkrucneur`
        &validate=`lewkrucneur:required`
        ]]
        
        <form>
          <label>[[!+fi.nwerlenrpq]] [[!+fi.qowuecnqpw]] [[!+fi.qwtebcqeiu]]?</label>
          <input type="text" name="lewkrucneur" value="[[!+fi.lewkrucneur]]" />
          <input type="hidden" name="nwerlenrpq" value="[[!+fi.nwerlenrpq]]" />
          <input type="hidden" name="qwtebcqeiu" value="[[!+fi.qwtebcqeiu]]" />
          <input type="hidden" name="qowuecnqpw" value="[[!+fi.qowuecnqpw]]" />
        </form>
        
          • 18367
          • 834 Posts
          DasItsch

          Sorry to be slow on this, but I tried it and the form didn't work. Probably 'cos I haven't done something right. I'm not that familiar with forms and FormIt.

          Anyway, here's what I tried. confirmemail is the hidden part.

            &validate=`name:required:minLength=`2`,
          	     email:email:required,
          	      message:required,
                       confirmemail:blank`


          <input type="hidden" name="confirmemail" value="" />


          The page just reloads on submit, which I guess means it's working on one level, but how do legitimate users avoid the hidden field trap?

            Content Creator and Copywriter
            • 6629
            • 60 Posts
            There's an error in your parameter syntax. When using the minLength-validator, you have to use a caret ( ^ ) instead of the grave accent ( ` ) to specify the value:
            &validate=`name:required:minLength=^2^,
                       email:email:required,
                       message:required,
                       confirmemail:blank`
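
An added example (not part of either post, and not FormIt's own code): a simplified Python model of the `&validate` rules discussed above, showing the `confirmemail:blank` honeypot rejecting a submission that fills the hidden field, and the caret form `minLength=^2^` from the correction. The parser, the error strings and the sample submissions are constructed for illustration.

```python
import re

# Simplified model of a FormIt-style &validate string. Assumption: this is
# not FormIt's parser, only enough of the syntax to show the two points above.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_rules(validate):
    """Split 'field:rule:rule=^arg^, ...' into {field: [(rule, arg), ...]}."""
    if "`" in validate:
        # The correction above says validator values take carets, not
        # backticks; this model refuses the backtick form outright.
        raise ValueError("backtick inside &validate value; use ^value^")
    rules = {}
    for chunk in validate.split(","):
        field, *validators = [p.strip() for p in chunk.strip().split(":")]
        parsed = []
        for v in validators:
            name, _, arg = v.partition("=")
            parsed.append((name, arg.strip("^") or None))
        rules[field] = parsed
    return rules

def validate_post(validate, post):
    """Return {field: error} for a submission; an empty dict means accepted."""
    errors = {}
    for field, validators in parse_rules(validate).items():
        value = post.get(field, "").strip()
        for name, arg in validators:
            if name == "required" and not value:
                errors[field] = "required"
            elif name == "email" and value and not EMAIL_RE.match(value):
                errors[field] = "not an email address"
            elif name == "minLength" and len(value) < int(arg or 0):
                errors[field] = "too short"
            elif name == "blank" and value:
                errors[field] = "honeypot filled"  # hidden field was not empty
    return errors

RULES = ("name:required:minLength=^2^, email:email:required, "
         "message:required, confirmemail:blank")

# Constructed sample submissions: a person never sees the hidden field,
# a simple form-filling bot puts a value in every input it finds.
HUMAN = {"name": "Mark", "email": "mark@example.com",
         "message": "Hi", "confirmemail": ""}
BOT = dict(HUMAN, confirmemail="iAmSpam")

if __name__ == "__main__":
    print("human:", validate_post(RULES, HUMAN))
    print("bot:  ", validate_post(RULES, BOT))
```
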
              • 18367
              • 834 Posts
              Really?

              it's been working fine up till now, (without the last and new line)

              but I'll give it a try and see if it makes any difference.



              OK, seems to work for legit users.

              How would I test it for spammers?
                Content Creator and Copywriter
                • 6629
                • 60 Posts
                How would I test it for spammers?
                Just enter something in the value-attribute of your hidden field.
                  • 18367
                  • 834 Posts
                  Quote from: DasItsch at Apr 18, 2013, 08:21 AM
                  Just enter something in the value-attribute of your hidden field.

                  But how do I do that? I'm not a spammer so if the field is hidden I have no idea how to enter something into it.
                    Content Creator and Copywriter
                    • 6629
                    • 60 Posts
                    Quote from: markg at Apr 18, 2013, 08:26 AM
                    But how do I do that? I'm not a spammer so if the field is hidden I have no idea how to enter something into it.

                    To test the validation, modify the field in your template:
                    <input type="hidden" name="confirmemail" value="iAmSpam" />
                    


                    Or make the field temporarily visible and fill in something:
                    <input type="text" name="confirmemail" value="" />
                    


                    If you're using the WebDeveloper Toolbar (available for Chrome/Firefox), you can click on "Miscellaneous -> Display hidden elements" to make the field visible.
                      • 18367
                      • 834 Posts
                      If you're using the WebDeveloper Toolbar

                      Ah, the always reliable toolbar, yes that worked. (Or not worked to be technically accurate.)

                      Anyway, I have another question. The hidden input field can be seen in the page source, so wouldn't a spammer write their bot to look out for "hidden" inputs and avoid them?



                        Content Creator and Copywriter