    • 36551
    • 416 Posts
    I have a form on a site where spam is getting past the hidden field. I'm not sure what I'm doing wrong. The client (and I) don't want to use captcha, but the spam is still getting through.

    I put a placeholder [[+workemail]] in the sendto email to see if the validation is working, but it is empty in the email that is sent, while all the other fields are spam filled.

    Anybody see anything wrong here?

    [[!FormIt? 
    &hooks=`spam,email,redirect,FormItAutoResponder` 
    &emailTpl=`emailsendto` 
    &fiarTpl=`emailcc` 
    &fiarToField=`email`
    &fiarFrom=`xxxxxx`
    &fiarFromName=`[[++site_name]]`
    &fiarReplyTo=`xxxxxxx`
    &emailReplyTo=`xxxxxxxx`
    &fiar=`[[++site_name]]` 
    &fiarSubject=`Subject - Contact Form` 
    &emailTo=`xxxxxx` 
    &emailUseFieldForSubject=`1` 
    &redirectTo=`16` 
    
    &validate=`workemail:blank, firstname:required, lastname:required, email:email:required, text:required:stripTags` 
    &submitVar=`contactformsubmit`
    ]]
    
    <div id="form_container">
      <p>[[!+fi.error_message:notempty=`[[!+fi.error_message]]`]]</p>
    
      <form class="form" action="[[~[[*id]]]]" method="post">
      
      <input type="hidden" name="workemail" value="" />
    
      <label for="firstname"> First Name: <span class="error">[[!+fi.error.firstname]]</span> </label> 
      <input id="firstname" type="text" name="firstname" value="[[!+fi.firstname]]" /> <br /> 
    
      <label for="lastname"> Last Name: <span class="error">[[!+fi.error.lastname]]</span> </label> 
      <input id="lastname" type="text" name="lastname" value="[[!+fi.lastname]]" /> <br /> 
    
      <label for="email"> Email: <span class="error">[[!+fi.error.email]]</span> </label> 
      <input id="email" type="text" name="email" value="[[!+fi.email]]" /> <br /> 
    
      <label for="phone"> Phone: <span class="error">[[!+fi.error.phone]]</span> </label> 
      <input id="phone" type="text" name="phone" value="[[!+fi.phone]]" /> <br /> 
    
      <label for="subject"> Subject: <span class="error">[[!+fi.error.subject]]</span> </label> 
      <input id="subject" type="text" name="subject" value="[[!+fi.subject]]" /> <br /> 
    
      <label for="text"> Message: <span class="error">[[!+fi.error.text]]</span> </label> 
      <textarea id="text" name="text" rows="7" cols="77">[[!+fi.text]]</textarea>  
    
    
    
      <div class="form-buttons">
        <input name="contactformsubmit" type="submit" value="Submit" />
      </div>
    </form>
    
    </div><!--form_container-->
      • 34926
      • 87 Posts
      The hidden field tactic is very easy to circumvent so this isn't a technical issue.

      There is no single solution to stop spam but CAPTCHAs are popular these days as well as filtering services like Akismet.

      Edit: Just to clarify there is nothing wrong with your code. The approach just isn't working.
        • 36551
        • 416 Posts
        Thanks for taking a look.

        I'd understood that the hidden field was quite effective.

        • FormIt comes with a 'math' hook that provides a math-based question http://rtfm.modx.com/extras/revo/formit/formit.hooks/formit.hooks.math

          To be honest, I've been using "empty" fields for years, and have yet to receive a single spam submission from any of my forms. Maybe none of my sites have been important enough for spammers to go to the bother of even the most simple circumvention.
            Studying MODX in the desert - http://sottwell.com
            Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
            Join the Slack Community - http://modx.org
            • 36551
            • 416 Posts
            Yeah Susan, me too.

            Just for kicks, I just changed the hidden field to a text field so I could enter a value into the field and submit the form.

            When I submitted it, the page refreshed showing the form again. The workemail:blank field no longer has the text I entered. When I submitted again, the form sent.

            The workemail placeholder in the sendto email has the value that I had entered.

            Doesn't this suggest that the :blank validation isn't working?
            • That does sound fishy. I preferred to use my own field with CSS to move it out of view. Less likely for the bot to spot the 'hidden' field that way. Maybe the value should be [[!+fi.fieldname]] like all of the other fields? That way the value would propagate across error conditions.
                • 34926
                • 87 Posts
                Quote from: sottwell at Jul 14, 2014, 03:21 PM
                FormIt comes with a 'math' hook that provides a math-based question http://rtfm.modx.com/extras/revo/formit/formit.hooks/formit.hooks.math

                To be honest, I've been using "empty" fields for years, and have yet to receive a single spam submission from any of my forms. Maybe none of my sites have been important enough for spammers to go to the bother of even the most simple circumvention.

                I think it's luck. The majority of sites I have are fine but three of them get spammed to hell - one being very low traffic. By default I always use this method because it might work and there's no harm in doing it.
                  • 36551
                  • 416 Posts
                  Susan, thanks.

                  I changed the spam field from:

                  <input type="hidden" name="workemail" value="" />

                  to:
                  <input id="workemail" type="text" name="workemail" value="[[!+fi.workemail]]" />

                  and added this to my css:
                  #workemail {position: absolute; left: -10000px;}


                  Now if there is a value there it simply returns the form with the value displayed and will not submit. So I think that is progress. I'm going to ask my client to monitor this for a while and see what happens.

                  My only question now is this. I followed this tutorial. Is it incorrect? Out of date?

                  http://rtfm.modx.com/extras/revo/formit/formit.tutorials-and-examples/formit.using-a-blank-nospam-field
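
Added example, not part of any post in this thread and not FormIt's own code: a small Python model of the round trip discussed above, where a filled honeypot is rejected once and the form is then re-rendered either with the static `value=""` or with the `[[!+fi.workemail]]` placeholder. The helper names, the sample address and the escaping step are assumptions of this model.

```python
import html
import re

# Honeypot markup quoted from the thread: the original hidden input and the revised one.
STATIC_FIELD = '<input type="hidden" name="workemail" value="" />'
STICKY_FIELD = '<input id="workemail" type="text" name="workemail" value="[[!+fi.workemail]]" />'


def validate_blank(post, field="workemail"):
    """Model of a 'must be blank' rule: any non-whitespace content fails."""
    return post.get(field, "").strip() == ""


def render(template, post, field="workemail"):
    """Re-render the field after a failed submit, filling the placeholder if present."""
    # Escaping is this model's choice, so a reflected value cannot break out of the attribute.
    escaped = html.escape(post.get(field, ""), quote=True)
    return template.replace("[[!+fi.%s]]" % field, escaped)


def value_in_markup(markup):
    """Value a browser posts back if the re-rendered form is submitted unchanged."""
    match = re.search(r'value="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


def round_trip(template, typed_value, submits=2):
    """Submit once with typed_value, then resubmit whatever each re-render contains."""
    outcomes = []
    post = {"workemail": typed_value}
    for _ in range(submits):
        if validate_blank(post):
            outcomes.append("accepted")
            break
        outcomes.append("rejected")
        # The next submit carries only what the re-rendered markup holds.
        post = {"workemail": value_in_markup(render(template, post))}
    return outcomes


if __name__ == "__main__":
    # Constructed sample value standing in for what a bot might put in the field.
    print("static value:", round_trip(STATIC_FIELD, "bot@example.com"))
    print("placeholder: ", round_trip(STICKY_FIELD, "bot@example.com"))
```
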
                  • Spam-prevention is not an exact science. Some bots are smarter than others, some spam is done by people in very poverty-stricken areas being paid pennies per hour to manually fill out the forms.
                      • 40358
                      • 40 Posts
                      Spam bots don't care about CSS-styling. They just download the raw HTML-file and traverse the elements that way. That CSS-trick will most likely do nothing.