  • I’ve made the attempt at spam protection by adding a field that must be left empty. I took it from BobRay’s spform.
    the field:
    <input type="text" name="Last__Name" id="LastName" size=30 autocomplete="off" eform="LastName::0" />

    the CSS:
    #LastName{
        position:absolute;
        text-decoration:underline;
        background-color:#CC0000;
        left:0px;
        top:-500px;
        width:1px;
        height:1px;
        overflow:hidden;
    }
    

    The snippet checkField:
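    <?php
    // eformOnValidate callback: returning false makes eForm abort the submission.
    function checkField(&$fields,&$vMsg,&$rMsg) {
        // The hidden field must come back empty.
        if(!empty($fields['Last__Name'])) {
            return false;
        } else {
            return true;
        }
    }
    ?>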

    And the eForm parameter:
    &eformOnValidate=`checkField`

    I suppose only time will tell if it actually works; if I don’t hide the field and fill it in, the eForm just aborts with no errors or messages, which is all that a ’bot deserves. If the field is empty, the form works as expected.
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
    • I’m trying this out on a form that’s been getting hit by a dirty rotten spammer lately. I expect it’ll do the trick. Thanks for posting it!

      I actually added a separate check to the function to block messages with certain words in them. I did this mostly because I thought that perhaps this spambot had already determined which field data it needed to send to this form and wouldn’t necessarily recheck it and fill in the hidden field. I wanted to be sure that I stopped the current wave of spam, and this seemed like a simple way to do it.

      <?php
      function antiSpam(&$fields,&$vMsg,&$rMsg) {

          $hasBadWords='no';
          $badWords=array('xanax','viagra','phentermine','cialis','tramadol','propecia','[url=');
          // Case-insensitive substring check of each listed term in three fields
          foreach($badWords as $badWord){
              if(strpos(strtolower($fields['Name']),$badWord) !== false) $hasBadWords='yes';
              if(strpos(strtolower($fields['emailSubject']),$badWord) !== false) $hasBadWords='yes';
              if(strpos(strtolower($fields['message']),$badWord) !== false) $hasBadWords='yes';
          }

          // Reject if the hidden field is filled in or a listed term was found
          if(!empty($fields['Last__Name'])||$hasBadWords=='yes') {
              return false;
          } else {
              return true;
          }
      }
      ?>


      I don’t think that any legitimate email would ever have any of these words in it, so it seems like a safe extra measure to throw into the mix.
        "Things are not what they appear to be; nor are they otherwise." - Buddha

        "Well, gee, Buddha - that wasn't very helpful..." - ZAP

        Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
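
An added example, not code posted in this thread: a variant of the validation callback above that covers two edge cases of the approach. A plain `strpos` test also matches listed terms inside longer words (`cialis` occurs in `specialist`), and a replayed POST can omit the hidden field entirely rather than fill it in. The names `antiSpamStrict` and `containsBadWord` are hypothetical, the sample submissions are constructed, and the code assumes `$fields` holds every posted form field.

```php
<?php
// Added example; helper names are hypothetical, sample data is constructed.

// True if $text contains a listed term as a whole word (case-insensitive).
function containsBadWord($text, array $badWords) {
    foreach ($badWords as $word) {
        // \b keeps 'cialis' from matching inside 'specialist'.
        if (preg_match('/\b' . preg_quote($word, '/') . '\b/i', $text)) {
            return true;
        }
    }
    return false;
}

// Same signature as the eformOnValidate callbacks in the posts above.
function antiSpamStrict(&$fields, &$vMsg, &$rMsg) {
    // A browser posts the hidden input as an empty string. A missing key
    // means the request was not built from the rendered form.
    // Assumption: $fields carries every posted field.
    if (!array_key_exists('Last__Name', $fields) || $fields['Last__Name'] !== '') {
        return false;
    }
    $badWords = array('xanax', 'viagra', 'phentermine', 'cialis', 'tramadol', 'propecia');
    foreach (array('Name', 'emailSubject', 'message') as $key) {
        $value = isset($fields[$key]) ? (string) $fields[$key] : '';
        // '[url=' is markup rather than a word, so it stays a substring test.
        if (stripos($value, '[url=') !== false || containsBadWord($value, $badWords)) {
            return false;
        }
    }
    return true;
}

// Constructed submissions covering each branch.
$base = array('Last__Name' => '', 'Name' => 'Ann', 'emailSubject' => 'Question',
              'message' => 'Can your specialist call me back?');
$missing = $base;
unset($missing['Last__Name']);
$samples = array(
    'legitimate, mentions a specialist' => $base,
    'hidden field filled in' => array_merge($base, array('Last__Name' => 'Smith')),
    'hidden field missing from POST' => $missing,
    'listed word in message' => array_merge($base, array('message' => 'Buy Viagra now')),
    'BBCode link in subject' => array_merge($base, array('emailSubject' => '[url=http://example.invalid]')),
);
$vMsg = array();
$rMsg = array();
foreach ($samples as $label => $fields) {
    printf("%-36s %s\n", $label, antiSpamStrict($fields, $vMsg, $rMsg) ? 'accept' : 'reject');
}
```

In eForm it would be attached the same way as the callbacks above, with the parameter &eformOnValidate=`antiSpamStrict`.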
      • I’m also using a hidden form field for spam fighting. But my variant is very simple:
        <input type="text" name="title" eform="spammer:string:0:go to hell:#REGEX /^$/i" />
        and hide this field with css rule:
        display: none;
        • Quote from: sottwell at Nov 24, 2007, 09:40 PM

          I suppose only time will tell if it actually works; if I don’t hide the field and fill it in, the eForm just aborts with no errors or messages, which is all that a ’bot deserves. If the field is empty, the form works as expected.

          Actually I had to implement a solution like that on a page built on a CMS other than MODx, which was flooded with spam. I used a hidden field together with a simple question that needs to be answered. The result: for 6 weeks now, not a single spam message has been able to get through the form.

          But if that approach is used more, I guess it’s only a matter of time until spam bots get smart enough to check for css rules that hide form fields, leaving them empty. Maybe answering simple questions is the way to go, as they are more accessible than visual captcha with distorted letters, for people with disabilities.
            René
          • Quote from: [e]Bu$ter
            I’m also using a hidden form field for spam fighting. But my variant is very simple:
            <input type="text" name="title" eform="spammer:string:0:go to hell:#REGEX /^$/i" />
            and hide this field with css rule:
            display: none;


            The only downside to this approach is that Google may penalize you for having hidden content. If you use the method Sottwell describes above in your CSS instead, the field will be invisible to users but Google’s bots (and spambots programmed to ignore "display:none" content) will still "see" it.

            Bob
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/MODx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
            • Spam bots parsing CSS files too? Mm... maybe. But I am sure Google does not penalize for this, because display is a standard property which is used everywhere (for dynamic content the default value is usually none :) ).
              • My understanding is that many sites use (or used) display:none to hide a long list of keywords in the hope of moving up in Google Page Rank. It’s widely believed that Google responded by penalizing sites that hide content in this way when media=screen. Google, of course, is mum on the issue.

                Since the method Sottwell describes works just as well for hiding content without using "display:none", I would use it instead, just in case.

                Obviously, if you don’t care about Google Page Rank, this is a non issue.

                Bob
                • Hi everybody,

                  got it working, just wanted to check if the intended behaviour is right

                  if the hidden field is filled out, and the form submitted, nothing will be displayed at all ( the actual form will basically disappear from the page), right?

                  thanks, j
                  • Yes - that’s right. Susan doesn’t like to talk to spambots. I don’t blame her.
                    • Yes - that’s right. Susan doesn’t like to talk to spambots. I don’t blame her.
                      haha, great thanks :)