
Never add a "Contact Us" form without a captcha

August 16, 2009

I have built a couple of websites over the last few years, and one thing I have learned is that there are more bots out there than you can handle.

At first I thought that adding a moderation mechanism to my web projects would be enough, and that I could manually check and approve every submitted comment. I also made the mistake of adding a “Contact Us” form to a couple of the websites I published.

What did I do wrong?
1. I only checked that the e-mail address was well-formed and accepted any other input without using a captcha.
2. My systems e-mailed me every comment the moment it was submitted.

So what happened? All those bots started auto-submitting random text strings, and I mean the silliest randomly generated comments.
For example, on a low-traffic alumni site that I created 4-5 years ago for the School of Electrical and Computer Engineering of the National Technical University of Athens, the ratio of comments submitted by users to automatically generated comments (that passed my checks) was 1 to 50.

But the most interesting thing, and the reason I am writing this post, was the content of the bots' submissions. As a software engineer I assumed that on any publicly available form the bots would try to find vulnerabilities, inject code or scripts, post links to malicious websites, attack my database, and so on. So I built a mechanism to prevent those attacks, assuming that I would never see plain spam. I was amazed when I realised what kinds of submissions were neither regular attacks nor random strings. Some examples follow:

  • “Billiards, pool Croatia Service”
  • “Tired of a competitor’s site? Hinder the enemy? Fed pioneers or copywriters? … Kill Their Sites! …” (full list of prices followed and methods to contact them)
  • “Very nice site!” (and 100s of other similar generic messages)
  • “Hi, cool site, good writing ;)”  (and 100s of other blog oriented generic messages)
  • “to: Admin – If You want to delete your site from my spam list, please visit this site …”
  • … etc ….

I cannot understand how these people make money from automatically generated messages, but I do know one thing: they never stop submitting, again and again, every day.

So the next time you add a form to any project, either require the user to be logged in (having passed some form of captcha during registration) or put a captcha on the form itself.
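As an added example (not code from the original post), here is a contact-form handler that keeps the e-mail-format check the post relied on and adds a server-issued captcha challenge. The details are assumptions, not something the post describes: the challenge is a small arithmetic question standing in for whatever image, audio or third-party challenge you actually render; the token is HMAC-signed with a placeholder SECRET_KEY so the server stores nothing except the ids it has already consumed; and each token is single-use, so a bot cannot simply retry the same token with every possible answer. The constructed submissions in demo() reuse the generic spam messages listed above, each with a perfectly well-formed address, which is exactly why the e-mail check alone let them through.

```python
# Added example, not the post's own code: contact-form handler with a
# signed, expiring, single-use captcha challenge.  Assumptions: arithmetic
# question as the challenge, placeholder SECRET_KEY, in-memory used-id set.
import base64
import hashlib
import hmac
import json
import re
import secrets
import time

SECRET_KEY = b"replace-with-a-random-per-deployment-secret"  # assumption: real value comes from config
CHALLENGE_TTL = 600  # seconds a challenge stays valid
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_used_ids = set()  # ids already consumed; a real deployment shares this across workers


def email_looks_valid(addr):
    """The only check the post's original forms performed: a well-formed address."""
    return bool(EMAIL_RE.match(addr or ""))


def _sign(data):
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()


def _answer_tag(challenge_id, answer):
    """Bind the expected answer to one challenge id; the answer itself never leaves the server."""
    return _sign(f"{challenge_id}:{answer}".encode())


def issue_challenge(now=None, operands=None):
    """Return {'question', 'token'}; the client must echo the token with its answer.
    `operands` pins the numbers so tests are deterministic; normally they are random."""
    now = time.time() if now is None else now
    a, b = operands or (secrets.randbelow(10), secrets.randbelow(10))
    challenge_id = secrets.token_hex(8)
    payload = {"id": challenge_id, "exp": int(now) + CHALLENGE_TTL,
               "tag": _answer_tag(challenge_id, a + b)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return {"question": f"What is {a} + {b}?", "token": f"{body}.{_sign(body.encode())}"}


def _parse_token(token):
    """Return the signed payload, or None if the token is missing, forged or malformed."""
    try:
        body, sig = token.split(".", 1)
    except (AttributeError, ValueError):
        return None
    if not hmac.compare_digest(_sign(body.encode()), sig):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None


def verify_submission(form, now=None):
    """Return (accepted, reason) for a form dict with email, message,
    captcha_token and captcha_answer fields."""
    now = time.time() if now is None else now
    if not email_looks_valid(form.get("email")):
        return False, "invalid email"
    payload = _parse_token(form.get("captcha_token"))
    if payload is None:
        return False, "missing or forged captcha token"
    if payload["exp"] < now:
        return False, "captcha expired"
    if payload["id"] in _used_ids:
        return False, "captcha token already used"
    _used_ids.add(payload["id"])  # consumed on the first attempt, right or wrong: no second guesses
    given = _answer_tag(payload["id"], str(form.get("captcha_answer", "")).strip())
    if not hmac.compare_digest(payload["tag"], given):
        return False, "wrong captcha answer"
    return True, "accepted"


def demo():
    """Constructed submissions (not real traffic) modelled on the spam quoted in the post."""
    now = 1_700_000_000
    human = issue_challenge(now=now, operands=(3, 4))
    bot = issue_challenge(now=now, operands=(5, 6))
    stale = issue_challenge(now=now - 2 * CHALLENGE_TTL, operands=(1, 1))
    return {
        "bot_no_captcha": verify_submission(
            {"email": "bot@example.com", "message": "Very nice site!"}, now),
        "bot_wrong_answer": verify_submission(
            {"email": "bot@example.com", "message": "Hi, cool site, good writing ;)",
             "captcha_token": bot["token"], "captcha_answer": "0"}, now),
        "bot_retry_same_token": verify_submission(
            {"email": "bot@example.com", "message": "Very nice site!",
             "captcha_token": bot["token"], "captcha_answer": "11"}, now),
        "human": verify_submission(
            {"email": "alumnus@example.com", "message": "Is the reunion still on?",
             "captcha_token": human["token"], "captcha_answer": "7"}, now),
        "human_replay": verify_submission(
            {"email": "alumnus@example.com", "message": "Is the reunion still on?",
             "captcha_token": human["token"], "captcha_answer": "7"}, now),
        "expired": verify_submission(
            {"email": "alumnus@example.com", "message": "late",
             "captcha_token": stale["token"], "captcha_answer": "2"}, now),
    }
```

The arithmetic question itself is trivially solvable by a bot; what carries over to a real captcha is the token handling: the expected answer only ever travels as a keyed hash, the token expires, and it is consumed on the first attempt whether right or wrong, so the 19 possible answers cannot be enumerated against one token. Rendering a harder challenge, or calling out to a hosted captcha service, slots in at issue_challenge without changing verify_submission.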