Protecting FP 2003 "Form" data from spamming?

[Fred]

Good Evening!
I have created a form with validation for the fields and an appropriate
confirmation page. Additionally, the resulting data set in the form is then
sent to an email address as provided for within FP in the form options. All
this works properly. However, I have noticed that I do get emails on
occasion that contain "bogus" data containing http addresses and so on. The
data is in the form of This bogus data has been
"applied" in one of the form fields that represents one of the Option Button
types of form fields. I can see how data of this type could be applied to a
comment field, but how is this being done in a "click" the Option Button
field?
The other problem is that the email address, as it relates to its use in
the form, itself can't be hidden in the markup by something like the
"hiveware-enkoder" utility. (the email address is in one of the "webbot"
lines)
Has anyone run into something like this?

Thanks,
Fred

 

[Ronx]

The only solution to this is to use server-side scripting (asp, asp.net,
php, Perl/CGI) to process the form data.
In your case it is possible that the spambot is using its own form
(based on yours) and your server extensions.

 

[.._..]

Yup.

Near as I can tell it's some third world sweatshop that pays poor saps to
configure the spam bot network. (They visit, set the form up and the
network submits the spam repeatedly based on a configuration file. It's NOT
live detection of the form.)

Blocking the IP won't work because it comes from all over the world from
infected machines.

If you remove or change the name of form fields it stops for that field.

If you rename the form file, the bot network can't find it for a while until
the poor third world sap comes back and re-finds your form.

Also, they seem to focus on forms that have a field called "comments" in it,
so name it something else.

All of this is an attempt to get links to bolster their sites in search
engines like Google. (Those "get high search rankings" guys are a bunch of
twats.)

The bots don't use javascript, so don't bother with validation (it uses
javascript).

You can hide the email address by stacking the forms. Make two copies, one
submits to the file in _private (which you ignore). The "thank you" page is
the second form, which has your actual email address in it. Through a bug
in the extensions, a user submitting the form will only see the first form,
and the final thank you page. BUT, the second form get's submitted by the
extensions. It's a pain in the arse to set up but once you get the hang of
it, it can be quite effective. (Just don't go and put a link to the second
form...)