Page 1 of 2
Results 1 to 10 of 13

Thread: webtoleadcapture.php spam?

  1. #1
    gordo is offline Sugar Community Member
    Join Date
    Oct 2005
    Posts
    35

    Default webtoleadcapture.php spam?

    Hi there...I can't seem to find any other references to this, so maybe I'm the only one...but we operate a lead capture form on our website that uses the sugar SOAP thing and forms to capture directly into our leads.

    The problem I've got is that we're now getting spammed, so every morning there are about 20-30 new leads, almost none of which are legit...they're auto-spam that fills in a randomly generated name and email address, and then some stuff in the description field about everyone's favourite erectile dysfunction drugs. It's driving me nuts!

    This is how we're set up:

    Sugar 4.5.1E...generated the code for the lead capture form using the built-in form generator in Sugar. Copied the code and created a static content "Contact Us" form in Joomla 1.13...the contact us form has been customized to include certain required fields and a poor man's JavaScript CAPTCHA check to see if we could stop the spam (it hasn't worked).

    I have a theory that they're not even using our form, but somehow bypassing it and submitting data directly to the webtoleadcapture.php file...is that possible? Are there any security measures that can be implemented (i.e. like not allowing direct access to it?) to prevent this kind of thing?

    Has anyone else run into this? Any solutions out there?

    Thanks much,

    Gord

  2. #2
    labanjohnson is offline Sugar Community Member
    Join Date
    Jul 2007
    Location
    Houston, TX
    Posts
    139

    Default Re: webtoleadcapture.php spam?

    You can try Captcha (where you type in the random field you see), but somehow some bots find their way around that!

    Best solution I've ever found to stop form spam, across the board, is to ask a verification question that requires cognitive thought to answer, just before the submit button, such as

    What is 1 + 1?
    How many days are there in a week?
    How much wood could a woodchuck chuck if a woodchuck could chuck wood?

    (Ok maybe not that last one so much..)

    Now using PHP to validate the answer you can stop the spam from being submitted into the database.
    Laban Johnson
    SugarCE User, Idealist
    Open Source and Social Media Enthusiast, Social Entrepreneur
    Twitter: http://www.twitter.com/labanjohnson
    Home page: http://www.LabanJohnson.com

  3. #3
    kbrill is offline SugarCRM PS Engineer
    Join Date
    Jul 2004
    Location
    St Louis, MO
    Posts
    3,183

    Default Re: webtoleadcapture.php spam?

    ahhh, OK

    Yes there is an easy way to make the webtoleadcapture.php verify that it is your form that is filled out.

    Just put a hidden field on the form, then check for that hidden field in the PHP. That way, if that field isn't filled in with the value that you want, reject it.

    for example put

    <input type="hidden" name="wtltest" value="aok">

    then in the webtoleadcapture.php put this

    if (!isset($_POST['wtltest']) || $_POST['wtltest'] != 'aok') {
        // Hidden field missing or wrong: this POST did not come from our form.
        exit;
    }

    that should do it. You could even get creative and make it use a version of the date so that it would change every day.
    Kenneth Brill - Help Forum Moderator

    I do not respond to 'Private Messages'. Please email me directly instead

    When asking for help, PLEASE give us your Server Information and Version Numbers as asked for on the 'Post New Message' screen as well as any JavaScript errors shown at the bottom of the browser window.
    Help us Help You

  4. #4
    kbrill is offline SugarCRM PS Engineer
    Join Date
    Jul 2004
    Location
    St Louis, MO
    Posts
    3,183

    Default Re: webtoleadcapture.php spam?

    Quote Originally Posted by labanjohnson
    You can try Captcha (where you type in the random field you see), but somehow some bots find their way around that!

    Best solution I've ever found to stop form spam, across the board, is to ask a verification question that requires cognitive thought to answer, just before the submit button, such as

    What is 1 + 1?
    How many days are there in a week?
    How much wood could a woodchuck chuck if a woodchuck could chuck wood?

    (Ok maybe not that last one so much..)

    Now using PHP to validate the answer you can stop the spam from being submitted into the database.
    Umm, none of this will work if the offending bot is not using the form, like the original poster was asking. That's why the captcha he talked about didn't work.

  5. #5
    labanjohnson is offline Sugar Community Member
    Join Date
    Jul 2007
    Location
    Houston, TX
    Posts
    139

    Default Re: webtoleadcapture.php spam?

    Hidden fields are visible to bots, so I'm not certain that alone would do it, but then again I don't toy with bots so I don't know how they operate.

    The modification would have to take place in webtoleadcapture.php, so it would work that way.

  6. #6
    kbrill is offline SugarCRM PS Engineer
    Join Date
    Jul 2004
    Location
    St Louis, MO
    Posts
    3,183

    Default Re: webtoleadcapture.php spam?

    Quote Originally Posted by labanjohnson
    Hidden fields are visible to bots, so I'm not certain that alone would do it, but then again I don't toy with bots so I don't know how they operate.

    The modification would have to take place in webtoleadcapture.php, so it would work that way.
    Again, from the original poster's message the bot isn't using the form, so that field should never be seen by anyone. And if you base it on the date, then you could make the key change every day.
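    The hidden-field check from reply #3 combined with the daily-rotating key from reply #6, written out as an added example (not Sugar's own code). The value is an HMAC of the date under a secret shared by the page that renders the form and the Sugar host, so it works even when the two sit on different domains; WTL_SECRET, the log path and the helper names are assumptions, and hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example (not Sugar's own code): hidden-field check for
// webtoleadcapture.php whose expected value rotates every day.
// Assumptions: WTL_SECRET is shared by the form host and the Sugar host,
// the field is called "wtltest", and PHP >= 5.6 is available (hash_equals).

define('WTL_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-STRING'); // placeholder

// Token for a given day: an HMAC of the date, so knowing today's date
// alone is not enough to produce the value.
function wtl_token_for($ymd) {
    return hash_hmac('sha256', $ymd, WTL_SECRET);
}

// Rendering side: emit the hidden field carrying today's token.
function wtl_hidden_field() {
    $token = wtl_token_for(gmdate('Y-m-d'));
    return '<input type="hidden" name="wtltest" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Capture side: accept today's and yesterday's token, so a form loaded
// shortly before midnight UTC still submits successfully.
function wtl_token_is_valid($submitted) {
    if (!is_string($submitted)) {
        return false;
    }
    foreach (array(time(), time() - 86400) as $ts) {
        if (hash_equals(wtl_token_for(gmdate('Y-m-d', $ts)), $submitted)) {
            return true;
        }
    }
    return false;
}

// Place this at the top of webtoleadcapture.php, before the lead is created.
$submitted = isset($_POST['wtltest']) ? $_POST['wtltest'] : '';
if (!wtl_token_is_valid($submitted)) {
    // Record the rejected source so repeat offenders can be reviewed and
    // blocked at the server; the log path is an assumption.
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-';
    error_log(sprintf("[%s] wtl reject from %s ua=%s\n",
        gmdate('c'), $_SERVER['REMOTE_ADDR'], $ua), 3, '/var/log/wtl_rejects.log');
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// ... the original webtoleadcapture.php processing continues here ...
```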

  7. #7
    gordo is offline Sugar Community Member
    Join Date
    Oct 2005
    Posts
    35

    Default Re: webtoleadcapture.php spam?

    Quote Originally Posted by kbrill
    Again, from the original poster's message the bot isn't using the form, so that field should never be seen by anyone. And if you base it on the date, then you could make the key change every day.
    Thanks for the suggestions everyone. We've implemented a poor-man's captcha-type check (similar to the first reply)...but like I said, I think the bot is bypassing the form altogether (though I will probably implement Ken's first suggestion anyway, just in case).

    Any good suggestions on how to fortify the webtoleadcapture.php form? Would some of the Joomla or Mambo tricks for preventing direct access to the file in question work? I guess for it to work the form would have to be on the same domain as the webtoleadcapture.php file...which in our case, it's not.

    Thanks for your suggestions - hopefully we'll get this figured out.

    *edit* - it's late...I re-read Ken's post...we'll give that a shot and I can see how that would work. Perhaps it's something Sugar would want to implement in the core code going forward...some way of preventing direct access to the file unless it's from a 'legitimate' form.

    Thanks again Ken. I'll let you know how it works.

  8. #8
    kbrill is offline SugarCRM PS Engineer
    Join Date
    Jul 2004
    Location
    St Louis, MO
    Posts
    3,183

    Default Re: webtoleadcapture.php spam?

    Another suggestion that I have used in the past is to rename webtoleadform.php to something else occasionally. Then the bot has to catch up. Also, when you do that, if you're technically savvy enough, you can capture all the IP addresses that try to access webtolead.php (you can put a file in its place that captures IPs) and then just blacklist them from your server, because they have to be bots.

  9. #9
    Jacob is offline Senior Member
    Join Date
    Oct 2004
    Posts
    331

    Default Re: webtoleadcapture.php spam?

    Quote Originally Posted by kbrill
    ahhh, OK

    Yes there is an easy way to make the webtoleadcapture.php verify that it is your form that is filled out.

    Just put a hidden field on the form, then check for that hidden field in the PHP. That way, if that field isn't filled in with the value that you want, reject it.

    for example put

    <input type="hidden" name="wtltest" value="aok">

    then in the webtoleadcapture.php put this

    if (!isset($_POST['wtltest']) || $_POST['wtltest'] != 'aok') {
        // Hidden field missing or wrong: this POST did not come from our form.
        exit;
    }

    that should do it. You could even get creative and make it use a version of the date so that it would change every day.

    This is a good mechanism. Here are a couple of ideas (including repeats):

    • Stronger Captcha - Annoys customers
    • Logic Based Captcha as suggested above.
    • Hosting the true lead form on your Sugar Installation. This allows for creating an actual PHP session where you can generate a random GUID on form rendering, put it in the session, and then require it to match perfectly on the next round trip. It is hard to fake that and it will work across multiple domains.


    Jacob
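    The session-bound token from Jacob's third bullet, as an added example (not Sugar's own code): the form is served by the same PHP host that receives the POST, so a random value can be stored in $_SESSION at render time and required to match, unexpired and unused, on the next round trip. The field name "wtl_nonce", the helper names and the one-hour lifetime are assumptions; random_bytes() needs PHP 7.0 or later.

```php
<?php
// Added example (not Sugar's own code): session-bound one-time token for a
// lead form hosted on the Sugar installation itself.
// Assumptions: PHP >= 7.0 (random_bytes, hash_equals), field name "wtl_nonce".

session_start();

// Form rendering: generate an unguessable token, remember it (with the time
// it was issued) in the session, and embed it in a hidden field.
function wtl_issue_nonce() {
    $nonce = bin2hex(random_bytes(16));          // 128 bits of randomness, hex
    $_SESSION['wtl_nonce'] = $nonce;
    $_SESSION['wtl_nonce_issued'] = time();
    return '<input type="hidden" name="wtl_nonce" value="' . $nonce . '">';
}

// Capture side: the token must match the one in the session and must not be
// older than $max_age seconds. It is removed before checking, so it can be
// used once only and a replayed POST fails.
function wtl_consume_nonce($submitted, $max_age = 3600) {
    if (empty($_SESSION['wtl_nonce']) || !is_string($submitted)) {
        return false;
    }
    $expected = $_SESSION['wtl_nonce'];
    $issued = isset($_SESSION['wtl_nonce_issued']) ? $_SESSION['wtl_nonce_issued'] : 0;
    unset($_SESSION['wtl_nonce'], $_SESSION['wtl_nonce_issued']);
    if (time() - $issued > $max_age) {
        return false;                            // token expired
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = isset($_POST['wtl_nonce']) ? $_POST['wtl_nonce'] : '';
    if (!wtl_consume_nonce($submitted)) {
        // No session, wrong, expired or reused token: not a fresh render of
        // our form, so drop the submission before it reaches the lead code.
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    // ... hand the validated fields to the lead-capture logic here ...
} else {
    // Render the form with a fresh token on every GET.
    echo '<form method="post">', wtl_issue_nonce(),
         '<input type="text" name="last_name">',
         '<input type="submit" value="Send"></form>';
}
```

    A bot that posts straight to the capture script never loads the form, so it has no session and no token and is rejected before any lead is created.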

  10. #10
    gordo is offline Sugar Community Member
    Join Date
    Oct 2005
    Posts
    35

    Default Re: webtoleadcapture.php spam?

    Quote Originally Posted by Jacob
    This is a good mechanism. Here are a couple of ideas (including repeats):

    • Stronger Captcha - Annoys customers
    • Logic Based Captcha as suggested above.
    • Hosting the true lead form on your Sugar Installation. This allows for creating an actual PHP session where you can generate a random GUID on form rendering, put it in the session, and then require it to match perfectly on the next round trip. It is hard to fake that and it will work across multiple domains.


    Jacob
    Thanks for the tips Jacob and Ken. Have a good weekend.

    Gord
