How to prevent spam on a form [duplicate]

2019-09-14 21:48发布

问题:

This question already has an answer here:

  • How to Prevent SPAM without CAPTCHAs or a Centrally managed system (e.g. akismet) 10 answers

I have a simple form that users use to register their email address for a newsletter.

I want to prevent spammers submitting 000's of fake emails. What's the best way to do this?

I thought about limiting the number of inputs from each IP address to, say, 60 per hour, but then thought anyone determined will simply spoof their IP as part of the attack.

Any ideas?

*EDIT: I am looking for a server-side solution. In this situation, UX is important so I don't want to use a captcha, or ask the user to validate with a token

回答1:

You could do something like this,

function validEmail($email){
    if (filter_var($email, FILTER_VALIDATE_EMAIL)){
        list($user,$domain) = explode('@',$email);
        return checkdnsrr($domain, 'MX');
    } 
    return false;
}

it may not pick up every fake email, but I always validate their email by sending them a validation email with a link.

EDIT:

As for spam on a form use CSRF, that should prevent most spam (at least in my experience)



回答2:

You could use negative captcha. Idea is to have a field in the form that is not visible to humans but bots would enter values in it. On server side you can ignore requests that have a value in the negative captcha field.

Adavatage is that normal users do not see any extra steps like enter captcha words or validate the email. Cons is that the method works as long as people would not customize bots specifically for your site.

Example of a negative captcha. Include this in your form.

<div style="position: absolute; left:-2000px;"><input type="text" name="email_name" value="" /></div>

On server side do somethig like

if (params[:email_name] != "") //bot
else //not a bot


回答3:

I found a great technique somewhere on the interwebs. I enhanced it, and it is now available (open source) at www.formspammertrap.com .

It uses some javascript to replace the form action, and requires actual 'clickage' of a live user.

No captchas, hidden fields, etc.; those might work temporarily, but usually doesn't work long-term.

It is free, and it works great on any site I put it on. PHP-based, but will also work in WordPress (not a plugin).



回答4:

When a user types their email address into the bar, run a script that sends them an email to the address specified that contains a link, when they click the link it will activate that email address for newsletters.



回答5:

You could use capthcha - which is broken and annoying to users.

What I use is a simple question (how many logs does a dog have) and then use the input of <input type='text' name='email2' value=''>. I then do the necessary checks on the server-side of things. But one thing I do not do is to notify the person that something was wrong i.e. invalid number entered in the email2 textbox.

Anyway, just a thought.



回答6:

A common approach is, to add another textfield to the form-section. In your stylesheet (not the style-tag!), you set its css-property to display:none, since most spambots fillout every available input-element, but doesn’t load external .css-files. When your script gets the request, you check this hidden textfield – if it’s blank, you have good chances that this wasn’t spam.