Issue with spam on our contact forms (Codeigniter)

Published 2019-04-02 19:26

Question:

Can anyone suggest the best ways to counter SPAM on forms - we've got a captcha in place but spam still seems to be getting in.

Is it possible to do the following... On a form, check if the POST request has come from the form submitted from that site (and not a form using the same action). If the request has come from the site, accept it; otherwise don't, and simply ignore the request.

Also - is it possible to do something server-side to stop DDOS style attacks - as the spammer to our site seems to be sending thousands of requests in a very short space of time.

Can anyone suggest any other good anti-spam methods for Codeigniter (v2) that don't hinder the user too much? Thanks in advance.

Answer 1:

Can anyone suggest the best ways to counter SPAM on forms - we've got a captcha in place but spam still seems to be getting in.

I like the "honey pot" technique. Basically put a hidden field on your form, with an empty value. Validate the field as part of the form submission. If the field != empty - then it was a bot, so fail the submission. Bots tend to just fill in all the fields on a form automatically.

Is it possible to do the following... On a form check if the POST request has come from the form submitted from that site (and not a form using the same action). If the request has come from the site accept otherwise don't & simply ignore the request.

Yes - it's called CSRF - Codeigniter has it built in. Turn it on in your config file, and use form_open() on your forms. That's it.

Also - is it possible to do something server-side to stop DDOS style attacks - as the spammer to our site seems to be sending thousands of requests in a very short space of time.

Yes - put a "last submit" field in your session for each user. Or IP. Or however you want to track the spammer. On each form submission, check the last submit time; if it is less than X seconds ago (where X is whatever number you feel comfortable with - say 5 seconds), then fail the form due to it being submitted too often.

The other option is to record when the form was "served" to the user, and also fail if it is submitted less than X seconds after the request (i.e. it takes a normal person 30 seconds to fill in your form - so 2 seconds means a bot).

p.s. using the above means you'll be able to remove the Captcha :)
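The three server-side checks described in this answer (honeypot field, minimum time-to-fill, minimum interval between submissions), written up as an added PHP example that is not part of the original answer. It is framework-independent so it runs from the command line; the field names hp_field, served_at and last_submit and the thresholds are assumptions, and in a CodeIgniter 2 controller you would pass $_POST and the values read back from $this->session->userdata().

```php
<?php
// Added example (not from the original answer). Field names and thresholds
// below are assumptions; adapt them to your own form.

/**
 * Returns an empty array for a submission that passes, otherwise the list of
 * failed checks. $post is the submitted data, $session holds the per-user
 * timestamps, $now is passed in so the function is deterministic.
 */
function antispam_reasons(array $post, array $session, $now, $min_fill = 5, $min_interval = 30)
{
    $reasons = array();

    // 1. Honeypot: the hidden field must be present AND empty. Bots fill every
    //    field they see; a missing field means the request did not come from
    //    the real form at all.
    if (!isset($post['hp_field']) || $post['hp_field'] !== '') {
        $reasons[] = 'honeypot';
    }

    // 2. Time-to-fill: 'served_at' is stored in the session when the form is
    //    rendered. A human needs at least $min_fill seconds to fill it in.
    $served = isset($session['served_at']) ? (int) $session['served_at'] : 0;
    if ($served === 0 || ($now - $served) < $min_fill) {
        $reasons[] = 'too_fast';
    }

    // 3. Rate limit: reject a repeat submission within $min_interval seconds of
    //    the previous one. Key this on IP instead if you track spammers that way.
    if (isset($session['last_submit']) && ($now - (int) $session['last_submit']) < $min_interval) {
        $reasons[] = 'too_often';
    }

    return $reasons;
}

// Constructed sample data: form served 40 s ago, previous submit 2 minutes ago.
$now     = 1554233160;
$session = array('served_at' => $now - 40, 'last_submit' => $now - 120);
$cases   = array(
    'human' => array(array('name' => 'Alice', 'hp_field' => ''), $session),
    'bot'   => array(array('name' => 'Buy now', 'hp_field' => 'x@spam.example'),
                     array('served_at' => $now - 1, 'last_submit' => $now - 3)),
);
foreach ($cases as $label => $c) {
    list($post, $sess) = $c;
    $reasons = antispam_reasons($post, $sess, $now);
    echo $label, ': ', $reasons ? 'rejected (' . implode(', ', $reasons) . ')' : 'accepted', "\n";
}
```

On success, update last_submit in the session before inserting the post so the interval check applies to the next submission.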



Answer 2:

Well, I have actually had a lot of success with a pretty simple solution.

Create a CSS class:

.magic /* call it whatever you want */
{
  display: none;
}

Insert something like this in your form:

<form method="post" action="">
<p>
  <label>Name</label>
  <input type="text" name="name">
</p>
<!-- and the magic -->
<p class="magic">
  <input type="text" name="email"> <!-- spam bots LOVE 'email' fields ;) -->
</p>
<!-- /end magic -->

<p>
  <label>Real E-mail input field</label>
  <input type="text" name="some_email">
</p>
</form>

In your controller, you can do something like this:

...
public function create_post()
{
    $this->form_validation... // if you use form validation
    [...]
    // If all regular validations pass, do the last bit:

    // If something is in the hidden 'email' field, it has probably been filled
    // in by a bot, because regular users can't see the field.
    if ($this->input->post('email') == '')
    {
        $this->your_model->insert_the_post($data);
    }
    // otherwise, pretend nothing happened.
}

Your users will never see this - and this has kept me free of spam for several years now. Simple - but effective.



Answer 3:

Most probably, you have placed dictionary or product words in your captcha. I had the same problem of spam with Codeigniter. Then I put in some strong words, like alpha-numeric and all, and it seems to be working for me. Give it a try.