~hxii/AntiSpam

Fairly basic honeypot anti-spam measure
44061898 — Paul (hxii) Glushak 3 years ago
Fixed empty UA string error
e2b88d9c — Paul (hxii) Glushak 3 years ago
Added payload to log and filtering; Log and rule files are easier to change
0a951a07 — Paul (hxii) Glushak 3 years ago
Init commit


clone

read-only
https://git.sr.ht/~hxii/AntiSpam
read/write
git@git.sr.ht:~hxii/AntiSpam


# Simple Anti-Spam by hxii

# Preface

On my website I use FormSubmit.io in order to allow readers to get in touch with me without disclosing my email address. Lately I've noticed that despite FormSubmit having some sort of anti-spam measures, I am still getting trash to my email inbox. I figured these must be bots, so I decided to make a somewhat simple honeypot solution to try and address this issue.

Note: Use this code at your own risk. I am currently still testing whether this actually works (it did work in testing) and whether it's effective. If you've got any ideas how it could be improved, let me know!

# Operation

`form.html` is a fairly simple contact form that uses `redirector.php` as its action: `<form id="contactform" action="/redirector.php" method="POST">`. It contains two honeypot fields (in my use-case) of two different types:

  • A `type=hidden` field: `<input name="email" id="email" type="hidden" value="">`
  • A regular `type=text` field that is hidden with CSS: `<input name="name" id="name" type="text" autocomplete="off" style="opacity:0;position:absolute;z-index:-1;top:0;left:0;height:0;width:0" tabindex="-1">`

`redirector.php` checks whether the current visitor is already banned from sending forms, bans them if either honeypot field is triggered, forwards clean requests to FormSubmit, and shows an error message to banned visitors.

`formspam.php` contains all the logic.
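The flow described above, written out as an added example. This is not the AntiSpam project's own code: the honeypot field names `email` and `name` and the file names `log.txt` and `rules.txt` come from the project, while the directory layout, the rule names, the log format, the helper function names and the FormSubmit endpoint placeholder are assumptions made here.

```php
<?php
declare(strict_types=1);
// Added example in the style of redirector.php/formspam.php, not the project's code.

// Keep the log and the ban list outside the web root so they cannot be fetched
// over HTTP (assumed layout: a "private" directory beside the document root).
const LOG_FILE   = __DIR__ . '/../private/log.txt';
const RULES_FILE = __DIR__ . '/../private/rules.txt';

// A human never fills the honeypot fields, so any non-empty value marks the
// submission as automated. Each field maps to a rule name (assumed here) that
// is written to the log so the operator can see what tripped.
const HONEYPOT_RULES = [
    'email' => 'hidden-field-filled',      // <input type="hidden" name="email">
    'name'  => 'css-hidden-field-filled',  // text field hidden with CSS
];

/** Return the name of the rule the submission violates, or null if it is clean. */
function honeypot_rule(array $post): ?string
{
    foreach (HONEYPOT_RULES as $field => $rule) {
        if (isset($post[$field]) && trim((string) $post[$field]) !== '') {
            return $rule;
        }
    }
    return null;
}

/** True if this client address is already on the ban list (one IP per line). */
function is_banned(string $ip, string $rulesFile = RULES_FILE): bool
{
    if (!is_readable($rulesFile)) {
        return false;
    }
    $banned = file($rulesFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array($ip, array_map('trim', $banned), true);
}

/**
 * Record the infraction and ban the address. Returns the reference ID shown to
 * the visitor; the same ID sits in the log next to IP, UA, rule and payload.
 */
function ban(string $ip, string $ua, string $rule, array $post,
             string $logFile = LOG_FILE, string $rulesFile = RULES_FILE): string
{
    $ref   = bin2hex(random_bytes(4));
    $entry = [
        'ref'     => $ref,
        'time'    => date(DATE_ATOM),
        'ip'      => $ip,
        'ua'      => $ua,       // may legitimately be '' (bots often send no UA)
        'rule'    => $rule,
        'payload' => $post,     // the submitted fields, for later review
    ];
    // One JSON object per line; LOCK_EX prevents interleaved writes.
    file_put_contents($logFile, json_encode($entry, JSON_UNESCAPED_SLASHES) . PHP_EOL, FILE_APPEND | LOCK_EX);
    file_put_contents($rulesFile, $ip . PHP_EOL, FILE_APPEND | LOCK_EX);
    return $ref;
}

// ---- request handling, as redirector.php would do it ----
$ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';  // '' rather than an undefined index when the header is missing
$post = $_POST;

if (is_banned($ip)) {
    http_response_code(403);
    exit('You are not allowed to use this form.');
}

if (($rule = honeypot_rule($post)) !== null) {
    $ref = ban($ip, $ua, $rule, $post);
    http_response_code(403);
    exit('Your submission was rejected. Reference ID: ' . htmlspecialchars($ref, ENT_QUOTES));
}

// Clean submission: strip the honeypot fields and hand the rest to FormSubmit.
// The endpoint is a placeholder; how the project forwards is not shown on this page.
$forward = array_diff_key($post, HONEYPOT_RULES);
$ctx = stream_context_create(['http' => [
    'method'  => 'POST',
    'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
    'content' => http_build_query($forward),
    'timeout' => 10,
]]);
$result = @file_get_contents('https://FORMSUBMIT-ENDPOINT-PLACEHOLDER/', false, $ctx);
echo $result === false ? 'Delivery failed, please try again later.' : 'Thank you, your message was sent.';
```

Two details worth keeping when adapting this: the User-Agent is read with `?? ''` so a request without that header still gets logged instead of raising an undefined-index error, and the ban list is matched with strict `in_array` on trimmed lines so a partial match on a longer address cannot ban the wrong client.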

# Notes

  • You will probably want to restrict access to both `log.txt` and `rules.txt` in whatever way suits you, e.g. by placing the files outside of htdocs.
  • Each infraction is logged and returns a reference ID to the visitor; you can find that ID in the log along with the visitor details and the rule that led to the ban.
  • This code is most likely incomplete, and can be improved in many ways. If you think of something - let me know!