TulipTools Internet Business Owners and Online Sellers Community

Full Version: Website Form Spam: Alternatives to captchas
Quote: Quite a while ago (2 years?) we started using a contact form. Part of the reason for the contact form was to avoid having to post our e-mail address to the site. Because we all know that posting your e-mail address on any web site is a sure way to get spammed to death. However, over the last year, the amount of spam sent via our contact form has exploded, and it was time to figure out how to combat it.

For a brief time we used "captchas". The idea is simple. You add a hard-to-read image of a few random letters asking a submitter to identify themselves as "human" by entering the text. However, the problem is obvious: To make it hard to OCR the image, it has to be quite hard to read. I came across one Perl script used by a bot that can recognize simple captchas in a second. Good captchas need to use colors, distorted letters and such, making them hard to read for many humans even if they have good eyesight. Using such a form can be difficult if you have bad vision. Our somewhat ugly homemade captcha solution caused submissions to drop by about 30%, which wasn't acceptable.

Next, we implemented a couple of simple keyword filters. They worked OK, but it's kind of hard for us. What about people who are trying to send us a report that they see a bot that sends "Viagra" ads?

Another approach we took (and still take to some extent) is to block spammers...

full article: http://isc.sans.org/diary.php?storyid=1836