Add anti form spam procedures

I was receiving spam messages, which is quite an issue for my site as the email addresses from the forms get saved into the database and newsletters are sent to subscribers, so all the spam was filling up the database and mailing list with rubbish.

I tried adding first tier antispam measures like the Google Captcha directly through Wappler which is super simple to setup, but was still having at least 5 spam messages getting through per day.

Next I tried the honeypot method as well as the Google captcha, both working together, and that certainly helped, however I am still getting 1 to 2 spam messages per day, which is not bad, but I wanted no spam messages, or maybe 1 a week.

Akismet is a service I have used many times and although most think this is only for WordPress, it is not, and they have prebuilt libraries on their site for various languages including PHP, JS and Node.js. For me I wanted to make this work the Wappler way, with no coding, and it did, so here is a write-up on how to add the Akismet service to your website.

  1. Go to akismet.com, click "SIGN UP FOR AKISMET NOW"
  2. Enter an Email, Username, Password
  3. Add Subscription, Click "Get Personal" under Name Your Price
  4. Credit Card details come up, drag the price slider to $0 / YEAR
    a. The credit card details area switches to a NON-COMMERCIAL LICENCE asking for a First Name, Last Name, and most importantly a Personal Site URL.
    b. Click the checkboxes, and continue.
    Obviously if you are running a shop or something like that, they even sell a 1 dollar package, so to avoid possible issues maybe do that if you like. The service in my opinion is worth it.

Once the form processes, it should say Awesome! in green and display an API key, you can close this as on the dashboard your API Key always shows.

Now off to Wappler
I have a few forms on my site, so I am only going to show you an example of the easiest one, as the rest is just more of the same stuff. This form asks for one thing, an email address, that's it; if the user enters their email and hits submit, they are subscribed to our newsletter.
There is a second hidden field as well for the honeypot.

<form is="dmx-serverconnect-form" id="newsletter_signup_form" method="post" action="dmxConnect/api/newsletter_signup.php">
	<div class="form-group">
		<div class="input-group">
			<input type="text" name="inp_honey" id="inp_honey" value="" autocomplete="off" class="d-none" />

			<label for="emailNews" class="col-form-label">SIGN UP</label>
			<input type="email" class="form-control" id="emailNews" name="emailNews" is="dmx-input" value="" required="" data-rule-email="">
			<div class="input-group-append">
				<button class="btn bg-dark input-group-text" type="submit">&#9002;</button>
			</div>
		</div>
	</div>
</form>

So this is a 2 section API call: first we have to verify our account on each form submission, and if they send back a response of "valid" for the user account, then run the second API call and send through some of the form fields so they can check it against their spam database and send back a response of either false to denote NOT SPAM, which they call HAM, or true, which means it is SPAM.

You are meant to set up a third area, like a control panel, so your users can also check the dashboard and register false positive matches etc., however for my purposes I may do that later on one day. For now, if the email is NOT SPAM I allow it to email all the relevant people and add the entry into my database; if it IS SPAM, I send a single email to myself so I can check it.

Let's continue, in Wappler

New Server Action

Globals > $_SERVER (add the following as normal Variables - Text)

HTTP_USER_AGENT
HTTP_REFERER
REMOTE_ADDR
REQUEST_URI

Globals > $_POST (add the form input names I needed, obviously add your own)

inp_honey
emailNews

Now we need to setup our Execute Steps

Condition {{$_POST.inp_honey}}

THEN
Response Step: Name: Failed, Status: 500, Text: You ate the honey.

ELSE
API Action Step: ID: apiAkismet, Output: ON, Pass Errors: ON, Url: https://rest.akismet.com/1.1/verify-key, Method: POST, Data Type: Form, Authorization: None

Input Data
Name: key, Value: Your-API-Key

Name: blog, Value: {{'https://www.yourwebsitename.com/'+$_SERVER.REQUEST_URI.urlencode()}}

Click Define API Schema, click Fetch Schema, it should fetch and give a source output of invalid

SAVE
Add another condition Still inside the ELSE after the API Action Step
Condition {{apiAkismet.data == "valid"}}

THEN
API Action Step: ID: apiAkismetValid, Output: ON, Pass Errors: ON, Url: https://YOUR-API-KEY.rest.akismet.com/1.1/comment-check, Method: POST, Data Type: Form, Authorization: None

Input Data
Name: blog, Value: {{$_SERVER.HTTP_REFERER.urlencode()}}

Name: user_ip, Value: {{$_SERVER.REMOTE_ADDR.urlencode()}}

Name: user_agent, Value: {{$_SERVER.HTTP_USER_AGENT.urlencode()}}

Name: referrer (intentional incorrect spelling), Value: {{$_SERVER.HTTP_REFERER.urlencode()}}

Name: permalink, Value: {{$_SERVER.HTTP_REFERER.urlencode()}}

Name: comment_type, Value: 'signup'

Name: comment_author_email, Value: {{$_POST.emailNews}}

Click Define API Schema, click Fetch Schema, it should fetch and give a source output of Missing required field: blog.

SAVE
 
 
ELSE
Response Step: Name: AkismetInValidUser, Status: 500, Text: You are not a valid Akismet User
Add another condition into the above THEN step AFTER the API Action Step
Condition {{apiAkismetValid.data == false}}
THEN (Add your normal form stuff like Mailer Setup and Send Mail and Database Connections and Inserts)
ELSE (Just sends a copy of the form to me in case of a false positive)

I know this may look difficult on the surface, however it is only because of the way I have had to write it; it would have been easier to send screenshots, but half the data is cut off on those so you would not see what to enter.

Any issues with the first validation step, check here: Getting started – Akismet
For issues with the form submission, and to see what additional fields they support, you really need to check this: Getting started – Akismet

If someone else feels like writing the dashboard that confirms SPAM vs HAM false positives etc., that would be cool, please share it afterwards.
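The same three-step flow as a server-side handler, written here as an added example; it is not the original post's Wappler server action and not one of Akismet's own client libraries. The endpoint URLs and field names (blog, user_ip, user_agent, referrer, permalink, comment_type, comment_author_email, is_test) are Akismet's; the form field names inp_honey and emailNews come from the post's form; everything else (check_signup, fake_akismet, demo, the key EXAMPLEKEY, the site URL and the constructed submissions) is this example's own. The HTTP transport is injectable so the flow can be exercised offline with canned replies, and the same function talks to the real endpoints when the default transport is used.

```python
"""Akismet screening for a newsletter sign-up form (added example, see lead-in).

Mirrors the post's three steps as plain HTTP calls: honeypot check, then
verify-key, then comment-check, and returns a verdict the form handler
branches on (insert + mail for ham, a copy to the site owner for spam).
"""
from dataclasses import dataclass
from typing import Callable, Mapping
from urllib.parse import urlencode
from urllib.request import Request, urlopen

VERIFY_KEY_URL = "https://rest.akismet.com/1.1/verify-key"
COMMENT_CHECK_URL = "https://{key}.rest.akismet.com/1.1/comment-check"

# A transport takes (url, form fields) and returns the response body as text.
Transport = Callable[[str, Mapping[str, str]], str]


def http_post(url: str, data: Mapping[str, str]) -> str:
    """Real transport: form-encoded POST with a timeout, body returned as text."""
    req = Request(url, data=urlencode(data).encode(),
                  headers={"User-Agent": "newsletter-signup/1.0 | example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


@dataclass
class Verdict:
    outcome: str       # "honeypot" | "invalid_key" | "ham" | "spam" | "error"
    detail: str = ""   # raw Akismet reply or exception for the non-ham/spam cases


def check_signup(form: Mapping[str, str], server: Mapping[str, str],
                 api_key: str, blog_url: str,
                 transport: Transport = http_post, is_test: bool = False) -> Verdict:
    """Screen one submission. `form` is $_POST, `server` is $_SERVER."""
    # Step 1: honeypot. A browser leaves the CSS-hidden field empty; a bot that
    # fills every input it finds trips it before we spend an API call.
    if form.get("inp_honey", "").strip():
        return Verdict("honeypot", "You ate the honey.")
    try:
        # Step 2: verify-key. Akismet answers with the literal body "valid"/"invalid".
        reply = transport(VERIFY_KEY_URL, {"key": api_key, "blog": blog_url}).strip()
        if reply != "valid":
            return Verdict("invalid_key", reply)
        # Step 3: comment-check. "blog" is the site's own configured front-page
        # URL rather than the Referer header (client-supplied, often absent);
        # Referer only feeds the informational referrer/permalink fields. Values
        # are form-encoded once by the transport, so no per-field urlencode.
        fields = {
            "blog": blog_url,
            "user_ip": server["REMOTE_ADDR"],  # behind a proxy, resolve the client IP first
            "user_agent": server.get("HTTP_USER_AGENT", ""),
            "referrer": server.get("HTTP_REFERER", ""),  # Akismet's own spelling
            "permalink": server.get("HTTP_REFERER", ""),
            "comment_type": "signup",
            "comment_author_email": form["emailNews"],
        }
        if is_test:
            fields["is_test"] = "1"  # Akismet will not learn from this submission
        reply = transport(COMMENT_CHECK_URL.format(key=api_key), fields).strip()
    except Exception as exc:  # network error, timeout, missing form field
        return Verdict("error", repr(exc))
    if reply == "false":
        return Verdict("ham")       # NOT SPAM: run the normal insert + mail steps
    if reply == "true":
        return Verdict("spam")      # SPAM: e.g. mail a copy to the owner only
    return Verdict("error", reply)  # e.g. "Missing required field: blog."


def fake_akismet(replies: Mapping[str, str]) -> Transport:
    """Constructed offline transport: one canned reply body per endpoint URL."""
    def transport(url: str, data: Mapping[str, str]) -> str:
        if url != VERIFY_KEY_URL and not data.get("blog"):
            return "Missing required field: blog."  # what Akismet says for an empty blog
        return replies[url]
    return transport


def demo() -> dict:
    """Run the flow over constructed submissions; returns outcome per scenario."""
    key, blog = "EXAMPLEKEY", "https://www.yourwebsitename.com/"  # placeholders
    server = {"REMOTE_ADDR": "203.0.113.7", "HTTP_USER_AGENT": "Mozilla/5.0",
              "HTTP_REFERER": "https://www.yourwebsitename.com/"}
    check_url = COMMENT_CHECK_URL.format(key=key)
    says_ham = fake_akismet({VERIFY_KEY_URL: "valid", check_url: "false"})
    says_spam = fake_akismet({VERIFY_KEY_URL: "valid", check_url: "true"})
    bad_key = fake_akismet({VERIFY_KEY_URL: "invalid"})
    clean = {"inp_honey": "", "emailNews": "reader@example.com"}
    bot = {"inp_honey": "http://spam.example", "emailNews": "bot@example.net"}
    return {
        "honeypot": check_signup(bot, server, key, blog, says_ham).outcome,
        "ham": check_signup(clean, server, key, blog, says_ham).outcome,
        "spam": check_signup(clean, server, key, blog, says_spam).outcome,
        "invalid_key": check_signup(clean, server, key, blog, bad_key).outcome,
        "no_blog": check_signup(clean, server, key, "", says_ham).outcome,
    }


if __name__ == "__main__":
    print(demo())
```

The `error` outcome is deliberately separate from `spam` so the handler can decide whether a failed Akismet call should block the subscription or let it through with a copy to the owner, which is the same decision "Pass Errors: ON" leaves to the Wappler flow.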


Nice post Paul, I am having spam issues with a site also, may just give it a try.

I think it's very, very worthwhile, I got maybe 1 false positive in the last 2 years, so it really works well

I see on the docs at Akismet there are many libraries for Laravel etc. Might be a good opportunity for Wappler to be in the list of apps that support it.


One simple way I have tried is the honey trap, but I named the honey trap input ‘surname’ and hid it with css.
Since I have done this 4 weeks ago, I have not had one single spam email through. I was getting around 10-15 per day !


Can you explain a bit more Peter?

@UKRiggers
That's already explained in the following topic, where you also commented and I explained everything ...

Hi Gunnery, I did not really name the input inp_honey, that was really more just to show what input the honeypot was for everyone here. In reality when I first made it I actually called it name, and made sure the autofill was not on; after I still got a few junk mails I decided to change it to inp_honey.
Just for anyone else's info though, the honeypot was sufficient and seemed to work on my larger form, where I needed more than just an email address. It only seems to be this one, where I virtually need nothing, that I had the issue, however since I added Akismet I am happy to say I have had no more spam still.

Well, at least nothing that stood out as spammy. It is only an email address, so any email could be spam, but I haven't got any subscribes from getinstantabs@gmail.com or ineedtogiveyouabilliondollars@hotmail.com so I am more assuming I have had no spam.

As per @Teodor's link, follow that.
I initially did that but still got spammy emails through on contact forms etc. Then I tried again, and the only difference I made was naming the input 'surname'.
My figuring was these bots must have some logic behind them to get through captchas etc., which is why I used what would be a logical field for them to fill in, and touch wood, I've not had 1 spammy email through since.
I use this now on ALL forms that I do for websites.
Certainly not knocking @psweb's method, as that obviously works very well also. It's just an alternative.


@gunnery
As long as I remember, your issue was that you used a hidden input instead of hiding a text input using CSS :slight_smile:


I used the Bootstrap built-in class d-none on my form input; the reduction in spam from that was huge though, and on most sites I think it would be more than sufficient to be honest.


Partly correct @Teodor, when I named it 'ht' I still got a few spam emails through (2 or 3 a day); since changing the name I've had none through. Maybe coincidence, maybe not.

Now we have this, also look at using CSRF tokens
