Phillip Smith

Ending Web form abuse and spam

Lately, "form spam" has been the bane of my existence. Anyone who runs more than one or two Web sites has probably had the experience of dealing with what can amount to hundreds of junk messages a day coming through different types of Web-based contact forms. "Report a bug," "Contact the Web team," "Write a letter to the Editor," etc. -- they're all targets for malicious spam bots and their ilk.

Recently I decided to double my previous efforts to find some solutions to Web-based form abuse.

Many of the organizations that I'm working with rely on a number of different systems to deliver content to the Web, which makes it more challenging to find a one-size-fits-all solution. That said, they all use a LAMP stack and several of them are using the Drupal content-management system in some capacity, e.g., to provide some front-end interactivity, user management, etc. So, the real opportunity was to find something that either played nice with Drupal, or was built in PHP/Perl/Python so that it could be integrated with Drupal where necessary.

The biggest challenge was that I'd been using a Web-form processing script that I was pretty happy with until now; it made it possible to set up a number of rather complicated forms with relative ease and lots of processing flexibility (automated e-mail responses, etc.). The shortcomings were no form protection and the data wasn't stored in a database. So, the first options that I looked at were ways to simply improve the existing forms with a "captcha" or something similar. The short-list of options were:

And, last but not least, the rather socially-responsible reCaptcha -- a service that helps the folks at Archive.org to digitize books.

Looking at reCaptcha got me thinking about Drupal again. Since the release of Drupal 5, I hadn't done a good review of what "Web form" capabilities and options were available -- so I thought it might be a good idea to have a quick look there too. A scan of the Projects page revealed a number of potential options including:

Both of these only deal with Drupal's basic site-wide contact form ... so they weren't quite right for my needs. Next stop was the Feeback module (which is maintained by Khalid Baheyeldin of DrupalCampToronto fame), which was quite close to what I was after, but didn't have enough form customization flexibility and appeared to have an issue with captcha integration.

Last stop was Web form (my new favourite module!). It offers complete form flexibility, validation and post-processing rules, and a great form data management interface. I guess this module's been around for a while, but this was the first time I'd taken the time to install it and play around.

After a quick tip from Adam Ma'anit that lead me to the Form store module, I was able to create some test contact forms and attach math-based "captcha points" to them.

And, finally, to make it possible for these Drupal-powered contact forms to play nice with non-Drupal pages, Webform allowed me to drop in a hidden field with a "%server[HTTP_REFERER]" variable, which pretty much reproduced the behaviour of the old forms by grabbing the URL of the referring (non-Drupal) page.

Score one for the good guys. Next up: making Forward module's "Send this page to a friend" functionality play nice with non-Drupal pages.

About

Hi, I'm Phillip Smith, a veteran digital publishing consultant, online advocacy specialist, and strategic convener. If you enjoyed reading this, find me on Twitter and I'll keep you updated.

Related

Raise a glass with the Uncharted Journalism Fund on Jan 17

At a time when much of the news about news is doom and gloom, the Uncharted Journalism Fund is braving stormy waters to help bring you in...… Continue reading