# contact form to log ip address



## GARETH86B (May 4, 2003)

hi everyone

i have created a form for my website which submits and stores the data into an access database. When the user clicks submit todays date, name, email, and comments are stored into the database. A friend of mine suggested that i should log the users ip to reduce spam. all i nead to know is how i could get the computers ip into a text box if this is possible..

thanks for your help

Gaz


----------



## Rockn (Jul 29, 2001)

It's possible, but not everyones IP address stays the same and I am not sure how this would reduce SPAM.


----------



## namenotfound (Apr 30, 2005)

Rockn said:


> I am not sure how this would reduce SPAM.


If he gets a lot of SPAM from the same IP address each time, he could block that IP from his site, and do a DNS lookup to get the Internet Service Provider and telephone or email them with a complaint, if the complaint is serious enough sometimes the ISP will drop the user leaving him without Internet.... but that's usually only in very extreme cases.


----------



## namenotfound (Apr 30, 2005)

GARETH86B said:


> all i nead to know is how i could get the computers ip into a text box if this is possible..




```
<?php $ip = $_SERVER['REMOTE_ADDR']; ?>
```


```

```
Then when he fills out and submits the form, that hidden input field is also sent, so you'll be sent his IP along with his message in the email.


----------



## brendandonhu (Jul 8, 2002)

That method could easily be forged, I would capture their IP in the script directly and save it to the database rather than putting it in the form field.


----------



## thecoalman (Mar 6, 2006)

namenotfound said:


> If he gets a lot of SPAM from the same IP address each time, he could block that IP from his site.


Trouble with that is most spam is coming from multiple IP adresses usually from open proxies and they are using bots. Getting the IP will only help for someone that is harassing you that doesn't know any better. To prevent spam add a human question to your form Ex: What color is an apple? Only a very sophisticated bot would be able to get by that such as one using AIML, http://www.40lbhead.com/head2head/headbot/

To prevent one that could decipher the question throw an image into the mix such as one with 10 different colored lines, How many red lines? How many blue? etc.

Edit:LOL... my bot is stupid...



> You: what color is an apple
> HeadBot: Orange
> You: a apple is red
> HeadBot: Aren't all apple red ?


----------



## Rockn (Jul 29, 2001)

And not to mention the administrative nightmare it would take to stay on top of it.....no thanks.


----------



## namenotfound (Apr 30, 2005)

thecoalman said:


> Trouble with that is most spam is coming from multiple IP adresses usually from open proxies and they are using bots.


True



thecoalman said:


> http://www.40lbhead.com/head2head/headbot/


LOL



> You: what color is george washingtons WHITE horse?
> HeadBot: Black
> You: are you sure?
> HeadBot: I am as sure as I can be.


----------



## thecoalman (Mar 6, 2006)

It's only as smart as the word pool and what it has associated with it. Complex questions or sentences it has trouble with but if you try and converse with it like you would chatting with someone it works pretty well.

Here's an example:


```
<category>
<pattern>I AM A LIBRARIAN</pattern>
<template><random>
<li>What kind of institution do you work for?</li>
<li>What got you interested in librarianship?</li>
<li>How is your library using the new technology?</li>
<li>Have funding cuts affected your service?</li>
<li>Has the internet affected you?</li>
<li>Do you get involved in the selection process?</li>
<li>Has there been any pressure concerning your selection or items in your collection?</li>
<li>Do you have a library cat?</li>
</random>
<think><set name="job">LIBRARIAN</set></think>
</template></category>
<category>
```
It can for example pick out the word lbrarian as well if there is a listing for librarian. It only appears as smart as the amount of data it has. Currently I think the set I have occupies about 19MB of the database. You can make up customized sets, it's also supposed to be able to learn but I don't think I have it set up properly. This particualr one is set up in the forum on that site so it can identify you as well if your a member and use your nick. 

There's more here if your interested:http://www.alicebot.org/


----------



## brendandonhu (Jul 8, 2002)

Bots could just keep refreshing the page until they've captured all your questions. That's why most people use an image CAPTCHA with random letters/numbers.


----------



## thecoalman (Mar 6, 2006)

Those have been defeated too, the phpbb version for example can be defeated 98% of the time. The basic problem is if a human can read it so can a computer, there's more here: http://sam.zoy.org/pwntcha/

That's why I like the idea of combining a question with an image. You could for example put a bunch of objects in the image and ask what is third object from the right. The bot would first have to determine what it is you are asking then determine what the object is.... which for all intents and purposes is impossible.


----------



## brendandonhu (Jul 8, 2002)

Its only defeated if you use a weak Catpcha like phpBB. You use random fonts, random colors, and random rotation and there's no way PWNtcha is going to be able to solve it.

The problem with using pictures of objects is that you have to add every object and its name by hand. With numbers and letters you can generate an infinite amount of different Captchas. You could also end up with 1 user that enters "Bicycle" for your captcha, and another users that enters "bike" or "cycle".


----------



## thecoalman (Mar 6, 2006)

brendandonhu said:


> Its only defeated if you use a weak Catpcha like phpBB.


phpbb is easily defeated because as you stae it is weak but harder ones have been defeated as well... 33% succes rate and these are very hard to read for a human: http://www.cs.sfu.ca/~mori/research/gimpy/hard/



> The problem with using pictures of objects is that you have to add every object and its name by hand. With numbers and letters you can generate an infinite amount of different Captchas. You could also end up with 1 user that enters "Bicycle" for your captcha, and another users that enters "bike" or "cycle".


True that it can be a pain but since it's so hard to defeat you only need a few. Spammers aren't going to spend the time to manually input the correct answer into the bots brain for every single site, it would be an enormous task. As far as the last problem this true to some extent but you could add the different answers where applicable.

I just implemented this on a phpbb board and have had 0 spammers since. Works very well.


----------



## brendandonhu (Jul 8, 2002)

I think that's a good Captcha- spammers aren't going to spend their time on your form if they can only pass it 33% of the time. Plus you would generally block users after getting a captcha wrong a certain number of times.


----------



## namenotfound (Apr 30, 2005)

brendandonhu said:


> Its only defeated if you use a weak Catpcha like phpBB. You use random fonts, random colors, and random rotation and there's no way PWNtcha is going to be able to solve it.


And then your left with users that have poor eyesight unable to use the site. You have to think about accessability for the disabled.


----------



## brendandonhu (Jul 8, 2002)

Yep, a lot of sites offer audio CAPTCHAs for those users.


----------



## thecoalman (Mar 6, 2006)

brendandonhu said:


> I think that's a good Captcha- spammers aren't going to spend their time on your form if they can only pass it 33% of the time.


I don't see why they wouldn't they only need to load it 3 times. We are after referring to bots here, 1 time or 3 times makes no difference to them.



> Plus you would generally block users after getting a captcha wrong a certain number of times.


True but the examples in those links are pretty hard to read. Under the assumption that the bot is going to get it right on the third try you'd have to limit the human to 2 tries.

What none of this addresses though (even my example), is the visually impaired..... damn spammers. 

Edit: NVM...just saw you audio post, that's a good idea as well.


----------



## brendandonhu (Jul 8, 2002)

> I don't see why they wouldn't they only need to load it 3 times. We are after referring to bots here, 1 time or 3 times makes no difference to them.


Here's the thing- if they're trying to spam your form, they're going to make repeated requests one after another. Limit each user to getting the Captcha wrong 5 times per day and the bot won't be able to hit your form more than a couple times (of course there's some small chance that a user will fail the captcha 5 times and get locked out.) You could even get fancy with it and make the user wait 5 seconds between each attempt at the captcha.


----------



## namenotfound (Apr 30, 2005)

brendandonhu said:


> Yep, a lot of sites offer audio CAPTCHAs for those users.


what about those that have poor eyesight and are hearing impaired?

Can't correctly hear the audio, maybe their hearing aid has a bad battery or they don't have it in, or they can't afford one.

Or even more sad, they are 100% def and can't hear anything.


----------



## brendandonhu (Jul 8, 2002)

Then its up to you whether blocking spam or being accessible is more important...some bigger sites offer manual verification (telephone or email) for those cases. W3C has an interesting whitepaper on accessible CAPTCHAs.


----------



## namenotfound (Apr 30, 2005)

I still think the best way to go is text-based. Having an infinant amount of questions and answers, a bot won't be able to get them all.

I've seen a couple of very successful sites use text-based varification.


----------



## brendandonhu (Jul 8, 2002)

Sure, but how do you get an infinite number of questions of answers? All captchas have their weaknesses although W3C seems to like the word puzzles types you're talking about. They note that those also have accessibility problems for "users with cognitive disabilities", so no captcha is going to work 100% for everyone.


----------



## namenotfound (Apr 30, 2005)

Math

What is 5 plus 2?

[_]7
[_]5
[_]10
[_]3

Have the script randomly put two numbers together, calculate an answer, then toss it in with three random false answers


----------



## brendandonhu (Jul 8, 2002)

The problem is that its easy to crack just like the simple image captchas.
A script can get the correct answer for "What is 5 plus 2?" easily. You can add some randomness to it ("What is 5 and 2?" then "What is 5 more than 2") which makes it take longer to crack, but its still not too difficult.

EDIT: Good example- copy and paste the captcha you posted into Google and see what it gives you.


----------



## namenotfound (Apr 30, 2005)

That was just a quick example, you can do other things like.

Which one of these is not living?

[_]fish
[_]cat
[_]rock
[_]turtle

And have the script mix up the questions between math and questions like the above. Keeping that infinate amount of questions/answers aspect.


----------



## thecoalman (Mar 6, 2006)

AIML if programmed correctly I would imagine be able to defeat many of those questions purely in text form. As I said you can teach it too. There's a backend for questions that it didn't understand, I'd also imagine that the spammers could program it to list answers that were incorrect. The "intellect" of the bot is only limited by it's database. The one on my site is pretty simple and based on a very old program that's over a decade old and doesn't have a huge database so it's quite stupid.


----------



## brendandonhu (Jul 8, 2002)

namenotfound said:


> That was just a quick example, you can do other things like.
> 
> Which one of these is not living?


That sounds about right, you'd just have to come up with a good range of questions to discourage bots from grabbing the answers to all of them. I would also make it more than 4 multiple choice options so that its not worth it for the bot to guess randomly (not that this stuff has anything to do with the thread anymore, but it would be an interesting discussion if we split it.)


----------

