Lately I’ve been getting a crap-ton (metric, not imperial) of spam via my Contact form. Apparently, some spambot figured out my form parameters and ran with it. I have no idea what Ugg Boots are, but I assure you I will never buy a pair. Then again, these idiots never actually sent anything across other than “Nice Posts!” and the title UGG BOOTS, so even if I suddenly found the urge to be cool, I couldn’t buy them anyway.
Anywho, I noticed what was happening was that the scripts were reading the form’s action, the fields, filling them in, then submitting. So, being that I maintain Ansible all on my own, I did a cheesy fix (and this will only work until someone wastes their time trying to get around Ansible, which runs an entirety of one blog, so the ROI isn’t quite there).
Now, if the scripts running against the blog were simply doing the POST directly, this won’t work, but looking at logs, it appeared that each spam I got was preceded by a call to the Contact page itself, so I assume the script simply looked for that particular data and ran with it.
That data is no longer there.
It’s cheap & easy, but so far, I’ve gotten 0 spam today. Then again, I’ve gotten 0 contacts but that was a rarely used form as it is.
I hate spammers, not only because of the millions of dick pill emails they send out, but because it forces crap like CAPTCHA on us. Any time you make your system harder for a spambot to use, you end up making it harder for real people to use too.
So far, comment spam has been pretty much eliminated thanks to Akismet. Hopefully this new fix will stop the Contact spam.
If you try to get a hold of me via Contact and it doesn’t work, let me know. Although how you can let me know without contacting me via the contact form is an exercise I will leave up to you.