tonyjunkes/CFFormProtect-Revamp

This repository has been archived by the owner on Jul 12, 2021. It is now read-only.
Note: This project has been archived. I haven't used it in ages and have no intention to continue maintaining it at this time. Feel free to fork the repo to pick up where I left off.

CFFormProtect :: Revamp

A modern conversion of the original CFFormProtect into full CFScript & then some. . .

What is CFFormProtect?

CFFormProtect is a fully accessible form protection system, invisible to users, that stops spam bots and even human spammers. CFFormProtect works like some email spam protection systems, in that it uses a series of tests to find out whether a form submission is from a spammer or not. Each test is assigned a number of points, and each test that is failed adds its points to the submission's total. Once a form submission passes the threshold of 'spamminess', the message is flagged as spam and is not posted. The points assigned to each test and the failure limit are easily configurable by you.

CFFormProtect uses these tests to stop spam:
  • Mouse movement: Did the user move their mouse? If not, it might be a spammer. This test is not very strong because lots of people, including the blind, don't use a mouse when filling out forms. Thus I give this test a low point level by default.

  • Keyboard used: Did the user type on their keyboard? This is a fairly strong test, because almost everybody will need to use their keyboard when filling out a form (unless they have one of those form filler browser plugins).

  • Timed form submission: How long did it take to fill out the form? A spam bot will usually fail this test because it's automated. Also, sometimes spam bot software will have cached form contents, so the form will look like it took days to fill out. This test checks for an upper and lower time limit, and these values can be easily changed to suit your needs.

  • Hidden form field: Most spam bots just fill out all form fields and submit them. This test uses a form field that is hidden by CSS, and tests to make sure that field is empty. If a blind person's screen reader sees this hidden field, there is a field label telling them not to fill it out.

  • Too many URLs: This function was added by Dave Shuck. Many spammers like to submit a ton of URLs in their posts, so you can configure CFFormProtect to count how many URLs are in the form contents, and raise a flag if the number is above a configured limit.

  • Spam keyword list: This function was added by Mary Jo Sminkey. This test allows you to configure a list of spammy words and phrases that will be used to weed out spam. For example, if you use the phrase 'free music', a message containing that phrase might get tagged as spam while just the word 'music' will pass the test. There is a default list of words/phrases included in the config.json file.

  • Akismet: Most of the above tests can be easily bypassed if a spammer hires cheap labor to manually fill out forms. However, Akismet attempts to stop that as well. Akismet is a service provided by the folks that run WordPress (http://akismet.com/). The free service (for personal use) takes form contents as input, and returns a yes/no value to tell you if the submission is spam. This test is disabled by default because you have to obtain an API key. This is easy to do, and CFFormProtect is easy to configure if you want to use Akismet.

  • LinkSleeve: LinkSleeve is similar to Akismet, but it is free for everybody including commercial use. No API key is required. I don't think LinkSleeve is as popular as Akismet (yet), but in my testing it worked pretty well. Unlike Akismet, I turned this test on by default because it is free and you don't have to do anything special to configure it for your site.

  • Project Honey Pot: Like Akismet, Project Honey Pot can stop manual spammers as well. Project Honey Pot is a free web service that identifies spammers by their IP address. They maintain a huge database of known spammer IP addresses. If you choose to use this service, CFFP will verify the IP address of your site's visitors before it will allow them to submit data through your forms.

The beauty of CFFormProtect is that any of the above tests can fail, and the spam bot can still be stopped. And all of this is possible without making your users type in hard to read text, and your forms are accessible. And you don't have to maintain a black list or use an approval queue.

Getting Started:

  1. Copy the cfformprotect folder into your web root.
  2. On your form page, add this line of code: <cfset cffp = createObject("component", "cfformprotect.CFFPVerify").init()>.
  3. Put <cfinclude template="/cfformprotect/cffp.cfm"> somewhere between your form tags. You could also include this instead: <cfoutput>#cffp.renderCFFP()#</cfoutput>
  4. In your processing page include the following code:

         cffp = createObject("component", "cfformprotect.CFFPVerify").init();
         // Now we can test the form submission.
         if (cffp.testSubmission(form)) {
             // The submission has passed the form test. Place processing here.
         } else {
             // The test failed. Take appropriate failure action here.
         }

  5. Set up your email settings and Akismet in config.json, if you want to use those features (if you leave the email settings blank, you won't receive an email when a spammer tries to attack your forms).

Customization:

  • You can change the values in config.json if you want to tweak how CFFormProtect operates. Descriptions of the values are below.
  • If you want to use Project Honey Pot, sign up for an API key at http://www.projecthoneypot.org/, and then configure the Project Honey Pot directives according to the directions below.
  • You can specify a different config file than the default (config.json) in your init code. Check out the init function in CFFPVerify.cfc to see how to do this.

Config File Settings (config.json):

| Config Name | Default | Type | Accepted Values | Description |
|---|---|---|---|---|
| mouseMovement | 1 | boolean | 1, 0 | Enable/disable the mouse test. This test makes sure the user moved their mouse. |
| usedKeyboard | 1 | boolean | 1, 0 | Enable/disable the keyboard test. This test makes sure the user used their keyboard. |
| timedFormSubmission | 1 | boolean | 1, 0 | Enable/disable the timed form test. This test checks how long the form entry and submission took. |
| hiddenFormField | 1 | boolean | 1, 0 | Enable/disable the hidden form field test. This test makes sure a CSS-hidden form field is empty. |
| akismet | 0 | boolean | 1, 0 | Enable/disable the Akismet test. Uses the public Akismet service to test if form contents are spam. This is off by default, because you have to provide the details in the second section for Akismet to work. Akismet is not a free service and requires the application to exchange data with the outside world. |
| LinkSleeve | 1 | boolean | 1, 0 | Enable/disable the LinkSleeve test. Uses the public LinkSleeve service to test if form contents are spam. |
| tooManyUrls | 1 | boolean | 1, 0 | Enable/disable the tooManyUrls test. This test adds up the number of URLs found in all of the submitted form fields, and marks the submission as spam if the total exceeds the limit configured by the tooManyUrlsMaxUrls variable in the config file. |
| teststrings | 1 | boolean | 1, 0 | Enable/disable the teststrings test. This test compares the words in the form submission to a list of configurable "spammy" words, and marks the submission as spam if one of these words is found. The list can be edited via the spamstrings variable in the config file. |
| projectHoneyPot | 0 | boolean | 1, 0 | Enable/disable the Project Honey Pot test. Project Honey Pot is a free web service that checks the IP address of your site's visitor. They maintain a huge database of known spammer IP addresses, and when a user submits your form, this test checks their IP address. This is off by default, because you have to provide the API key in the second section. |

Individual Test Config

| Config Name | Default | Type | Accepted Values | Description |
|---|---|---|---|---|
| timedFormMinSeconds | 5 | numeric | whole number only | The minimum seconds allowed for a user to fill out the form. |
| timedFormMaxSeconds | 3600 | numeric | whole number only | The maximum seconds allowed for a user to fill out the form. |
| encryptionKey | JacobMunsOn | string | longer is better | Used in the timedForm test to encrypt the time so it can be stored in a hidden form field (to help fool the spammers). |
| akismetAPIKey | [null] | string | valid Akismet key | The API key that you received from Akismet. |
| akismetBlogURL | [null] | string | valid URL | The URL of your site; this is a required value for the Akismet service. |
| akismetFormNameField | [null] | string | valid field name | The name of your "Name" form field. |
| akismetFormEmailField | [null] | string | valid field name | The name of your "Email address" form field (optional). |
| akismetFormURLField | [null] | string | valid field name | The name of your "URL" form field (optional). |
| akismetFormBodyField | [null] | string | valid field name | The name of your "Comment" form field. |
| tooManyUrlsMaxUrls | 6 | numeric | whole number only | The maximum number of URLs that can be passed in the form contents. |
| spamstrings | free music, download music, music downloads, viagra, phentermine, viagra, tramadol, ultram, prescription soma, cheap soma, cialis, levitra, weight loss, buy cheap | string | comma-separated list | A list of strings that form contents will be compared to. |
| projectHoneyPotAPIKey | [null] | string | valid Project Honey Pot key | The API key that you received from Project Honey Pot at http://www.projecthoneypot.org/. |

Failure Limit

| Config Name | Default | Type | Accepted Values | Description |
|---|---|---|---|---|
| mouseMovementPoints | 1 | numeric | whole number only | Points given for the mouse movement test. |
| usedKeyboardPoints | 1 | numeric | whole number only | Points given for the used keyboard test. |
| timedFormPoints | 2 | numeric | whole number only | Points given for the timed form test. |
| hiddenFieldPoints | 3 | numeric | whole number only | Points given for the hidden field test. |
| akismetPoints | 3 | numeric | whole number only | Points given for the Akismet test (if used). |
| linkSleevePoints | 3 | numeric | whole number only | Points given for the LinkSleeve test. |
| tooManyUrlsPoints | 3 | numeric | whole number only | Points given for the URL count test. |
| spamStringPoints | 2 | numeric | whole number only | Points given for the spam string test. |
| projectHoneyPotPoints | 3 | numeric | whole number only | Points given for the Project Honey Pot test (if used). |
| failureLimit | 3 | numeric | whole number only | The total number of points you will allow before flagging a message as spam. Each test that fails assigns "failure points" to the form submission. If the total points exceed the failureLimit, the message will not be sent. |

Email Settings

| Config Name | Default | Type | Accepted Values | Description |
|---|---|---|---|---|
| emailFailedTests | 0 | boolean | 1, 0 | Enable/disable emailFailedTests to receive email reports in case of spam detection. |
| emailServer | [null] | string | valid address | Email server address. |
| emailUserName | [null] | string | valid username | Email account user name. |
| emailPassword | [null] | string | valid password | Email account password. |
| emailFromAddress | [null] | string | valid email address | Email address used for the "from" field. |
| emailToAddress | [null] | string | valid email address | Email address used for the "to" field. |
| emailSubject | [null] | string | valid email subject | Email subject. |

Logging

| Config Name | Default | Type | Accepted Values | Description |
|---|---|---|---|---|
| logFailedTests | 1 | boolean | 1, 0 | Enable/disable logging of spam submissions. |
| logFile | [null] | string | valid file name | Specifies a different log file name. |

TODOs / Notes:

There's no true direction with this conversion except to bring some of the code up to speed in script a bit and possibly make some of the functionality simpler.

There are some minor changes that will be documented as time allows. For the most part, general code based on the original version of CFFormProtect is more or less compatible. In this variation though, cffp.ini.cfm is now config.json.

Contributors:

CFFormProtect was created by Jake Munson with the CFC implementation by Dave Shuck. Other contributors include Mary Jo Sminkey, Ben Elliott & Bas van der Graaf. All credit for this project goes to these individuals and anyone else I may not have been aware of.

For more info & details on the original project, see: http://cfformprotect.riaforge.org/. A PHP port of CFFormProtect was created by Dan McCarthy which can be found here: https://github.com/mccarthy/phpFormProtect.

Conversion to CFScript and various other modifications found in this repo by Tony Junkes (@tonyjunkes).
