Add anti form spam procedures

I was receiving spam messages, which is quite an issue for my site as the email addresses from the forms get saved into the database and newsletters are sent to subscribers, so all the spam was filling up the database and mailing list with rubbish.

I tried adding first tier antispam measures like the Google Captcha directly through Wappler, which is super simple to set up, but was still having at least 5 spam messages getting through per day.

Next I tried the honeypot method as well as the Google captcha both working together, and that certainly helped, however I am still getting 1 to 2 spam messages per day, which is not bad, but I wanted no spam messages, or maybe 1 a week.

Akismet is a service I have used many times, and although most think this is only for WordPress it is not, and they have prebuilt libraries on their site for various languages including PHP and js and nodejs. For me I wanted to make this work the Wappler way, with no coding, and it did, so here is a write-up on how to add the Akismet service to your website.

  1. Go to akismet.com, click “SIGN UP FOR AKISMET NOW”
  2. Enter an Email, Username, Password
  3. Add Subscription, Click “Get Personal” under Name Your Price
  4. Credit Card details come up, drag the price slider to $0 / YEAR
    a. The credit card details area switches to a NON-COMMERCIAL LICENCE asking for a First Name, Last Name, and most importantly a Personal Site URL.
    b. Click the checkboxes, and continue.
    Obviously if you are running a shop or something like that, they sell even a 1 dollar package, so to avoid possible issues maybe do that if you like. The service in my opinion is worth it.

Once the form processes, it should say Awesome! in green and display an API key. You can close this, as your API key always shows on the dashboard.

Now off to Wappler
I have a few forms on my site, so I am only going to show you an example of the easiest one, as the rest is just more of the same stuff. This form asks for one thing, an email address, that's it. If the user enters their email and hits submit, they are subscribed to our newsletter.
There is a second hidden field as well for the honeypot.

<form is="dmx-serverconnect-form" id="newsletter_signup_form" method="post" action="dmxConnect/api/newsletter_signup.php">
	<div class="form-group">
		<div class="input-group">
			<input type="text" name="inp_honey" id="inp_honey" value="" autocomplete="off" class="d-none" />

			<label for="emailNews" class="col-form-label">SIGN UP</label>
			<input type="email" class="form-control" id="emailNews" name="emailNews" is="dmx-input" value="" required="" data-rule-email="">
			<div class="input-group-append">
				<button class="btn bg-dark input-group-text" type="submit">&#9002;</button>
			</div>
		</div>
	</div>
</form>

So this is a two-part API call. First we have to verify our account on each form submission, and if they send back a response of “valid” for the user account, we run the second API call and send through some of the form fields so they can check them against their spam database and send back a response of either false to denote NOT SPAM, which they call HAM, or true, which means it is SPAM.

You are meant to set up a third area like a control panel as such so your users can also check the dashboard and register false positive matches etc. however for my purposes I may do that later on one day. For now, if the email is NOT SPAM I allow it to email all the relevant people and add the entry into my database, and if it IS SPAM, I send a single email to myself so I can check it.

Let's continue, in Wappler

New Server Action

Globals > $_SERVER (add the following as normal Variables - Text)

HTTP_USER_AGENT
HTTP_REFERER
REMOTE_ADDR
REQUEST_URI

Globals > $_POST (add the form input names I needed, obviously add your own)

inp_honey
emailNews

Now we need to set up our Execute Steps

Condition {{$_POST.inp_honey}}

THEN
Response Step: Name: Failed, Status: 500, Text: You ate the honey.

ELSE
API Action Step: ID: apiAkismet, Output: ON, Pass Errors: ON, Url: https://rest.akismet.com/1.1/verify-key, Method: POST, Data Type: Form, Authorization: None

Input Data
Name: key, Value: Your-API-Key

Name: blog, Value: {{'https://www.yourwebsitename.com/'+$_SERVER.REQUEST_URI.urlencode()}}

Click Define API Schema, click Fetch Schema, it should fetch and give a source output of invalid

SAVE

Add another condition, still inside the ELSE, after the API Action Step
Condition {{apiAkismet.data == "valid"}}

THEN
API Action Step: ID: apiAkismetValid, Output: ON, Pass Errors: ON, Url: https://YOUR-API-KEY.rest.akismet.com/1.1/comment-check, Method: POST, Data Type: Form, Authorization: None

Input Data
Name: blog, Value: {{$_SERVER.HTTP_REFERER.urlencode()}}

Name: user_ip, Value: {{$_SERVER.REMOTE_ADDR.urlencode()}}

Name: user_agent, Value: {{$_SERVER.HTTP_USER_AGENT.urlencode()}}

Name: referrer (note the spelling: Akismet's field name has a double r, unlike the HTTP_REFERER header), Value: {{$_SERVER.HTTP_REFERER.urlencode()}}

Name: permalink, Value: {{$_SERVER.HTTP_REFERER.urlencode()}}

Name: comment_type, Value: 'signup'

Name: comment_author_email, Value: {{$_POST.emailNews}}

Click Define API Schema, click Fetch Schema, it should fetch and give a source output of Missing required field: blog.

SAVE
 
 
ELSE
Response Step: Name: AkismetInValidUser, Status: 500, Text: You are not a valid Akismet User

Add another condition into the above THEN step AFTER the API Action Step
Condition {{apiAkismetValid.data == false}}
THEN (Add your normal form stuff like Mailer Setup and Send Mail and Database Connections and Inserts)
ELSE (Just sends a copy of the form to me in case of a false positive)

I know this may look difficult on the surface, however it is only because of the way I have had to write it, would have been easier to send screenshots but half the data is cut off on those so you would not see what to enter.

Any issues with the first validation step check here https://akismet.com/development/api/#verify-key
Issues with the form submission and to see what additional fields they support you really need to check this https://akismet.com/development/api/#comment-check
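
The same decision flow written out as Node.js, as an added example that is not part of the original write-up and is not Wappler's or Akismet's own code. The function names, the result labels, the `siteUrl` parameter and the injectable `post` transport are hypothetical, and the example assumes a fixed site URL is sent as `blog` in both calls instead of the client-supplied Referer header.

```javascript
// Added example. `post` is a hypothetical transport:
// (url, fields) -> Promise resolving to the response body as text.
const HOST = 'rest.akismet.com';

// Form-encoded POST with Node 18+ global fetch; URLSearchParams encodes each value once.
async function httpPost(url, fields) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(fields).toString(),
  });
  return (await res.text()).trim();
}

// Fields for comment-check, mirroring the Input Data list in the write-up.
function commentCheckFields(siteUrl, server, form) {
  const referer = server.HTTP_REFERER || ''; // client-supplied, may be absent
  return {
    blog: siteUrl, // assumption: fixed site URL instead of the Referer header
    user_ip: server.REMOTE_ADDR,
    user_agent: server.HTTP_USER_AGENT || '',
    referrer: referer, // Akismet's field name has a double "r"
    permalink: referer,
    comment_type: 'signup',
    comment_author_email: form.emailNews,
  };
}

// Only an exact "false" counts as ham; error text and odd bodies go to review.
function interpretVerdict(body) {
  if (body === 'false') return 'ham';
  if (body === 'true') return 'spam';
  return 'review';
}

// Returns 'honeypot' | 'bad-key' | 'ham' | 'spam' | 'review'.
async function classifySignup({ apiKey, siteUrl, server, form }, post = httpPost) {
  if (form.inp_honey) return 'honeypot'; // hidden field filled: stop before any API call
  try {
    const key = await post(`https://${HOST}/1.1/verify-key`, { key: apiKey, blog: siteUrl });
    if (key !== 'valid') return 'bad-key';
    const url = `https://${apiKey}.${HOST}/1.1/comment-check`;
    return interpretVerdict(await post(url, commentCheckFields(siteUrl, server, form)));
  } catch (err) {
    return 'review'; // Akismet unreachable: hold the signup, do not subscribe it
  }
}
```

Only the `'ham'` result should reach the mailer and database insert; every other result corresponds to the ELSE branches above.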

If someone else feels like writing the dashboard that confirms SPAM vs HAM false positives etc. that would be cool, please share it afterwards.
