dwyl / learn-to-send-email-via-google-script-html-no-server

:email: An Example of using an HTML form (e.g: "Contact Us" on a website) to send Email without a Backend Server (using a Google Script) perfect for static websites that need to collect data.
GNU General Public License v2.0

No SPAM options #79

Closed omartan closed 7 years ago

omartan commented 7 years ago

Hi,

So I wonder, what options do we have to integrate something like reCAPTCHA, and how?

mckennapsean commented 7 years ago

Personally, I have no knowledge of captcha based systems, but I am sure it could be integrated as part of the form process.

My own opinion is that captcha systems provide a lesser user experience, so I would never want one for myself.

However, someone could still take your form and Google Script link from the page (unless it is obfuscated somehow...) and create spam. This would be more difficult. Personally, I have no experience receiving any spam using this approach, so I have never had an issue, but it is possible. Adding a captcha wouldn't completely remove that possibility with the current approaches. Anyone on the internet can use that link to access your script and post to your spreadsheet / send you an email. The Google Script would have to change to fully stop spam from being possible.

omartan commented 7 years ago

I've just checked, and the easiest method so far to prevent spam (it's not foolproof, but it seems to work for a lot of sites) is what is called the honeypot technique. It essentially means creating a hidden field and using JS to check whether that hidden field has been filled in; if it has, the submission is considered to come from a robot.

http://jennamolby.com/how-to-prevent-form-spam-by-using-the-honeypot-technique/

FDMatthias commented 7 years ago

How can we check in the script if a value is not empty (or, put another way, if it is empty)?

I've asked this question on stackoverflow: http://stackoverflow.com/questions/42713241/google-script-editor-check-if-field-input-is-empty

omartan commented 7 years ago

Hmm, doesn't this check the script value?

function validateMyForm() {
    // The field is empty: submit the form.
    if (!document.getElementById("honeypot").value) {
        return true;
    }
    // The field has a value: it's a spam bot.
    else {
        return false;
    }
}

You can use console.log to leave a message in dev tools saying whether it's empty or not, but that's not necessary.

FDMatthias commented 7 years ago

Yes, that's a correct answer, but I meant how to check the value in the Google Script. But yeah, I guess I'll do it in the front-end code.

mckennapsean commented 7 years ago

For technical help, I would recommend using services such as StackOverflow because GitHub issues are meant for reporting bugs and feature requests. Posting on another issue about a particularly unrelated question is also bad form.

It may be that your question pertains to this spam-checking, by seeing if the form is empty when submitted and tossing it out? But that wasn't made clear. I would advise working with the StackOverflow community to give them an example and they can help, or else I would suggest looking up some basics of JavaScript to better understand the language.

The Google Script code is based off of JavaScript, so you can likely use similar code, but you would have to do this based on the data you read in. It may require some knowledge about which form fields are empty. When a form field is empty, you can check the value in the form data by seeing what it writes into the spreadsheet, and I believe that this is always a string, so just check for that. You can log and keep track of logs using Google Scripts as well, I believe.

Please keep remaining discussion on this thread to the original issue, otherwise post another issue, if there is one, with the repository. Thank you.

mckennapsean commented 7 years ago

Thanks for sharing the honey-pot technique @wheelhot !

I think this spam/protection functionality could make for an interesting enhancement in the future. We just want to make sure it doesn't inhibit anyone's ability to submit the form. This would be a great first pull request for anyone looking for the experience!

omartan commented 7 years ago

Thanks for the suggestion, I'll give it a shot!

karan-ta commented 7 years ago

What if the spammer uses the same hidden field?

omartan commented 7 years ago

If the hidden field is filled in, then it'll treat it as spam, because no human is supposed to be able to see it.

karan-ta commented 7 years ago

Suppose someone copies my page source, runs it from his browser, and does this in a loop. Then my spreadsheet will be filled with junk data.

Right?

If there was a way to check the request URL in Google Script, something like

function doPost(e) {
    e.postData.url
}

then this could be solved.

mckennapsean commented 7 years ago

If you have someone clever trying to spam you, it can be done unless you only allow certain trusted Gmail accounts to submit to your form (which I don't think can utilize this technique any longer).

You could store the URL in a hidden field, but that can be altered. You could look at the HTTP POST request header, but unfortunately even the referer can be spoofed: http://stackoverflow.com/questions/3104647/how-to-spoof-http-referer

To allow anyone to submit (anonymously) client-side, this opens a door for spam. You can disable emails if that is an issue, or you can update the form URL and only give that out to people you trust. If it is a completely public-facing website, then you may have to pursue alternative solutions or require a sort of CAPTCHA before giving them the form.
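
Added example, not part of the thread or of the project's code: the honeypot check moved from the browser into the script's POST handler, with a constructed replay case showing that a copied form which leaves the trap field empty still gets through. It assumes the hidden field is named "honeypot" as in the snippet earlier in the thread; `handleSubmission` and the `store` callback are hypothetical names standing in for the body of `doPost(e)` and the spreadsheet/email step.

```javascript
// Server-side honeypot check, written so it also runs outside Apps Script.
// Assumption: the hidden input is named "honeypot" (from the thread's snippet).
const HONEYPOT_FIELD = "honeypot";

// Apps Script hands form fields to doPost(e) as strings in e.parameter.
// An untouched hidden input arrives as "" or is absent altogether.
function honeypotTripped(e) {
  const params = (e && e.parameter) || {};
  const value = params[HONEYPOT_FIELD];
  return typeof value === "string" && value.trim() !== "";
}

// Hypothetical handler body: `store` stands in for appending the row to the
// spreadsheet and sending the email. Returns the JSON response body.
function handleSubmission(e, store) {
  if (!honeypotTripped(e)) {
    const row = Object.assign({}, e.parameter);
    delete row[HONEYPOT_FIELD]; // never persist the trap field itself
    store(row);
  }
  // Design choice: answer the same way in both cases, so an automated
  // submitter gets no signal that its post was discarded.
  return JSON.stringify({ result: "success" });
}

// Constructed sample events in the shape doPost(e) receives.
const human = { parameter: { name: "Ann", message: "Hi", honeypot: "" } };
const bot = { parameter: { name: "x", message: "buy now", honeypot: "http://spam.example" } };
// Form copied and posted directly, trap left empty: the check cannot see this.
const replay = { parameter: { name: "x", message: "junk" } };

function demo() {
  const saved = [];
  [human, bot, replay].forEach((e) => handleSubmission(e, (row) => saved.push(row)));
  return saved; // human and replay rows are stored, the bot row is dropped
}

console.log(demo());
```

Because the check runs in the script rather than in the page, it still applies when someone bypasses the page's JavaScript and posts straight to the script URL; the replay row is the residual risk discussed above.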

karan-ta commented 7 years ago

Yes. Right now I cannot even access the POST header URL from my Google Apps Script.

function doPost(e) {
    // How to get the URL of the POST request here?
}

mckennapsean commented 7 years ago

That I do not know. May be possible with Javascript or from the Google Script API.

coldes commented 7 years ago

Has anyone implemented the honey-pot technique, and if so, how/where is the JS code placed? [code as per Jenna Molby page]

omartan commented 7 years ago

I managed to get it working previously but I realised I've made a few mistakes with my pull request, working on it now.

omartan commented 7 years ago

Okay, I managed to get it working, already submitted a pull request, @mckennapsean

https://github.com/dwyl/html-form-send-email-via-google-script-without-server/pull/106/files

coldes commented 7 years ago

nice one, thank you

mckennapsean commented 7 years ago

@hoangbienit mentioned using a recaptcha like in a google form, is this what you meant? https://developers.google.com/recaptcha/

Would definitely be nice to perhaps use a third-party validation over some simplistic Javascript. While cool, it may not be as robust and require more maintenance. Thoughts?

mckennapsean commented 7 years ago

Apologies on the delay, got this pulled in to the README & code. Thanks @wheelhot !