Skip over navigation

These documentation pages may contain screenshots and instructions for an older version of Roxen CMS; however, most of the information should still be relevant. The Roxen CMS servers will be shut down September 2019.

Spam and Spambots

If you create a form on the public web, sooner or later someone will attempt to exploit your form — either for nefarious purposes or for LOLs. These attacks are usually automated, involving thousands of form submission attempts.

The forms in Roxen CMS are not immune to these attacks. If you set up an unprotected form in Roxen, and you specify a form recipient; that recipient could wake up one morning with a thousand unwanted emails in his or her inbox.

There are a few options for protecting forms in Roxen. None of them are ideal, and a few of the options have serious compatibility issues with Firefox.

  1. Add a CAPTCHA to your form. This adds a image of five scrambled characters that a form submitter must identify and transcribe to a form field. This option is not ADA compliant, so as a fallback, you should provide an email address on that page to allow the form submitter to directly contact you if he or she cannot complete the form. 

    If your form is requires an HTTPS connection, your users will not be able to submit the form in Firefox. They must either use an HTTP connection, another browser, or use the non-load-balanced URL (example: deptbfe01 or deptafe01 instead of www).
  2. Add a protection point to your form. This will not work for forms that must be submitted by users outside the Princeton University community. However, if only those with a Princeton NetID need to access your form, set Everyone to "None" and give the group PU-Users "Read" access to the form page. 

    You can alternatively give "Read" access to members of the "Campus net users" group. This is a special access control group that invokes a Roxen module that restricts page access by IP address. That means that only visitors who access the page from the campus network can get in.
  3. If your form includes an Email field that allows a user to enter their own value, and that email is used to send a confirmation or response email, you should limit the allowed characters for that field. You can add an RXML validation check to your form. The example code limits the field length to 64 characters.
  4. You can make your form a multi-page form, and you can add a required field to the first page. This method suffers the same compatibility issues with Firefox as the CAPTCHA method. The workarounds are the same.