contact form being spammed

[ozmart2004]

My contact form is being spammed heavily. I have javascript to validate it but the spammer software can fill in all the fields and I'm getting email after email...whats the best way to circumvent this with php?

Help!

[ozmart2004]

found this..very nice from http://www.alt-php-faq.org/index.html

PHP Code:

<?php
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:    
if(!isset($_SERVER['HTTP_USER_AGENT'])){
   die("Forbidden - You are not authorized to view this page");
   exit;
}

// Make sure the form was indeed POST'ed:
//  (requires your html form to use: action="post") 
if(!$_SERVER['REQUEST_METHOD'] == "POST"){
   die("Forbidden - You are not authorized to view this page");
   exit;    
}

// Host names from where the form is authorized
// to be posted from: 
$authHosts = array("domain.com", "domain2.com", "domain3.com");

// Where have we been posted from?
$fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));

// Test to see if the $fromArray used www to get here.
$wwwUsed = strpos($fromArray['host'], "www.");

// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){    
   logBadRequest();
   header("HTTP/1.0 403 Forbidden");
       exit;    
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
                     "MIME-Version:",
                     "Content-Transfer-Encoding:",
                     "bcc:",
                     "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
   foreach($badStrings as $v2){
       if(strpos($v, $v2) !== false){
           logBadRequest();
           header("HTTP/1.0 403 Forbidden");
               exit;
       }
   }
}    

// Made it past spammer test, free up some memory
// and continue rest of script:    
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);
?>

[Rizal]

I'm having the same problem myself - spam messages or empty email form. Thanks for this solution, if it works.

[mixmastermidori]

Has anyone tried this solution? Does it work?

Thanks!

[clamcrusher]

the solution is to validate the data using php, before you send the email.
if things dont validate, dont send the email.

javascript validation should ONLY be used as a convenience to the user. because javascript is clientside, all they have to do is turn javascript off to bypass your validation.


that is why you must validate using php, because they cannot bypass that.

[spikeZ]

Haven't tried it but it looks on the face of it pretty secure and covers most if not all of the methods I know about.

Run it and see!

Spike

[Rizal]

I can confirm that Ozmart2004's tip works perfectly.

[_matrix_]

so u run that code before the form displays?

[mixmastermidori]

I got some spam from the site that I forgot to add the new code to, but I didn't get any from the site I applied the code to. Looks like it works great! (crossing fingers...)

Thanks!

[ikeo]

If you use javascript to validate, then all a hacker needs to do is turn it off on their browser and they can sodomize your script.
Get some PHP validation going.

My contact form is being spammed heavily. I have javascript to validate it but the spammer software can fill in all the fields and I'm getting email after email...whats the best way to circumvent this with php?

Help!

[Will Kelly]

so u run that code before the form displays?

no when the form is submitted.

[djdykes]

i have a similar problem over at PHP for Beginners i store user comments in a DB so its kinda not the same but, i found that adding an extra field to your comments table say is_valid_comment and setting it to true or false works... you then only have to modify your sql query to select where it is a valid comment...

there is a good tutorial for noisey form images on site point here's the url

http://www.sitepoint.com/article/tou...security-image

[mixmastermidori]

I used this code for several sites, and I haven't seen any more spam from all but one of them. I have a script running where it writes to a text file on the server. That text file used to get spammed, but there isn't any spam since I added this fix. However, they're getting spam email to bogus addresses by bogus addresses.

I don't really understand why the fix is working for the text file but not for email. I don't have any other form on this site, so I don't know why they're getting email. Grr...

Thanks for any insight,
Midori

[mixmastermidori]

Does anyone have any other fixes? I used the fix recommended in this thread, but it worked on all but one of my sites. One of my clients keeps getting spam in her box with gibberish. Someone's spoofing email addresses from her domain, and she's bugging me to fix it. Yikes!

Thanks for any help...
-Midori

[Dan Grossman]

You could add one of those "security images"/"verification images" to prevent bots from targeting your forms automatically.

SitePoint has a tutorial on this:
http://www.sitepoint.com/article/tou...security-image

Be sure to read the comments at the end of the article, as I noted two fixes that need to be made to the provided code to make it bot-proof.