  1. #1 ozmart2004 (SitePoint Addict; joined Feb 2004; Albury, NSW, Australia; 215 posts)

    contact form being spammed

    My contact form is being spammed heavily. I have JavaScript to validate it, but the spammer software can fill in all the fields and I'm getting email after email... what's the best way to circumvent this with PHP?

    Help!

  2. #2 ozmart2004 (SitePoint Addict; joined Feb 2004; Albury, NSW, Australia; 215 posts)

    Found this... very nice, from http://www.alt-php-faq.org/index.html

    PHP Code:
    <?php
    // First, make sure the form was posted from a browser.
    // For basic web-forms, we don't care about anything
    // other than requests from a browser:
    if (!isset($_SERVER['HTTP_USER_AGENT'])) {
        die("Forbidden - You are not authorized to view this page");
    }

    // Make sure the form was indeed POST'ed:
    //  (requires your html form to use: method="post")
    // Note: the original read if(!$_SERVER['REQUEST_METHOD'] == "POST"),
    // which never fires because the ! is applied before the comparison.
    if ($_SERVER['REQUEST_METHOD'] !== "POST") {
        die("Forbidden - You are not authorized to view this page");
    }

    // Minimal logger; the original calls logBadRequest() without defining it.
    function logBadRequest() {
        error_log("Bad contact-form request from " . $_SERVER['REMOTE_ADDR']);
    }

    // Host names from where the form is authorized
    // to be posted from:
    $authHosts = array("domain.com", "domain2.com", "domain3.com");

    // Where have we been posted from?
    // (The Referer header may be absent, and a bot can forge it.)
    $referer   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $fromArray = parse_url(strtolower($referer));
    $fromHost  = isset($fromArray['host']) ? $fromArray['host'] : '';

    // Test to see if the referring host used www to get here.
    $wwwUsed = strpos($fromHost, "www.");

    // Make sure the form was posted from an approved host name.
    if (!in_array(($wwwUsed === false ? $fromHost : substr(stristr($fromHost, '.'), 1)), $authHosts)) {
        logBadRequest();
        header("HTTP/1.0 403 Forbidden");
        exit;
    }

    // Attempt to defend against header injections:
    $badStrings = array("Content-Type:",
                        "MIME-Version:",
                        "Content-Transfer-Encoding:",
                        "bcc:",
                        "cc:");

    // Loop through each POST'ed value and test if it contains
    // one of the $badStrings (case-insensitive, so "Bcc:" and "BCC:"
    // are caught as well):
    foreach ($_POST as $k => $v) {
        foreach ($badStrings as $v2) {
            if (stripos($v, $v2) !== false) {
                logBadRequest();
                header("HTTP/1.0 403 Forbidden");
                exit;
            }
        }
    }

    // Made it past spammer test, free up some memory
    // and continue rest of script:
    unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost, $wwwUsed);
    ?>
    Last edited by ozmart2004; Feb 19, 2006 at 02:26.
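A stricter server-side check than the keyword list above, written here as an added example (it is not code from the thread or from the alt-php-faq page): it rejects any header-bound field containing a line break, which is what a "Bcc:" injection actually needs, validates the address with filter_var(), adds a honeypot field, and keeps the From header fixed. The field names name, email, message, the hidden honeypot field website, and the example.com addresses are assumptions.

```php
<?php
// Added example (not code from the thread or from alt-php-faq.org).
// Assumed form fields: name, email, message, plus a hidden honeypot "website".
// True if a value contains a line break or NUL: a spammer needs a CR/LF to
// start a new mail header, so this blocks the whole class that the
// $badStrings keyword list in the post tries to enumerate.
function hasHeaderBreak($value) {
    return preg_match('/[\r\n\0]/', (string) $value) === 1;
}

// Validate the POST body; returns a list of error strings (empty = accept).
function validateContactForm(array $post) {
    $errors  = array();
    $name    = isset($post['name'])    ? trim($post['name'])    : '';
    $email   = isset($post['email'])   ? trim($post['email'])   : '';
    $message = isset($post['message']) ? trim($post['message']) : '';
    $trap    = isset($post['website']) ? $post['website']       : '';

    // Honeypot: hidden with CSS, so humans leave it empty and bots fill it.
    if ($trap !== '') {
        $errors[] = 'honeypot field was filled in';
    }
    // Only name and email ever reach a mail header, so they must be one line.
    if ($name === '' || strlen($name) > 100 || hasHeaderBreak($name)) {
        $errors[] = 'invalid name';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || hasHeaderBreak($email)) {
        $errors[] = 'invalid email address';
    }
    if (strlen($message) < 10 || strlen($message) > 5000) {
        $errors[] = 'message length out of range';
    }
    return $errors;
}

// Build mail() arguments. User input goes only into the body and a validated
// Reply-To; From is a fixed address on your own domain (placeholder here), so
// the form cannot be used to send mail that appears to come from other senders.
function buildMail(array $post) {
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: " . trim($post['email']) . "\r\n";
    $body    = "Name: " . trim($post['name']) . "\n\n" . trim($post['message']);
    return array('headers' => $headers, 'body' => $body);
}

if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') { header('HTTP/1.0 405 Method Not Allowed'); exit; }
$errors = validateContactForm($_POST);
if ($errors) { error_log('contact form rejected: ' . implode('; ', $errors)); header('HTTP/1.0 400 Bad Request'); exit; }
$mail = buildMail($_POST);
// mail('you@example.com', 'Contact form', $mail['body'], $mail['headers']);
```

Log the rejection reasons as shown so you can tell honeypot hits (bots) from real users tripping the length rules.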

  3. #3 SitePoint Enthusiast (joined Aug 1999; Kuala Lumpur, Malaysia; 67 posts)
    I'm having the same problem myself - spam messages or empty email form. Thanks for this solution, if it works.
    DarkStation - No-nonsense Console Gaming Coverage.

  4. #4 mixmastermidori (SitePoint Addict; joined Sep 2001; 337 posts)

    Has anyone tried this?

    Has anyone tried this solution? Does it work?

    Thanks!

  5. #5 SitePoint Wizard (joined Mar 2006; 6,132 posts)
    The solution is to validate the data using PHP, before you send the email.
    If things don't validate, don't send the email.

    JavaScript validation should ONLY be used as a convenience to the user. Because JavaScript is client-side, all they have to do is turn JavaScript off to bypass your validation.

    That is why you must validate using PHP, because they cannot bypass that.

  6. #6 spikeZ (joined Aug 2004; Manchester UK; 13,806 posts)
    Haven't tried it but it looks on the face of it pretty secure and covers most if not all of the methods I know about.

    Run it and see!

    Spike
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  7. #7 SitePoint Enthusiast (joined Aug 1999; Kuala Lumpur, Malaysia; 67 posts)
    I can confirm that Ozmart2004's tip works perfectly.
    DarkStation - No-nonsense Console Gaming Coverage.

  8. #8 _matrix_ (SitePoint Guru; joined Aug 2004; Earth; 739 posts)
    So you run that code before the form displays?

  9. #9 mixmastermidori (SitePoint Addict; joined Sep 2001; 337 posts)
    I got some spam from the site that I forgot to add the new code to, but I didn't get any from the site I applied the code to. Looks like it works great! (crossing fingers...)

    Thanks!
    Nature's Sunshine herbs and supplements

  10. #10 ikeo (SitePoint Evangelist; joined Oct 2004; Austin, Texas; 591 posts)
    If you use JavaScript to validate, then all a hacker needs to do is turn it off on their browser and they can sodomize your script.
    Get some PHP validation going.

    Quote Originally Posted by ozmart2004:
        My contact form is being spammed heavily. I have JavaScript to validate it, but the spammer software can fill in all the fields and I'm getting email after email... what's the best way to circumvent this with PHP?

        Help!

  11. #11 Will Kelly (SitePoint Evangelist; joined May 2005; London; 475 posts)
    Quote Originally Posted by _matrix_:
        So you run that code before the form displays?
    No, when the form is submitted.

  12. #12 djdykes (SitePoint Evangelist; joined Feb 2005; Chester, Cheshire; 565 posts)
    I have a similar problem over at PHP for Beginners. I store user comments in a DB, so it's kinda not the same, but I found that adding an extra field to your comments table, say is_valid_comment, and setting it to true or false works... you then only have to modify your SQL query to select where it is a valid comment...

    There is a good tutorial for noisy form images on SitePoint; here's the URL:

    http://www.sitepoint.com/article/tou...security-image

  13. #13 mixmastermidori (SitePoint Addict; joined Sep 2001; 337 posts)
    I used this code for several sites, and I haven't seen any more spam from all but one of them. I have a script running where it writes to a text file on the server. That text file used to get spammed, but there isn't any spam since I added this fix. However, they're getting spam email to bogus addresses by bogus addresses.

    I don't really understand why the fix is working for the text file but not for email. I don't have any other form on this site, so I don't know why they're getting email. Grr...

    Thanks for any insight,
    Midori
    Nature's Sunshine herbs and supplements

  14. #14 mixmastermidori (SitePoint Addict; joined Sep 2001; 337 posts)
    Does anyone have any other fixes? I used the fix recommended in this thread, but it worked on all but one of my sites. One of my clients keeps getting spam in her box with gibberish. Someone's spoofing email addresses from her domain, and she's bugging me to fix it. Yikes!

    Thanks for any help...
    -Midori
    Nature's Sunshine herbs and supplements

  15. #15 Dan Grossman (Follow Me On Twitter: @djg; joined Aug 2000; Philadelphia, PA; 20,580 posts)
    You could add one of those "security images"/"verification images" to prevent bots from targeting your forms automatically.

    SitePoint has a tutorial on this:
    http://www.sitepoint.com/article/tou...security-image

    Be sure to read the comments at the end of the article, as I noted two fixes that need to be made to the provided code to make it bot-proof.

