  1. #1 skuba (SitePoint Enthusiast)

    My email scripts are getting spammed. Need help.

    Hi Guys,

    I have been using a very basic PHP form that sends its contents via email. But recently I am getting hundreds of spam emails that are using my script.

    Basically, I use a HTML form that sends the value to a PHP script, which sends me an email with the contents.

    I was told I need to use a random numbers/letters generator or block multiple script uses from the same IP. Could somebody please help me with that or give me other solutions?

    I already get the IP information with:
    $message .= ( "IP = " . $REMOTE_ADDR . "\n");

    Is there a way I could leverage that to avoid the spamming?

    Thanks so much for helping.

  2. #2 php_daemon
    I suppose it is a contact form. If you let them enter their email and put it in the email headers, make sure you validate the email address.

    To stop flooding, you can use a database. Make a table (id, ip, timestamp) and add a record upon form submission. This table will serve as a filter. Before sending an email, you check that the IP is not in the table. Now regularly update the table by deleting timed-out records; you may do this upon every form submission too. For example:

    PHP Code:
      $timeout = 300; // 5 minutes

      // Drop records older than the timeout so the table only holds recent submitters
      mysql_query("DELETE FROM filter WHERE timestamp < " . (time() - $timeout));

      // Has this IP already submitted within the timeout window?
      $res = mysql_query("SELECT id FROM filter WHERE ip='" . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "'");

      if (mysql_num_rows($res) == 0) {
          //send email
      }

      // Record this submission so the next one from the same IP is filtered
      mysql_query("INSERT INTO filter (ip,timestamp) VALUES ('" . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "'," . time() . ")");
    Saul
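    As an added example (not php_daemon's code, and not part of the original thread), the same per-IP filter table written with PDO against an in-memory SQLite database so it runs stand-alone from the command line, combined with the email-address check mentioned in the first sentence of the post. It goes a little beyond the post: a submitter address containing a carriage return or line feed is rejected outright, because that is how a bot turns a contact form into a relay by appending extra mail headers. The table name `filter`, the 300-second window, the function names, the DSN and the sample submissions are all assumptions constructed for the demo; no mail is actually sent.

```php
<?php
// Added example, not the thread's code. Runs stand-alone: php contact_filter.php
// Swap the SQLite DSN for your MySQL connection in production.

declare(strict_types=1);

const RATE_WINDOW = 300; // seconds: one submission per IP per 5 minutes (assumed)

/** Return a clean submitter address, or null if it must not go into a mail header. */
function safeSubmitterAddress(string $raw): ?string
{
    $email = trim($raw);
    if (preg_match('/[\r\n]/', $email)) {
        return null;            // a newline would let a bot append Bcc:/To: headers
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

/** Create the (id, ip, timestamp) filter table described in the post. */
function setupFilterTable(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS filter (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        ip TEXT NOT NULL,
        timestamp INTEGER NOT NULL)');
}

/**
 * True if $ip may submit at time $now; records the submission when allowed.
 * Expired rows (timestamp older than now - window) are purged first.
 */
function allowSubmission(PDO $db, string $ip, int $now): bool
{
    $purge = $db->prepare('DELETE FROM filter WHERE timestamp < :cutoff');
    $purge->execute([':cutoff' => $now - RATE_WINDOW]);

    $check = $db->prepare('SELECT COUNT(*) FROM filter WHERE ip = :ip');
    $check->execute([':ip' => $ip]);
    if ((int) $check->fetchColumn() > 0) {
        return false;           // seen within the window: drop it
    }

    $insert = $db->prepare('INSERT INTO filter (ip, timestamp) VALUES (:ip, :ts)');
    $insert->execute([':ip' => $ip, ':ts' => $now]);
    return true;
}

// --- Demo with constructed submissions (no real request, no real mail) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupFilterTable($db);

$submissions = [
    ['ip' => '203.0.113.5', 'email' => 'alice@example.com', 't' => 1000],
    ['ip' => '203.0.113.5', 'email' => 'alice@example.com', 't' => 1010], // inside window
    ['ip' => '203.0.113.9', 'email' => "bob@example.com\r\nBcc: lots@example.net", 't' => 1020], // header injection attempt
    ['ip' => '203.0.113.5', 'email' => 'alice@example.com', 't' => 1400], // window has expired
];

foreach ($submissions as $s) {
    $email = safeSubmitterAddress($s['email']);
    if ($email === null) {
        echo "{$s['ip']} rejected: unsafe From address\n";
        continue;
    }
    if (!allowSubmission($db, $s['ip'], $s['t'])) {
        echo "{$s['ip']} rejected: rate limited\n";
        continue;
    }
    // mail('you@example.com', 'Contact form', $body, "From: $email") would go here
    echo "{$s['ip']} accepted ({$email})\n";
}
```

    Two details differ from the snippet in the post on purpose: the purge deletes rows whose timestamp is older than the cutoff (the comparison direction matters, otherwise you delete the fresh rows and keep the stale ones), and the arithmetic is parenthesised before being concatenated into the query so PHP does not try to subtract from the string.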

  3. #3 Chris Corbyn (Resident Code Monkey)
    Do you have SpamAssassin installed on the server? Even if you don't, it's just Perl code you can install free of charge.

    If you have that you can *try* this. Using Swift Mailer you can load plugins, and I wrote a highly experimental plugin to catch spam in email forms.

    PHP Code:
    <?php

    /**
     * Spam Checking plugin for Swift Mailer.
     *
     * @package     Swift
     * @version     >= 2.0.0
     * @author      Chris Corbyn
     * @date        30th July 2006
     * @license     http://www.gnu.org/licenses/lgpl.txt Lesser GNU Public License
     *
     * @copyright Copyright &copy; 2006 Chris Corbyn - All Rights Reserved.
     * @filesource
     *
     *   This library is free software; you can redistribute it and/or
     *   modify it under the terms of the GNU Lesser General Public
     *   License as published by the Free Software Foundation; either
     *   version 2.1 of the License, or any later version.
     *
     *   This library is distributed in the hope that it will be useful,
     *   but WITHOUT ANY WARRANTY; without even the implied warranty of
     *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     *   Lesser General Public License for more details.
     *
     *   You should have received a copy of the GNU Lesser General Public
     *   License along with this library; if not, write to
     *
     *   The Free Software Foundation, Inc.,
     *   51 Franklin Street,
     *   Fifth Floor,
     *   Boston,
     *   MA  02110-1301  USA
     *
     *    "Chris Corbyn" <chris@w3style.co.uk>
     *
     */

    /**
     * Scans the email for anything that looks like spam using SpamAssassin.
     * If the score obtained is higher than what is set here, sending stops and an error is logged.
     * @package Swift
     * @author Chris Corbyn
     */
    class Swift_Plugin_SpamCheck implements Swift_IPlugin
    {
        /**
         * Plugin ID
         * @var string name
         */
        public $pluginName = 'SpamCheck';

        /**
         * A reference to the main Swift object
         */
        private $swiftInstance;

        /**
         * The score at which we cast the message away as spam
         * @var float score
         */
        private $limit;

        /**
         * The location of the spamassassin perl script
         * @var string path
         */
        private $pathToSpamassassin = '/usr/bin/spamassassin';

        /**
         * Constructor
         * @param float limit (score)
         * @param string path to spamassassin, optional
         */
        public function __construct($limit = 1.5, $path = false)
        {
            $this->limit = (float) $limit;
            if ($path) $this->pathToSpamassassin = $path;
        }

        /**
         * Load a reference to swift
         */
        public function loadBaseObject(&$swift)
        {
            $this->swiftInstance =& $swift;
        }

        /**
         * Get the score spamassassin gave the message
         * @param string altered message
         * @return float score (0.0 if no X-Spam-Status header was found)
         */
        private function getScore($result)
        {
            $matches = array();
            if (!preg_match('/^X-Spam-Status: (?:Yes|No), score=(\S+)\s/m', $result, $matches)) {
                return 0.0;
            }
            return (float) $matches[1];
        }

        /**
         * onBeforeSend event handler
         * Kills Swift and logs an error if the email is spam
         */
        public function onBeforeSend()
        {
            // Drop the trailing "." that terminates the SMTP DATA section before piping the message
            $mail = substr($this->swiftInstance->currentMail[3], 0, strrpos($this->swiftInstance->currentMail[3], '.'));
            $spamassassin = $this->pathToSpamassassin;
            // -L: local tests only (no network lookups), -t: test mode, adds the X-Spam-Status header
            $result = @shell_exec("echo " . escapeshellarg($mail) . " | $spamassassin -Lt");
            if (!empty($result))
            {
                $score = $this->getScore($result);

                if ($score >= $this->limit)
                {
                    $this->swiftInstance->logError('WARNING SpamCheck Plugin!!!  Message logged as SPAM with a score of ' . $score . ' where ' . $this->limit . ' required');
                    $this->swiftInstance->close();
                    $this->swiftInstance->fail();
                }
            }
        }
    }

    ?>
    Basically, you set a SpamAssassin score at which you class the email as spam and if it beats the score, BOOM, it doesn't send. As I say, this is highly experimental and you'll want incredibly low SpamAssassin scores since the mail will not have passed via any hosts before hitting the spam checker.

  4. #4 skuba (SitePoint Enthusiast)
    I do have SpamAssassin on my server; it doesn't work very well. Actually a lot of this recent spam gets score 0, especially because it's using my own form. Would this script make things better?

    Thanks

  5. #5 Chris Corbyn (Resident Code Monkey)
    Quote Originally Posted by skuba
    I do have SpamAssassin on my server; it doesn't work very well. Actually a lot of this recent spam gets score 0, especially because it's using my own form. Would this script make things better?

    Thanks
    Sadly no, it won't help here then. If SpamAssassin is scoring it at zero then this script isn't going to be much use. Like I say, it was an experiment more than anything else... it might turn out to be an unfeasible idea in the end.

  6. #6 SitePoint Wizard
    php_daemon offered a good solution to limit the amount of spam per time period.

    Another option is to try to identify the user as a human. This is commonly accomplished with what's called a "captcha" system. Many people use an image, but the concept is that it would be difficult for a robot to automate the answer, but easy for a human. Even plain text can be effective.

  7. #7 Chris Corbyn (Resident Code Monkey)
    ~Skuba, just offering some advice on SpamAssassin. It's a little expensive on time and resources but extremely worthwhile turning on RBL checks and the Bayesian filters.... the RBL checks are extremely useful and can by themselves detect much of the spam I receive. I never delete spam, or deny it. I pipe it into MySQL so I can analyze it.

  8. #8 skuba (SitePoint Enthusiast)
    I am not sure I can change the SpamAssassin settings, as it's part of the cPanel I get from my host.

  9. #9 Chris Corbyn (Resident Code Monkey)
    Quote Originally Posted by skuba
    I am not sure I can change the SpamAssassin settings, as it's part of the cPanel I get from my host.
    No, you probably can't change that then. cPanel uses Exim, which supports user-level configuration, but again, your host needs to enable that, and those SpamAssassin directives are set in the local.cf file which you can't touch anyway, sadly.

  10. #10 DewChugr (SitePoint Zealot)
    This should help with some abuse. Include this in the web page with your form and pass the token as a hidden value. This will ensure that the form you processed was actually filled out on your website. With the time session you can limit the time between when the form loads and when it is processed. I think I found this on Shiflett's site.

    session_start();
    $token = md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;          // goes into the form as a hidden field
    $_SESSION['token_time'] = time();     // when the form was served

    Then when you get to your validation page include this.

    session_start();
    // Token missing, or not the one issued with the form: not from our page
    if (!isset($_POST['token'], $_SESSION['token']) || $_POST['token'] !== $_SESSION['token']) {
        echo "Invalid data!";
        exit;
    }
    $token_age = time() - $_SESSION['token_time'];
    if ($token_age >= LOGIN_TIME_LIMIT) {
        // time limit can be set here as number instead
        // of LOGIN_TIME_LIMIT define, such as 60*10
        exit;
    }
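    As an added example (not DewChugr's code and not from Shiflett's site), here is the token check from this post combined with the plain-text challenge suggested in post #6, runnable from the command line. It goes beyond the snippet above in three ways: the token comes from `random_bytes()` rather than `md5(uniqid(rand()))`, the comparison uses `hash_equals()` so timing does not leak anything, and a used token is cleared so the same submission cannot be replayed. The session is a plain array here so the script runs without a web server; in a real handler call `session_start()` and pass `$_SESSION`. The 600-second limit, the function names and the constructed submissions are assumptions.

```php
<?php
// Added example, not the thread's code. Runs stand-alone: php form_token.php

declare(strict_types=1);

const TOKEN_TIME_LIMIT = 600; // seconds between form load and submission (assumed)

/** Called when the form page is rendered: stores token, issue time and expected answer. */
function issueChallenge(array &$session, int $now): array
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['token']      = bin2hex(random_bytes(16)); // CSPRNG, unguessable by a bot
    $session['token_time'] = $now;
    $session['answer']     = (string) ($a + $b);
    return ['token' => $session['token'], 'question' => "What is $a plus $b?"];
}

/** Called by the processing script; returns null on success or the reason for rejection. */
function validateSubmission(array &$session, array $post, int $now): ?string
{
    if (!isset($session['token'], $session['token_time'], $session['answer'])) {
        return 'no challenge issued';      // form was never loaded in this session
    }
    $token = (string) ($post['token'] ?? '');
    if (!hash_equals($session['token'], $token)) {
        return 'invalid token';            // constant-time comparison
    }
    if ($now - $session['token_time'] >= TOKEN_TIME_LIMIT) {
        return 'token expired';
    }
    $answer = trim((string) ($post['answer'] ?? ''));
    if (!hash_equals($session['answer'], $answer)) {
        return 'wrong answer';             // script did not solve the text challenge
    }
    // Consume the token so a captured submission cannot be replayed.
    unset($session['token'], $session['token_time'], $session['answer']);
    return null;
}

// --- Demo with a constructed session and submissions ---
$session = [];
$form = issueChallenge($session, 1000);
$good = ['token' => $form['token'], 'answer' => $session['answer']];

var_dump(validateSubmission($session, $good, 1005));   // NULL: accepted
var_dump(validateSubmission($session, $good, 1010));   // "no challenge issued": replay blocked

$form = issueChallenge($session, 2000);
var_dump(validateSubmission($session, ['token' => 'forged', 'answer' => '4'], 2005)); // "invalid token"
var_dump(validateSubmission($session, ['token' => $form['token'], 'answer' => $session['answer']], 2700)); // "token expired"
```

    The challenge answer is kept server-side only; the form shows the question and the hidden token, never the answer, so a bot that posts straight to the processing script without loading the page has nothing to copy.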
