homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

Pondering feasibility of form mail security idea
form mail security idea

Msg#: 4626896 posted 3:32 pm on Nov 30, 2013 (gmt 0)

I'm about 1/2 a step above knowing nothing.
So this idea may be totally stupid, I apologize if so.

I am interested in implimenting a PHP based for mail.
Thus, I've been reading various post on here.
Most are well dated but seem to have MOSTLY good advice and examples.

In reading them, they gave me a idea. One that I haven't seen mentioned.
That in turn made me wonder if it's even feasible.

So I decided to ask, and maybe even spark interest that leads to increased spam/exploits security...

How about implimenting a dual/tri purpose timer?
set it with a minimum time, crashes if bots submit it to early
maximum time, does a preliminary time out if
TAKING (not taken) to long, so perhaps does a contact form refresh, or throws a security question, MUST BE ANSWERED, NOT CLOSED, then if answered correctly, restarts a additional time alottment to finish the msg.
IF ANSWERED WRONG, commits a die command to the mail script

PERHAPS EVEN, pull redirect to badbot trap

I imagine it is all possible.
BUT, feasible?




WebmasterWorld Senior Member 5+ Year Member

Msg#: 4626896 posted 6:37 pm on Nov 30, 2013 (gmt 0)

Very feasible if you use sessions to keep track of page request times.

I would suggest that a bot would typically take significantly less time than a human to use a mail form.


Bots these days are getting so sophisticated that it would not surprise me if delaying as long as a human would can and has been coded into some of them. I mean, people have got them rendering javascript and reading the post execution rendering, so a little sleep command seems well within reasonable bounds.


WebmasterWorld Senior Member penders us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

Msg#: 4626896 posted 11:38 pm on Dec 2, 2013 (gmt 0)

Very feasible if you use sessions to keep track of page request times.

A bot might not even set a session (cookie, etc.) - so there you have another trap.

I would be wary about trapping "too long" requests, as you might annoy a slow user!

I have implemented a similar technique on several forms before... if the form is submitted too quickly (ie. within a few seconds). However, it has never caught anything! Maybe I got the timing wrong?! Or, more probable I suspect, my other spam traps have caught it first.


WebmasterWorld Senior Member swa66 us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 4626896 posted 10:20 am on Dec 3, 2013 (gmt 0)

It's an arms race with the spammers, they'll figure it out soon enough. You're not going to (help to) exhaust their resources so while it might put you a bit in front it's for sure nothing they cannot beat if they care to.

Moreover not all spammers are automated, quite a few run on sweatshops in 3rd world countries - most likely exploiting kids used as slaves.

It's better to make your script smarter and silent about it's refusal: don't give feedback on success/failure to the spammer. That way they'll never know they were too fast for you and you just discarded their message completely. Either based on content, keywords you don;t want to see, excessive amounts of URLs, email address they gave you, fields that are hidden with CSS that they did fill in anyway, browser strings that are off, source IP address of a (cheap) hosting provider, ... But if you give hem feedback that it was refused, they'll figure out why and figure out a way around your defences.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved