html email contact form hijacking and abuse

how to detect or prevent form spam?


broniusm

4:49 pm on Dec 31, 2003 (gmt 0)




I've got a simple ASP form which uses ASPMail to send me prospect info requests from a couple of sites. I've been recently, repeatedly slammed by a utility used to sniff out insecure web forms. How can I prevent such contact form hijacking?

Would verifying that the form poster is also my site do the trick? Is this possible (with HTTP_REFERER == LOCAL_ADDR, for example)? Any other thoughts?

My question doesn't pertain only to ASP/IIS but PHP and Apache or any other web technology.

jomaxx

5:51 pm on Dec 31, 2003 (gmt 0)




Verifying the HTTP_REFERER is probably a good idea, but (a) maybe 5% or 10% of the time a regular browser will leave that field blank, and (b) some robots do populate the HTTP_REFERER with valid data.

garann

7:17 pm on Dec 31, 2003 (gmt 0)




Hopefully someone will correct me if I'm wrong, but I think a submitted form will also pass along the value of its Submit button (provided an <input type="submit"> element is used, rather than submitting the form with JavaScript). You could check for the value of your submit button before sending the email, which should tell you if the request came from your page.

anallawalla

12:46 am on Jan 1, 2004 (gmt 0)




In Perl forms I check the following:

PC's IP: $ENV{'REMOTE_ADDR'}
Real address: $ENV{'HTTP_X_FORWARDED_FOR'}
Proxy: $ENV{'HTTP_VIA'}
Browser: $ENV{'HTTP_USER_AGENT'}
Applications: $ENV{'HTTP_ACCEPT'}
Host: $ENV{'HTTP_HOST'}
Language: $ENV{'HTTP_ACCEPT_LANGUAGE'}

because sometimes you don't get one of the IP addresses.

wickydoodah

6:17 pm on Jan 1, 2004 (gmt 0)




One thing to consider when using "HTTP_REFERER" to prevent hijacking of your forms...

Visitors running Internet privacy software (such as Norton Internet Security) could have their privacy settings set much too high, and if so, the HTTP_REFERER info will NOT be available. If your form checks for a valid referer address before allowing it to be submitted, it will fail since it thinks the form was "hijacked".

My ISP routinely checks the HTTP_REFERER info as part of their form-to-email scripts to prevent similar hijackings (spam). If no valid referer address is reported, the form is prevented from being sent. Consequently, approximately 10% of our users can't use our online forms since they surf the Internet with very high settings in NIS (or similar software). And they REALLY complain when they've filled out a long form only to find out at the end that it will not submit (due to missing or invalid referer info). Since the ISP controls the form-to-email script, I can't remove or alter this "spam" check.

My solution was to check for a valid HTTP_REFERER address when the visitor loads the form into their browser. If the referer info is missing, I redirect them to a page that tells them their privacy settings are set too high and they cannot use the form as it won't submit. I also include some instructions on that page on how to change their privacy settings so they can successfully use the form. Not the best solution, but at least it keeps them from filling out the form only to discover they can't send it.

I would suggest that if you use the HTTP_REFERER check, be sure to redirect them to a page (if invalid referer info) that tells them their privacy settings may be too high. That will help stop your hijackings (since the form wasn't sent) but also deals with those visitors with high privacy settings.
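The three-way split wickydoodah describes (same-site referer, missing referer, foreign referer) as an added example, not code from the thread or from any poster's script. It assumes CGI-style variables in a dict, a hostname list `allowed_hosts`, and the constructed sample requests shown; the point is that "missing" is routed to a help page while only "foreign" is dropped, and that the host comparison is on the parsed hostname rather than a substring match.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not real traffic), keyed by what they stand for.
SAMPLE_REQUESTS = {
    "normal browser": {"HTTP_REFERER": "http://mydomain.com/contact.htm",
                       "HTTP_USER_AGENT": "Mozilla/4.0 (constructed)"},
    "privacy software": {"HTTP_USER_AGENT": "Mozilla/4.0 (constructed)"},
    "lookalike host": {"HTTP_REFERER": "http://mydomain.com.example.net/contact.htm"},
    "own host in query": {"HTTP_REFERER": "http://example.net/?u=http://mydomain.com/"},
}

def referer_status(env, allowed_hosts):
    """Classify a request by its Referer header.

    env           -- dict of CGI-style variables (os.environ, Perl's %ENV, ...)
    allowed_hosts -- lower-case hostnames, without port, that serve the form page

    Returns 'same-site', 'missing' or 'foreign'. 'missing' is kept distinct so
    visitors whose privacy software strips the header get help, not a dropped form.
    """
    ref = env.get("HTTP_REFERER", "").strip()
    if not ref:
        return "missing"
    try:
        parts = urlsplit(ref)
        host = parts.hostname      # lower-cased, port stripped, None if absent
    except ValueError:             # e.g. malformed IPv6 literal
        return "foreign"
    if parts.scheme not in ("http", "https") or host is None:
        return "foreign"
    # Exact hostname match: "mydomain.com.example.net" must not pass.
    return "same-site" if host in allowed_hosts else "foreign"

def route_submission(env, allowed_hosts, help_url):
    """Return (action, location): 'send', 'redirect' to the help page, or 'reject'."""
    status = referer_status(env, allowed_hosts)
    if status == "same-site":
        return ("send", None)
    if status == "missing":
        return ("redirect", help_url)
    return ("reject", None)

if __name__ == "__main__":
    for label, env in SAMPLE_REQUESTS.items():
        print(label, "->", route_submission(env, ["mydomain.com"], "/privacy-help.htm"))
```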

broniusm

4:19 pm on Jan 5, 2004 (gmt 0)




Thanks, all, for the great comments and suggestions. Currently, I've implemented a http_referer==local_addr check. I plan to enhance this with a http_referer=="" check as suggested by wickydoodah.

jomaxx: You're right: headers in general can be doctored... kind of a bummer.

anallawalla: Could you elaborate? Once you *collect* that info, how does it help you to block automated form hijacking?

garann: Just a point of info: Any value can be concocted and submitted programmatically to simulate a form POST/GET. But you have a good point: maybe I could prepare a "key" of sorts based on user IP/session that cannot be guessed... interesting!

Happy New Year all!
-bronius
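A worked version of the unguessable "key" bronius sketches above, and of why the plain submit-button value (garann's suggestion) is not enough on its own: an added example, not code from the thread. It assumes a server-side secret (`SERVER_SECRET`, a constructed placeholder), a per-visitor session id the server already knows, and that the token is emitted as a hidden field when the form page is rendered. Because the token is an HMAC over the session id and issue time, a forger who can set any POST field still cannot mint one without the secret.

```python
import hashlib
import hmac
import time

# Constructed placeholder; a real deployment loads this from config, never from the form.
SERVER_SECRET = b"constructed-demo-secret-replace-me"
TOKEN_TTL_SECONDS = 3600

def _mac(session_id, issued, secret):
    msg = f"{session_id}:{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_token(session_id, now=None, secret=SERVER_SECRET):
    """Mint the hidden-field token for this session: '<issued>.<hmac>'."""
    issued = int(now if now is not None else time.time())
    return f"{issued}.{_mac(session_id, issued, secret)}"

def verify_token(token, session_id, now=None, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
    """True only if the posted token was minted here, for this session, within ttl."""
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):      # missing, malformed or non-numeric
        return False
    current = int(now if now is not None else time.time())
    if issued > current or current - issued > ttl:   # future-dated or expired
        return False
    expected = _mac(session_id, issued, secret)
    # Constant-time compare so the check leaks nothing about the expected value.
    return hmac.compare_digest(mac.encode(), expected.encode())

def accept_submission(form, session_id, now=None):
    """Decide whether a posted contact form may be turned into an email.
    The submit-button check alone is forgeable; the token check is the real gate."""
    if not form.get("email") or form.get("submit") != "Send":
        return False
    return verify_token(form.get("token", ""), session_id, now)

if __name__ == "__main__":
    sid = "sess-constructed-1"
    tok = issue_token(sid)                # rendered into <input type="hidden" name="token">
    good = {"email": "visitor@example.com", "submit": "Send", "token": tok}
    forged = {"email": "visitor@example.com", "submit": "Send", "token": "1.deadbeef"}
    print("genuine post accepted:", accept_submission(good, sid))
    print("forged post accepted: ", accept_submission(forged, sid))
```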

aevea

5:50 pm on Jan 5, 2004 (gmt 0)




Since I'm scared of using the referrer, I really like garann's idea. It's not unbeatable, but I don't think it will turn away any legitimate submissions and every little bit helps. I'm trying it in my php email form and was wondering if this seemed like a logical implementation:

...
$sub = isset($_POST['submit']) ? $_POST['submit'] : '';
// error redirecting: bounce back to the form if the email field is missing
// or the submit button value is not the one our own page sends
if (!isset($_POST['email']) || ($sub !== "Send")) {
    header("Location: http://mydomain.com/contact.htm");
    exit; // stop here, otherwise the script keeps running after the redirect
}
else if ...
Thanks,
Adam