I suspect this is done in an automated manner instead of someone entering the info by hand. Is there any way I can stop this with PHP without affecting the valid submissions?
1. Specify The Recipient Address In A Variable
This means doing something like this:
$recipient = "youremail@domain.com";
mail($recipient, $subject, $message, $headers);
Always hold the recipient address in code, never as a form variable and absolutely never let the user enter the recipient address.
2. Verify The Sender's Domain/IP
This means having a list with your site's domain name and/or IP address in it, as follows:
$referers = array ('somedomain.com','www.somedomain.com','121.0.0.111');
Replace somedomain.com and 121.0.0.111 with your own domain and IP address details (the server's IP, that is). Having the plain domain, the 'www' prefixed domain and the IP address means that it covers all possible access paths to your site.
We then need a function that checks this against the browser to make sure that the browser is actually at your site. The following is an example of such a function:
function check_referer($referers)
{
    // If there are any referrers in the list ...
    if (count($referers))
    {
        $found = false;
        // Use the browser's referrer header (it may be missing entirely).
        $raw  = getenv("HTTP_REFERER") ? getenv("HTTP_REFERER") : "";
        $temp = explode("/", $raw);
        $referer = isset($temp[2]) ? $temp[2] : "";
        if ($referer == "" && isset($_SERVER['HTTP_REFERER']))
        {
            // Fallback: drop the scheme, then keep the host part.
            // (explode() replaces the removed split() function.)
            $referer = $_SERVER['HTTP_REFERER'];
            $parts = explode('//', $referer, 2);
            $stuff = isset($parts[1]) ? $parts[1] : "";
            $parts = explode('/', $stuff, 2);
            $referer = $parts[0];
        }
        // Check against the list. stripos() replaces the removed eregi();
        // note this is a case-insensitive substring match, so a stricter
        // script would compare the whole host exactly instead.
        for ($x = 0; $x < count($referers); $x++)
        {
            if (stripos($referer, $referers[$x]) !== false)
            {
                $found = true;
            }
        }
        // Referrer is blank.
        if ($referer == "")
            $found = false;
        if (!$found)
        {
            // You might alter this to print some sort of error of your own.
            // print_error() is not defined in this snippet; supply your own.
            print_error("You are coming from an <b>unauthorized domain.</b>");
            error_log("[FormMail.php] Illegal Referer. (" . $raw . ")", 0);
        }
        return $found;
    }
    else
    {
        return true;
    }
}
So, then we check it in the code and bail out if it's an invalid referer, thus:
if (!check_referer($referers))
{
// Bang, wallop and exit.
}
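As an added example (not code from the post above): a handler that applies both points, keeping the recipient fixed in code and comparing the Referer host exactly against the allow-list rather than as a substring. RECIPIENT, ALLOWED_HOSTS, referer_host(), referer_allowed() and handle_form() are names chosen for this example; $post and $server stand in for $_POST and $_SERVER so it can run from the command line on constructed input.

```php
<?php
// Added example, not code from the thread: contact-form handler with a fixed
// recipient and an exact Referer host check. All names below are assumptions.

const RECIPIENT     = 'youremail@domain.com';   // fixed in code, never read from the form
const ALLOWED_HOSTS = ['somedomain.com', 'www.somedomain.com', '121.0.0.111'];

// Host part of a Referer URL, lower-cased, or '' when the header is missing
// or is not a parseable absolute URL.
function referer_host(string $referer): string
{
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

// Exact match against the list: a substring or regex test would also accept
// look-alike hosts such as 'somedomain.com.example'; an exact comparison does not.
function referer_allowed(string $referer, array $allowed): bool
{
    $host = referer_host($referer);
    return $host !== '' && in_array($host, $allowed, true);
}

// Validate one submission. Returns the mail() parameters on success, or null
// when the post is rejected (the reason is written to the error log).
function handle_form(array $post, array $server): ?array
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if (!referer_allowed($referer, ALLOWED_HOSTS)) {
        // Drawback of this check: browsers behind some proxies or firewalls
        // send no Referer at all, so those visitors are rejected here too.
        error_log('[contact.php] rejected, referer: "' . $referer . '"');
        return null;
    }
    $message = trim($post['message'] ?? '');
    if ($message === '') {
        error_log('[contact.php] rejected, empty message');
        return null;
    }
    // Subject and headers are fixed in code as well; only the body is user text.
    return [
        'to'      => RECIPIENT,
        'subject' => 'Website contact form',
        'message' => $message,
        'headers' => 'From: ' . RECIPIENT,
    ];
}

// Constructed sample requests (no real traffic):
$good      = handle_form(['message' => 'Hello'],   ['HTTP_REFERER' => 'http://www.somedomain.com/contact.php']);
$lookalike = handle_form(['message' => 'Buy now'], ['HTTP_REFERER' => 'http://somedomain.com.example/']);
$blank     = handle_form(['message' => 'Hello'],   []);

if ($good !== null) {
    // In the real script this is the only place mail() is called:
    // mail($good['to'], $good['subject'], $good['message'], $good['headers']);
    echo 'accepted for ' . $good['to'] . "\n";
}
echo 'look-alike host: ' . ($lookalike === null ? 'rejected' : 'accepted') . "\n";
echo 'blank referer:   ' . ($blank === null ? 'rejected' : 'accepted') . "\n";
```

The trade-off is the one the thread goes on to discuss: an exact, non-blank Referer requirement stops the generic bot but also drops legitimate visitors whose browser or proxy strips the header, so the rejection branch should at least log enough to see how often that happens.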
What you need is "The CAPTCHA Project".
[captcha.net...]
You might have seen it in action at various places on the internet, inc. Yahoo, Hotmail etc.
Saurabh.
flood6: I don't think their program cares about how you name your entry fields. It will only look for the <form> and <input name=___> tags and try to fill them out with their spam. At least that's how I would do it.
mincklerstraat: that's a good idea.
disoft: I was thinking about using referrer as a solution, but I realized that some users behind a firewall may have their referrer as blank. I certainly don't want to lose a potential customer like this.
lazydog: that's a good idea. But with the small volume of the emails I get, the solution is overkill for me right now.
Any other ideas? I got 2 emails from this web spammer over the weekend.
Now have the form processing script return an error message or discard any posts that leave the subject at its default value or send a subject that is not on the list of options.
Alternatively, for a simple form spam robot, you could use text turing numbers instead of images (captcha is just another form of turing numbers).
Most of these bots are pretty generic, they can't react to anything unexpected... you just have to make it a little bit harder for them and they'll stop.
If there were, the only option would be graphical turing numbers. While there is software that can read these (contrary to what captcha says) it's not publicly available and people who can write it aren't wasting their time on spam bots.
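An added example (not code from the post above) of the two checks suggested here: rejecting any post whose subject is still the default or is not one of the <select> options, and a "text turing number", a plain-text arithmetic question. The expected answer travels with the form as an HMAC over the answer and an expiry time, so no server-side session is needed. DEFAULT_SUBJECT, SUBJECT_OPTIONS, SECRET, subject_ok(), make_challenge(), challenge_ok() and accept_post() are names chosen for this example, and SECRET is a placeholder to be replaced per site.

```php
<?php
// Added example, not code from the thread. All names below are assumptions.

const DEFAULT_SUBJECT = 'Please choose a subject';   // the <select>'s first, unselectable option
const SUBJECT_OPTIONS = ['Sales enquiry', 'Support request', 'Other'];
const SECRET          = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';   // placeholder, set per site

// The subject must be one of the real options and not the default placeholder.
function subject_ok(string $subject): bool
{
    return $subject !== DEFAULT_SUBJECT && in_array($subject, SUBJECT_OPTIONS, true);
}

// Build the question text and a token binding its answer. Print $question in
// the form and put $token in a hidden field. $a/$b may be fixed for testing.
function make_challenge(?int $a = null, ?int $b = null): array
{
    $a = $a ?? random_int(1, 9);
    $b = $b ?? random_int(1, 9);
    $expires = time() + 600;                       // challenge valid for 10 minutes
    $answer  = (string)($a + $b);
    $mac     = hash_hmac('sha256', $answer . '|' . $expires, SECRET);
    return [
        'question' => "What is $a plus $b? (type the number)",
        'token'    => $expires . ':' . $mac,
    ];
}

// True when the submitted answer matches the token and the token has not expired.
function challenge_ok(string $answer, string $token): bool
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $token, $m)) {
        return false;                              // malformed or tampered token
    }
    if ((int)$m[1] < time()) {
        return false;                              // expired
    }
    $expected = hash_hmac('sha256', trim($answer) . '|' . $m[1], SECRET);
    return hash_equals($expected, $m[2]);          // constant-time comparison
}

// Both checks must pass before the script goes on to send the mail.
function accept_post(array $post): bool
{
    return subject_ok($post['subject'] ?? '')
        && challenge_ok($post['answer'] ?? '', $post['token'] ?? '');
}

// Constructed demo input (a generic bot leaves the subject alone and cannot
// answer the question, so the second and third posts are discarded):
$c = make_challenge(3, 4);
var_dump(accept_post(['subject' => 'Sales enquiry',   'answer' => '7', 'token' => $c['token']]));
var_dump(accept_post(['subject' => DEFAULT_SUBJECT,   'answer' => '7', 'token' => $c['token']]));
var_dump(accept_post(['subject' => 'Other',           'answer' => '8', 'token' => $c['token']]));
```

Because the token only binds the answer and an expiry, one correct answer/token pair could be resubmitted until it expires; for a low-volume contact form that is usually acceptable, and if it becomes a problem the token can additionally carry a single-use nonce recorded server-side.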
Prior:
- Popup form so only javascript included browsers could actually message
- Any from email address accepted
- Quick send straight through to email.
So spammers started manually! filling in hundreds of forms with the same gumph - and clicking the send button - thus spamming the users of the site.
Now:
- Everything goes into a database
- Email confirmation required for non-users of the site.
- Users can mark a mail as spam - if enough prior emails - contact details or content match - the mail is not sent.
It's been running 2 weeks and spam has dropped to 0. But those extra steps have ruined the quick efficient mailing process I had before - *sigh* - spammers are ruining the internet.