We received a complaint about spamming through a contact-us PHP script. How can we prevent it? We disabled it and the client went mad. Can we optimize it, or can we prevent the abuse?
thanks
shann
The only way to prevent it is to secure the script (i.e. rewrite it so that spammers cannot connect to it and send spam through it).
Or change it for a more secure script.
█ HostOrca - hostorca.co.uk
█ UK and US Reliable Shared Hosting Solutions
█ Where Customer Service Counts!
Spammers inject headers into some of the fields, which allows them to send out spam.
I've been able to stop it by putting all of the fields filled out by a visitor in the body. For example:
$name
$subject
$comment
Might be filled out by a visitor and passed on to be processed. I'll then do something like:
<?php
// Visitor-supplied fields from the form
$name    = $_POST['name'];
$email   = $_POST['email'];
$subject = $_POST['subject'];
$comment = $_POST['comment'];

$to       = "myEmail@address.com";
$subject2 = "Contact Request";
$body = "
Contact Information
Name: $name
E-mail: $email
Subject: $subject
Comments:
$comment";
// Visitor input only ever appears in the body; the From: header is our own fixed address
mail($to, $subject2, $body, "From: $to");
This way anything they try to inject into the headers can't be done as it's in the body of the email.
Chris
You can also use a session to create some type of unique hash value with some key types.
Then add that value to a session variable.
Pass the session ID through the form.
Grab the session ID and retrieve the variable.
Then reverse the hash process to ensure it's a valid hash that is associated with the session ID; then, once the email is sent successfully, unset and destroy the session.
This also keeps users from clicking the refresh key to send more spam.
You're golden.
This also makes users visit the form page to send email, and not just post directly to your mail function.... get it?
I just put the following at the top of any questionable script:
PHP Code:
include 'antispam.php';
The antispam.php script is a script that checks for bogus POST variable attempts and dies if it finds any. That way you don't have to go through and fix all the broken contact scripts on your server.
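Pulling Chris's "everything in the body" fix and the antispam.php idea together, here is an added example (not code from either poster) of what the injection looks like and what the two defences do. It needs PHP 7.4 or later; the function names, the `$spamPayload`, the `$post` array and `owner@example.com` are all constructed for the demonstration and are not from the thread.

```php
<?php
// Added example, not from the thread. Shows why gluing visitor input into the
// $additional_headers argument of mail() lets spammers add their own headers,
// then two defences: reject CR/LF in every POST field (what a drop-in
// antispam.php can do) and keep visitor data in the body under a fixed From:.

// Constructed spammer payload for the "email" field. The CRLF ends the From:
// line; everything after it is parsed by the MTA as a second header.
$spamPayload = "visitor@example.com\r\nBcc: victim1@example.net, victim2@example.net";

// The vulnerable pattern: a visitor-controlled value concatenated into headers.
function buildHeadersVulnerable(string $visitorEmail): string
{
    return "From: $visitorEmail\r\n";
}

// Returns the names of POST fields containing CR, LF or NUL. An antispam.php
// include can run this over $_POST and die() if the list is not empty.
function fieldsWithHeaderInjection(array $post): array
{
    $bad = [];
    foreach ($post as $field => $value) {
        if (is_string($value) && preg_match('/[\r\n\x00]/', $value)) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// The safe pattern: fixed From:, fixed Subject:, visitor data only in the body.
// Returns [$to, $subject, $body, $headers], the arguments you would hand to mail().
function buildContactMail(array $post, string $to): array
{
    $name    = $post['name']    ?? '';
    $email   = $post['email']   ?? '';
    $subject = $post['subject'] ?? '';
    $comment = $post['comment'] ?? '';

    // Collapse line breaks in the one-line fields so each label stays on its line.
    $oneLine = fn(string $s): string => str_replace(["\r", "\n"], ' ', $s);

    $body = "Contact Information\n"
          . "Name: "    . $oneLine($name)    . "\n"
          . "E-mail: "  . $oneLine($email)   . "\n"
          . "Subject: " . $oneLine($subject) . "\n"
          . "Comments:\n" . $comment . "\n";   // free text is fine in the body

    // From: is our own address. Reply-To: is added only for a syntactically valid
    // address; filter_var rejects anything containing CR or LF.
    $headers = "From: $to\r\n";
    if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $headers .= "Reply-To: $email\r\n";
    }
    return [$to, 'Contact Request', $body, $headers];
}

// Constructed POST data as a spam bot would submit it.
$post = [
    'name'    => 'Spammer',
    'email'   => $spamPayload,
    'subject' => 'Hello',
    'comment' => 'buy stuff',
];

echo "--- vulnerable headers (note the injected Bcc:) ---\n";
echo buildHeadersVulnerable($post['email']), "\n";

$bad = fieldsWithHeaderInjection($post);
if ($bad) {
    echo "antispam check: header injection in field(s) ", implode(', ', $bad), "\n";
    // In a real antispam.php this is where you would die('Bad request');
}

[$to, $subj, $body, $headers] = buildContactMail($post, 'owner@example.com');
echo "--- safe headers ---\n", $headers, "--- body ---\n", $body;
```

Run it from the command line with `php example.php`: the vulnerable builder emits a Bcc: line the site owner never wrote, the field check names the `email` field, and the safe builder produces only a From: header (the payload fails `filter_var`, so no Reply-To: is set) with the Bcc text sitting harmlessly inside the body. One further check worth making on any old contact script: the recipient must be hard-coded as it is here, never taken from a hidden form field, or the spammer simply chooses the destination.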
Originally Posted by t9clkclnr
This is actually a really nice solution.
You don't need to make the hash unique though; it's enough to use a session on the server. To get something like this to work, change the extension of the form HTML file from .htm to .php, and add the following line in it somewhere:
PHP Code:
<?php session_start(); $_SESSION['unsent'] = 1; ?>
then in your submit script add the following lines:
PHP Code:
<?php
session_start();
if (empty($_SESSION['unsent'])) { die("no session or already sent"); }
$_SESSION['unsent'] = 0;
I'm not sure if I got this right and it's entirely untested, but it's close.
For the accuracy of checking whether the session variable is set, it is better to use boolean values and the 'identical' operator.
e.g.
PHP Code:
<?php
session_start();
$_SESSION['unsent'] = true;
// .....
if ($_SESSION['unsent'] === true) {
// ....
}
?>
Originally Posted by webignition
I think it's true that I should have used "true" instead of "1", just to make the code a little more self-documenting. I can't see any value at all in using the identical operator here, but perhaps I'm missing something. Perhaps if the code was more complex there might be some value, but not here.
The empty() function I used is a PHP builtin that returns true if a variable is unset or has null or "" or 0 (i.e. zero) in it.
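The session-flag idea in the posts from t9clkclnr, brianoz and webignition above, written out as an added example (not code from any of them) as a single-use token rather than a fixed `1`/`true` flag. The functions take the session array by reference so the file runs from the CLI with a plain array; in real scripts you pass `$_SESSION` after `session_start()`. `TOKEN_KEY`, the function names and the hidden-input name are my own choices, not from the thread.

```php
<?php
// Added example, not from the thread. The form page issues a random token and
// stores it in the session; the submit script accepts it exactly once. That
// refuses a refresh/resubmit and a direct POST that never loaded the form,
// which is what the posts above set out to achieve with $_SESSION['unsent'].

const TOKEN_KEY = 'contact_token';

// Form page: call after session_start() and embed the value in a hidden input.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));   // unguessable, unlike a fixed flag
    $session[TOKEN_KEY] = $token;
    return $token;
}

// Submit script: true once for a valid token, then the token is gone.
function consumeFormToken(array &$session, ?string $submitted): bool
{
    $expected = $session[TOKEN_KEY] ?? null;
    if ($expected === null || $submitted === null) {
        return false;                 // no session at all, or form never visited
    }
    unset($session[TOKEN_KEY]);       // single use whatever the outcome
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// --- CLI walk-through with a plain array standing in for $_SESSION ---
$session = [];

// 1. Visitor loads the form page.
$token = issueFormToken($session);
echo "hidden input value: $token\n";

// 2. Visitor submits the form with that token: accepted.
echo "first submit:   ", consumeFormToken($session, $token) ? "sent" : "refused", "\n";

// 3. Same POST replayed with the refresh key: token already spent.
echo "refresh replay: ", consumeFormToken($session, $token) ? "sent" : "refused", "\n";

// 4. Spam bot POSTs straight to the mail script without loading the form.
$botSession = [];
echo "direct POST:    ", consumeFormToken($botSession, 'guess') ? "sent" : "refused", "\n";

// 5. Live session but wrong token: refused, and the token is burned anyway.
issueFormToken($session);
echo "wrong token:    ", consumeFormToken($session, 'wrong') ? "sent" : "refused", "\n";
```

In the form page (now a .php file, as brianoz says) the glue is `<?php session_start(); $token = issueFormToken($_SESSION); ?>` followed by `<input type="hidden" name="token" value="<?= htmlspecialchars($token) ?>">`; in the submit script, after `session_start()`, `if (!consumeFormToken($_SESSION, $_POST['token'] ?? null)) { die("no session or already sent"); }` before calling mail(). Note the limit of this technique: a bot that keeps its cookies and fetches the form page first will pass the check, so it stops blind direct POSTs and refresh floods, not a determined spammer, and belongs alongside the header-injection check rather than instead of it.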
Last edited by brianoz; 08-16-2006 at 09:44 AM.