PHP Form Spam.. HELP

Posted By: dpeddle ()
Posted On: 2005-Sep-12 21:17

One of my clients is getting hit with 100 fake emails filling out his webform every day using emails like ghsahas @ hisdomain.com

I have 2 ideas but need some help implementing them:

1) PHP function to check $Email to see if the domain is his domain.... if it is... reject the email. This is because all of the fakes use his domain name.

2) How to install a captcha (?) ... the image security script that many forms now use... I would like one that does not require a database.




Posted By: lizardz ()
Posted On: 2005-Sep-12 23:01

Yes, I just had that problem, it's actually not that hard to fix.

I just added this code right before the main error detection component:

$error = '';

........ get all the email form data

$ems = '';

// stop email server hacks
$ems .= $message;
$ems .= $subject;
$ems .= $address;

if ( stristr( $ems, 'content-type:' )
    || stristr( $ems, 'multipart/mixed' )
    || stristr( $ems, 'boundary="' )
    || stristr( $ems, 'cc:' )
    || stristr( $ems, 'multi-part message in mime format' )
    || stristr( $ems, 'to:' )
    || preg_match( '/%[a-f0-9]/i', $ems )
    || stristr( $ems, '0x' ) )
// the last two are in case they try using hex or other non standard characters
{
    $error .= "<p>Don't bother</p>";
}

if ( $error )
{
    echo $error;
}
else
{
...... finish email sending

Those guys are using what's called email injection, where they simply inject into your form fields using an automated bot extra header information so your script can be used to send out spam.

There are other ways to deal with it; this one seems to be working fine.


[ Message was edited by: lizardz 09/12/2005 04:46 pm ]




Posted By: redgtsviper ()
Posted On: 2006-Feb-28 03:26

How can this be added to my code? I am new to PHP; it is still Greek to me.

Here is my code

<?php
// Build the message body from the submitted form fields
$msg = "My Website Online Contact Submission\n";
$msg .= "Name: $name\n";
$msg .= "Comments: $emailAddress\n\n";
$msg .= "Comments: $phone\n\n";
$msg .= "Comments: $message\n\n";

// Edit if it is necessary
$to = "$toaddress";
$subject = "CONTACT PAGE FROM WEBSITE";
// The submitted address is placed directly into the mail headers
$mailheaders = "From: Website Submission Form <$emailAddress>\n";
$mailheaders .= "Reply-To:$Email_Address <$emailAddress>\n\n";
// Mail to address
mail ( $to, $subject, $msg, $mailheaders );

?>
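
An added example, not part of any post in this thread: one way to put a header-injection check in front of a handler like the one above, combined with the first poster's idea of rejecting senders that claim the site's own domain. `SITE_DOMAIN`, the function names and the sample submissions are assumptions made for illustration; the field names follow the handler above.

```php
<?php
// Added example, not code from the thread. SITE_DOMAIN is a placeholder.
const SITE_DOMAIN = 'example.com';

// A CR or LF in a value that ends up in a mail header lets a bot append its
// own Cc:, Bcc: or Content-Type: lines, so such values are rejected outright.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the reasons to reject a submission; an empty array means "send it".
function check_submission(array $form): array
{
    $errors = [];
    $email  = $form['emailAddress'] ?? '';
    if (has_line_break($email)) {
        $errors[] = 'line break in e-mail field';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid e-mail address';
    } elseif (strcasecmp(substr(strrchr($email, '@'), 1), SITE_DOMAIN) === 0) {
        $errors[] = 'sender claims the site domain';
    }
    return $errors;
}

function send_contact_mail(array $form, string $to): bool
{
    if (check_submission($form) !== []) {
        return false;                       // nothing is mailed
    }
    $msg = "My Website Online Contact Submission\n"
         . "Name: " . ($form['name'] ?? '') . "\n"
         . "Phone: " . ($form['phone'] ?? '') . "\n\n"
         . "Message: " . ($form['message'] ?? '') . "\n";
    // Only the validated address reaches the headers; the subject is fixed.
    $headers = "From: Website Submission Form <{$form['emailAddress']}>\r\n"
             . "Reply-To: <{$form['emailAddress']}>";
    return mail($to, 'CONTACT PAGE FROM WEBSITE', $msg, $headers);
}

// Constructed sample submissions, checked without sending anything.
$samples = [
    ['emailAddress' => 'visitor@example.org', 'name' => 'A', 'message' => 'Hi'],
    ['emailAddress' => 'ghsahas@example.com', 'name' => 'B', 'message' => 'x'],
    ['emailAddress' => "a@example.org\r\nBcc: list@example.net", 'message' => 'x'],
];
foreach ($samples as $s) {
    echo json_encode($s['emailAddress']), ' => ', implode('; ', check_submission($s)) ?: 'ok', "\n";
}
```

Only the e-mail field is checked for line breaks because it is the only submitted value the handler puts into a header; name, phone and message go into the body.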