Website form being spammed...

Associate
Joined
26 Dec 2003
Posts
2,260
Location
UK
How can I stop the email form on my site being spammed? I get 6 emails a day and it's really annoying :mad: I don't want to have to get rid of the email form though.

Any suggestions would be appreciated :)
 
Yes, it's a PHP form with the email address embedded in there. And I'm receiving email from my own email address :(

I was thinking maybe one of those "Confirm the text displayed in the image above" things. Not sure what they're called :p But it stops any bots using the system. Are these easy to implement?
 
<?php
$my_email = "Query'at'smg-computers.com";

if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}

$message = "";

while(list($key,$value) = each($_POST)){
    if(!(empty($value))){$set=1;}
    $message = $message . "$key: $value\n\n";
}
if($set!==1){header("location: $_SERVER[HTTP_REFERER]");exit;}

$message = $message;
$message = stripslashes($message);

$subject = "SMG Query - " . stripslashes($_POST['Subject']);
$headers = "From: " . $_POST['Email'] . "\n" . "Return-Path: " . $_POST['Email'] . "\n" . "Reply-To: " . $_POST['Email'] . "\n";

mail($my_email,$subject,$message,$headers);

?>

I've changed the email address in the code and removed the @
 
if (isset($_POST['Confirm']))
{
    mail($my_email,$subject,$message,$headers);
}
else
{
    echo "Please check the tick box confirming your details."?><a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true"> <br>Back </a><?php ;
    exit;
}

Great idea mate. Will let you know if it works :)
 
oh no :( I was premature with my celebration...

Just received 4 spam emails all of which used the email form :( Hooooooow?!
 
Code now looks like this:

<?php
$my_email = "Query'at'smg-computers.com";
$email = $_POST['Email'];
$subjectcmp = $_POST['Subject'];
$comments = $_POST['Comments'];

// This line prevents values being entered in a URL

if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}

$message = "";

// This line prevents a blank form being sent

while(list($key,$value) = each($_POST)){
    if(!(empty($value))){$set=1;}
    $message = $message . "$key: $value\n\n";
}
if($set!==1){header("location: $_SERVER[HTTP_REFERER]");exit;}

$message = $message;
$message = stripslashes($message);

$subject = "SMG Query - " . stripslashes($_POST['Subject']);
$headers = "From: " . (stripslashes(htmlentities($_POST['Email']))) . "\n" . "Return-Path: " . (stripslashes(htmlentities($_POST['Email']))) . "\n" . "Reply-To: " . (stripslashes(htmlentities($_POST['Email']))) . "\n";

if ($email && $subjectcmp && $message && $comments != NULL )
{
    if (strstr($email, "'at'smg-computers.com"))
    {
        echo "Invalid Email Address" ?> <a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true"> <br>Back </a> <?php ;
        exit;
    }
    else
    {
        mail($my_email,$subject,$message,$headers);
    }
}
else
{
    echo "Make sure all fields are filled in." ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> <br>Back </a> <?php ;
    exit;
}

?>

It now checks that the email address isn't my own and checks the fields aren't blank. I've removed the checkbox check as I'm hoping I don't need to include it anymore.


reset: as2677'at'smg-computers.com

Name: as2677'at'smg-computers.com

Confirm: as2677'at'smg-computers.com

Comments: as2677'at'smg-computers.com

Email: as2677'at'smg-computers.com

Subject: and
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: could not afford for the
bcc: [email protected]

8b13864ee0469736d57002df9366cb42

That's what the spam looks like as well.

All of the emails are BCC'd to the same email address as well.
 
It's always to the domain 'at'smg-computers.com, but the first parts are different. Usually a random word followed by random numbers. Hopefully blocking my domain will work as only I use my domain, and I'm not gonna email myself :p

Cheers for the help Sic. I'm wondering if there's any kind of script to mess with the person's computer, or maybe obtain more information about the person spamming me? I.e., if the person tries to send an email using 'at'smg-computers, it's no doubt the spammer, so could I use php or javascript to load some kind of webpage (;)) or run some kind of process on their machine?
 
I'm sure there's a site (probably loads of them), that repeatedly opens internet browsers. Maybe it would take his computer down? Maybe those websites display nasty images and rude sounds as well :D
 
Well if it took his PC down, it would stop him spamming other people (again, assuming it's a he :p). It would teach him a lesson for spamming me in the first place (maybe)! I hate spammers :mad: And spamming a spammer doesn't make me a spammer :D
 
Ok, well I've added an email validation method and a check to make sure it's not using my email address. We'll see if this has worked tomorrow :\ *fingers crossed*

Thanks for all the suggestions so far. If this doesn't work, I'll try your other ideas :)
 
Well, for the past 2 days I've been spam free, so the changes made must have had some effect. Let's hope it stays that way!

For D4VE and others who want to use it, these are the changes I made.

function check_email_address($email) {
    // First, we check that there's one @ symbol, and that the lengths are right
    if (!ereg("[^@]{1,64}@[^@]{1,255}", $email)) {
        // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
        return false;
    }
    // Split it into sections to make life easier
    $email_array = explode("@", $email);
    $local_array = explode(".", $email_array[0]);
    for ($i = 0; $i < sizeof($local_array); $i++) {
        if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
            return false;
        }
    }
    if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
        $domain_array = explode(".", $email_array[1]);
        if (sizeof($domain_array) < 2) {
            return false; // Not enough parts to domain
        }
        for ($i = 0; $i < sizeof($domain_array); $i++) {
            if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
                return false;
            }
        }
    }
    return true;
}

When this function is called, it checks the email address is valid, so the spammer can't just put random junk as the email; it has to be a properly formatted email address. Now the code where I actually perform all the checks:

if ($email && $message && $comments != NULL )
{
    if (strstr($email, "@smg-computers.com"))
    {
        echo "Invalid Email Address" ?> <a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true"> <br>Back </a> <?php ;
        exit;
    }
    else if (check_email_address($email))
    {
        mail($my_email,$subject,$message,$headers);
    }
    else
    {
        echo $email . ' is not a valid email address.'; ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> <br>Back </a> <?php ;
        exit;
    }
}
else
{
    echo "Make sure all fields are filled in." ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> <br>Back </a> <?php ;
    exit;
}

The first If statement checks that all fields in the form are filled in. If they're filled in, check the email address doesn't end with my domain name. If it doesn't, it then calls the check_email_address function to check the email address is valid. If it returns true (the email addy is valid), the email is sent.

Hope that helps some of you :) I know it could probably be written much better than that, but it does the job.
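
The spam sample earlier in the thread shows extra header lines (Content-Type, bcc) arriving inside the Subject field, while the checks shown above are applied to the Email field. As an added example (not the poster's code; the function names, the `webform@example.com` sender and the sample inputs are assumptions constructed here), this rejects line breaks in every value that reaches a mail header and keeps the visitor's address out of From:

```php
<?php
// Added example, not the poster's code. Names and addresses are illustrative.
const SITE_FROM = 'webform@example.com'; // placeholder fixed sender

// CR or LF ends a header line, so a value containing either must never be
// concatenated into the subject or the additional headers.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns ['ok' => true, 'subject', 'headers', 'body'] or ['ok' => false, 'error'].
function build_mail(array $post): array
{
    $email   = (string)($post['Email'] ?? '');
    $subject = (string)($post['Subject'] ?? '');
    $comment = (string)($post['Comments'] ?? '');

    if ($email === '' || $subject === '' || $comment === '') {
        return ['ok' => false, 'error' => 'missing field'];
    }
    if (has_line_break($email) || has_line_break($subject)) {
        return ['ok' => false, 'error' => 'line break in header field'];
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid email address'];
    }
    return [
        'ok'      => true,
        'subject' => 'SMG Query - ' . $subject,
        // Fixed From; the visitor's address appears only in Reply-To.
        'headers' => 'From: ' . SITE_FROM . "\r\nReply-To: " . $email,
        // Free text belongs in the body, where line breaks are harmless.
        'body'    => "Email: $email\n\nComments:\n$comment\n",
    ];
}

// Constructed inputs: the first mirrors the shape of the spam shown in the thread.
$samples = [
    ['Email' => 'as2677@example.com', 'Comments' => 'x',
     'Subject' => "and\nContent-Type: text/plain\nbcc: someone@example.net"],
    ['Email' => 'visitor@example.org', 'Comments' => "Line one\nLine two",
     'Subject' => 'Quote request'],
];
foreach ($samples as $post) {
    $r = build_mail($post);
    echo $r['ok'] ? "accept: {$r['subject']}\n" : "reject: {$r['error']}\n";
}
```

A caller would hand `subject`, `body` and `headers` to `mail()` only when `ok` is true.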
 
Absomalutely said:
You say these are all coming 'from your domain name'. Why didn't you just set up a rule in outlook express / email of your choice to delete everything from your domain instead of your email address? Would have been a lot quicker and easier surely :p

That's the easy way of solving it :p I wanted to stop it at the source and stop getting them altogether, rather than just set up a rule in an email client.

Some of the emails were from my domain. But when I blocked emails being sent from my domain, the spammer just put random text into the email form (e.g. "his34534"), which then sent emails from addresses like "[email protected]" - which I assume is the address of the SMTP server or something? Anyway, this address changed every time, so it would have been difficult to stop. The only way to do it was to make sure people enter valid email addresses and that they're not coming from my domain. Hope that makes sense :p

I've not got a lot else to do atm anyway, so coding is a good way to spend my time :)
 