Re: Question About Blocking Email Addresses in Forms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Jan 18, 2008 9:50 AM, Javier Huerta <jhuerta@xxxxxxxxxxxxxxxx> wrote:
> I am wondering if there is a way to block out email addresses in specific
> format from a form?  We ahve a form that people have to enter an email
> address, and the form has been getting used by bots to send spam to a
> listserv.  The email address they enter is in this type of format
> gfjhjfg@xxxxxxxxxxxx, and of course it is always just a bit different every
> time.  Any help is greatly appreciated.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Hi Javier!

At my work we had tons of issues with spam bots randomly hitting our
contact forms.  They would inject all sorts of random garbage along
with the standard email header injection attempts to try and send mass
mails through the forms.

We've worked on a standardized form processing script that has some
basic ideas implemented that has cut down on 99% of the spam in our
forms yet also does _not_ use any horrible CAPTCHA crap.  If you use
one of those you're basically saying you hate your users and want to
make them miserable.

Here are a few of the ideas we use:

- Require a user enter an email address and then validate this address
using PEAR::Validate::email() with the true parameter to resolve host
names.  That would always require at least a valid domain name.

- Filter all the fields against a set of invalid keywords.  Also make
this set of keywords extendable on a per site basis because some sites
get hit with different keywords.  Here is a set you can start with
array('to:','from:','cc:','bcc:','href=','url=')

- Trick the bots.  I noticed lots of forms spam scripts will use some
sort of regex to find all form fields and then inject them with any
value that they want.  Just because your form uses a select dropdown
or hidden field doesn't mean that is what you're going to get back.
Most of these things in my experience are automated so they just do a
mass search for name="".  I use this to my advantage by doing two
things.  First I have a commented out field that if it is submitted I
fail the post.  Then I also have a hidden field that has a constant
value that must remain the same.  If this value is changed (only a
spammer would do it since it's hidden) fail the post.

- Add a configurable option to ignore posts that contain the domain
name in them.  Lots of these bots will send out a test that uses
random@<the current domain of the site> as a test.  I usually enable
this feature after the client has tested their form and are happy with
it.

Make sure that if any of these conditions fail you show the form back
to the user with a helpful error message.  This way if a real user
accidently triggers any of the security measures you can let them know
how to fix it, such as removing href= from input fields.

Good luck!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux