On Jan 18, 2008 9:50 AM, Javier Huerta <jhuerta@xxxxxxxxxxxxxxxx> wrote:
> I am wondering if there is a way to block out email addresses in specific
> format from a form? We have a form that people have to enter an email
> address, and the form has been getting used by bots to send spam to a
> listserv. The email address they enter is in this type of format
> gfjhjfg@xxxxxxxxxxxx, and of course it is always just a bit different every
> time. Any help is greatly appreciated.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Hi Javier!

At my work we had tons of issues with spam bots randomly hitting our contact forms. They would inject all sorts of random garbage along with the standard email header injection attempts to try and send mass mails through the forms.

We've worked on a standardized form processing script that has some basic ideas implemented and has cut down on 99% of the spam in our forms, yet also does _not_ use any horrible CAPTCHA crap. If you use one of those you're basically saying you hate your users and want to make them miserable.

Here are a few of the ideas we use:

- Require a user to enter an email address and then validate this address using PEAR::Validate::email() with the true parameter to resolve host names. That would always require at least a valid domain name.

- Filter all the fields against a set of invalid keywords. Also make this set of keywords extendable on a per-site basis because some sites get hit with different keywords. Here is a set you can start with: array('to:','from:','cc:','bcc:','href=','url=')

- Trick the bots. I noticed lots of form spam scripts will use some sort of regex to find all form fields and then inject them with any value that they want. Just because your form uses a select dropdown or hidden field doesn't mean that is what you're going to get back. Most of these things in my experience are automated, so they just do a mass search for name="". I use this to my advantage by doing two things. First I have a commented-out field that, if it is submitted, I fail the post. Then I also have a hidden field that has a constant value that must remain the same. If this value is changed (only a spammer would do it since it's hidden) fail the post.

- Add a configurable option to ignore posts that contain the domain name in them. Lots of these bots will send out a test that uses random@<the current domain of the site> as a test. I usually enable this feature after the client has tested their form and is happy with it.

Make sure that if any of these conditions fail you show the form back to the user with a helpful error message. This way if a real user accidentally triggers any of the security measures you can let them know how to fix it, such as removing href= from input fields.

Good luck!
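The checks described in the reply above, collected into one screening function as an added example (this is not code from the thread or from any project; the field names, the keyword list, the token value and the use of filter_var()/checkdnsrr() in place of PEAR::Validate are assumptions):

```php
<?php
// Added example, not from the thread. Field names, keyword list and the token
// value are assumptions; the MX lookup is off by default so it runs offline.
const INVALID_KEYWORDS = ['to:', 'from:', 'cc:', 'bcc:', 'href=', 'url='];
const TRAP_FIELD  = 'website';  // rendered inside an HTML comment; people never see it
const TOKEN_FIELD = 'form_key'; // hidden field that must come back unchanged
const TOKEN_VALUE = 'k7f3';     // the constant written into the form (assumed)
// Returns human-readable error messages; an empty array means the post passed.
// $site_domain enables the "contains our own domain" rule ('' disables it).
function screen_submission(array $post, string $site_domain = '', bool $check_dns = false): array
{
    $errors = [];
    // 1. Trap field: only a script that fills every name="" it finds will send it.
    if (array_key_exists(TRAP_FIELD, $post)) {
        $errors[] = 'Unexpected field submitted.';
    }

    // 2. Hidden constant must be present and unmodified.
    if (($post[TOKEN_FIELD] ?? null) !== TOKEN_VALUE) {
        $errors[] = 'Form token missing or altered; please reload the form.';
    }

    // 3. Email must parse and, optionally, its domain must resolve (MX or A).
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    } elseif ($check_dns) {
        $host = substr(strrchr($email, '@'), 1);
        if (!checkdnsrr($host, 'MX') && !checkdnsrr($host, 'A')) {
            $errors[] = 'The domain in your email address does not resolve.';
        }
    }

    // 4. Keyword filter over every field (header-injection tokens and links).
    foreach ($post as $name => $value) {
        foreach (INVALID_KEYWORDS as $kw) {
            if (stripos((string)$value, $kw) !== false) {
                $errors[] = "Please remove '$kw' from the $name field.";
                break;
            }
        }
    }

    // 5. Optional: reject posts that mention the site's own domain.
    if ($site_domain !== '' && stripos(implode("\n", $post), $site_domain) !== false) {
        $errors[] = "Please do not include $site_domain in the form.";
    }
    return $errors;
}
```

On the form page, emit the trap as `<!-- <input name="website"> -->` and the token as `<input type="hidden" name="form_key" value="k7f3">`; when screen_submission($_POST, 'example.org') returns a non-empty array, redisplay the form with those messages so a real user can correct the input.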