How Can I Stop Email Spammers Abusing My Web Contact Form?

HairyArse

Hi guys,

I have a contact form on my website which appears to be being used by email spammers - at one point my website was taken down by my hosts as my account was suspended as I was apparently sending a lot more than the allowed 150 emails an hour.

The reason I suspect it's my web form is that I receive a lot of spam supposedly sent through the actual web form so I'm sure it's the culprit.

The problem is, I can't see what I can do differently to my web form to stop this from happening. It's a very straight forward form that uses the mail function to send an email should anyone fill out the form.

Not sure it matters but I've added the main crux of the code below:


$Submit=$_POST['Submit'];
if (isset($Submit))
{


//the function escapeshellarg helps prevents users from entering malicous code into the form.

$name = $_POST['name'];
$name = escapeshellarg($name);

$emailadd = $_POST['email'];
$emailadd = escapeshellarg($emailadd);

$comments = $_POST['comments'];
$comments = escapeshellarg($comments);

$email = "$name\n\nWho can be contacted by emailing\n$emailadd\n\nSaid:\n\n$comments";

echo("<br><br>Thank you for filling in our contact form $name.<br><br> Your comments<br><br> <i>'$comments'</i><br><br> will be read and an appropriate response sent shortly.<br><br><hr><br>");

$headers = 'From: ' . $name . "\r\nReply-To:" . $emailadd;

mail("richard@allaboutthegames.net", "AATG - Contact Form", $email, $headers); 

};

Any suggestions?

vaaaska

Well, you have no security here basically. I'd be very worried if this were my site.

You need to validate things...perhaps use a token...regex, etc. But, and this is unconventional for the type of script that it is, you should consider using the Akisment comment spam filter for this.

It will validate your fields for you and return a flag...determining whether it's spam or not. I've been using this for awhile now and I'm amazed by how well it works (no spam has gotten through...and no honest comments have been tagged as spam).

http://akismet.com/development/

Grab whichever version you need...get a free WordPress key and set it up. Super simple...

HairyArse

Thanks for your reply Vaaaska and that solution looks like it might actually work but is there any chance the email spammer are bypassing the form and any validation altogether? If so wouldn't that render the above competely useless?

napasteve

Newbie here....

I deleted the contact form on my site, but spammers are still able to post? how do I stop this?

bradgrafelman

Try checking if your e-mail server is an open relay, using services such as this one or even this one.

Tyree

napasteve,
If the script is still on your site, the spammer can still use it, they don't care if just the html form is gone. Make sure the actual script is gone too!

Tyree

HairyArse,

This is a script I currently use for my email forms. It generates a random var that makes it hard for the spammer to spoof.

function validateEmail($email)
  {
    return (eregi("^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$",
                  $email));
  }

$recipient = 'your email here';
$defaultSubject = "Your Subject Here";

unset($message);

  switch ($_POST['submit'])
  {
      case FALSE:

    $messageVariable = 'msg' . md5(rand());

    break;

  default:

    foreach ($_POST AS $key=>$value)
       $$key = trim($value);

    if (!(strlen($name)))
       $___errors["name"] = "Please enter your name.";

    if (!(validateEmail($email)))
       $___errors["email"] = "Please enter a valid e-mail address.";

    if (!(strlen($$messageVariable)))
       $___errors["message"] = "Please enter a message.";

    if (count($___errors))
    {
       $___m = join("&nbsp;&nbsp;", $___errors);
       break;
    }

    $message = $$messageVariable;

    $subject = $defaultSubject;

    $headers  = "From: $name <$email>\n";
    $headers .= "X-Sender: <$email>\n";
    $headers .= "X-Mailer: PHP\n";
    $headers .= "X-Priority: 1\n";
    $headers .= "Return-Path: <$email>\n";

    if (strlen(getenv("HTTP_USER_AGENT")))
    {

       mail($recipient,
            $subject,
            $message,
            $headers);
    }

   header("location: success.php");

    break;
  }

Could be helpful. 🙂

motowater

if someone is spamming your forms, it will probably be from the same host. I would try restricting the max amounts of form requests in a given time based on the client's ip address, using either sessions or a database to check.

dalecosp

//the function escapeshellarg helps prevents users from entering malicous code into the form.

I might have to take issue with this statement. More accurate would probably be, "the function escapeshellarg help prevent some users from entering certain malicious code into the form", which should allow us to infer that some users are likely to be smart enough to find a means to exploit it.

I'd certainly attempt to tighten up security by doing some conditional testing using regular expressions. If you have samples of how they've been exploiting it, be sure and address those issues.

Also, I assume register_globals are OFF. Is this true?