Changing code to stop SPAM

RichT

Please can someone help.

I own a travel company with a website, where you can book online. Normally you would have to go through several pages to get to the booking online form, which would then send us an email with the information. We have however recently been experiencing a huge amount of SPAM mail coming through this channel. I queried this with the provider and they told me the following:

"A spammer will have found your script and will be using a script of their own to send spam through it.

If you ensure that the script only allows requests coming from a click through from another page on the site to result in an email being generated, then this should stop the spam. This means making the script check that the HTTP_REFERRER includes the site domain name"

I have been told this involves changing the code for my mail script, but as I didn't design the website I have no idea how to do this. I have looked at the PHP file and can see the email used, but do not want to change this as it is a main email address which we cannot do without.

Rich

mattm591

In my experience HTTP_REFERRER can be problematic as it relies on the browser sending that information, and not all do.

A way to get round your problem though is with an extra hidden value on the original form.

If you put in this on the page which was submitted to get to your php code (within the <form> tags),

<input name="sent" type="hidden" value="true">

Then on the page you don't want to be spammed place this at the top,

if(!isset($_POST['sent'])){
echo "Do not spam me!";
}

This should work the way you want it to.

leatherback

this is completely unreliable too, as most 'real' spammers are bots, who will analyze your page for hidden variables.

The best practice at the moment is to create a random code in an image, which is also stored server-side (e.g., in a session or a table). The user is asked to input this value when sending something. If they do not fill it out, you either send an error back, or you silently let the processing script fail.

However, this requires significant re-design of your page. If you ahve no experience doing this, your safest bet would be to ask a friend who knows PhP, or make very good backup of your original files.

edit: I had a search. Have a look here: http://www.sitepoint.com/article/toughen-forms-security-image

MarkR

I recommend the following:

Install an messages per day per IP address limit on the form
Require a Javascript-supplied field in the form
Have two checkboxes on the page, one labelled "I am a robot", another "I am a human". Require the "I am a robot" to be off and "I am a human" on.
Require the word "panda" to be entered into a particular field.

All of these will stop lame bots, but will allow all but the lamest humans.

Mark

sneakyimp

it would be helpful to see your php code. the problem is probably there. if they can use your page to send email to whoever they want, then they are probably putting newline characters in the form inputs and adding additional headers to CC or BCC whomever they please.

the recommendation from your server provider is probably a good one. given that the form has several pages, you can do this on the previous pages:

// PUT THIS AT THE TOP OF YOUR FILE
session_start();
$_SESSION['page_1'] = 1;

repeat that on all the subsequent pages of your form setting values for page_2, page_3, etc.

then on the page that actually sends the mail, you can make sure a visitor visited all the other pages by doing this:

if ($_SESSION['page_1'] !== 1) {
  die('STOP SPAMMING ME');
}
if ($_SESSION['page_2'] !== 1) {
  die('STOP SPAMMING ME');
}
// etc.

then after you have sent the mail you should unset all those session vars:

unset($_SESSION['page_1'];
unset($_SESSION['page_2'];
// etc.

BE WARNED that setting a session variable and having it show up on subsequent page accesses is in some rare cases a tricky business. HTTP is a 'stateless' protocol. This means the server doesn't know who the heck is visiting any given page at any given time unless that user presents them with a unique character string or number known as a SESSION ID. Generally speaking, your server/php has to either put the session id in a cookie or append the session id to every URL on your site if the user has cookies turned off.