I've been working on an anti-spam email PHP script for one of the sites I'm developing. The script is designed to be a generic script which can be reused across multiple sites.

It works in multiple stages:

  1. Sending form must send a returning url variable. If it does not, the script shows a general error. This is intended to prevent cross site scripting hacks.

  2. HTTP_REFERER must be in an allowed array which I maintain. If HTTP_REFERER is null or is not contained in this array, an error is returned.

  3. Email address must be syntactically valid, otherwise an error is returned.

  4. REMOTE_ADDR is checked against a blacklist of known spammer IPs. If the REMOTE_ADDR is in the list, an error is returned.

  5. All fields are checked for spam keywords against a list of common spam words. If any spam words are found, the IP is added to the blacklist and an error is returned.

  6. Finally, the recipient address is hard coded so emails come to me and me only.

Now... I'm after feedback on how this works. Am I going overboard? Are there any additional security measures that I should be taking? I have considered adding a hash key system to the script; would this be overkill?

    Overkill maybe. This is email being generated by a form? Who sees the form to send the email in the first place? Who gets the email sent by the form?

    If this is to deal with form-based emails, and what you are trying to resist is a form-sending spambot, why not just password protect the form with one of those 'type the letters in this distorted image' dealies? That slows the spambots down.

      The email is sent from a form. The form is visible to anyone and everyone. The emails come only to me. But I've been receiving dozens of spams a day from this form, so I was looking to toughen it up.

      I thought about using a Captcha system to slow down the bots, but I personally hate those things and I'd rather not subject users of the form to the inconvenience. Plus, I've seen spam bots recently that can get around them.

        Any user-supplied data that will be used in any of the mail() arguments other than the "message" argument should be "sanitized" for any mail header injections. This can be done by looking for "\r" and "\n" in those fields, and also checking for a string length greater than the maxlength of the field in question.
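
The stages from the opening post together with the CR/LF and length check suggested in the reply above, as an added PHP example. This is not khendar's script and not PHPMailer code; the function names (`sanitizeHeaderField`, `validateSubmission`), the form field names (`return_url`, `email`, `subject`, `message`), the fixed recipient, and the sample referer, IP addresses and keyword list are all assumed or constructed for illustration.

```php
<?php
// Added example, not the poster's script: a minimal version of the checks
// described in the thread, plus CR/LF rejection for header-bound fields.

/**
 * Validate a value destined for a mail header (From, Subject, Reply-To, ...).
 * Returns the value unchanged on success; throws on CR/LF or excessive length.
 */
function sanitizeHeaderField(string $value, int $maxLength): string
{
    // A CR or LF inside a header value ends that header line and lets extra
    // header lines be appended, so refuse the value rather than trying to repair it.
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('Header field contains a line break');
    }
    // Browsers honour the form's maxlength; bots do not, so re-check it server side.
    if (strlen($value) > $maxLength) {
        throw new InvalidArgumentException('Header field exceeds maximum length');
    }
    return $value;
}

/**
 * Run one submission through the six stages the thread describes.
 * Returns ['ok' => true, 'to' => ...] or ['ok' => false, 'error' => ..., 'blacklist_ip' => ...].
 */
function validateSubmission(array $post, array $server, array $allowedReferers,
                            array $blacklistedIps, array $spamWords): array
{
    // Stage 1: the sending form must supply its return URL.
    if (empty($post['return_url'])) {
        return ['ok' => false, 'error' => 'Missing return URL'];
    }
    // Stage 2: HTTP_REFERER must be in the allowed list. (As a later reply notes,
    // some legitimate clients send no referer at all, so expect false positives.)
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '' || !in_array($referer, $allowedReferers, true)) {
        return ['ok' => false, 'error' => 'Request did not come from an allowed page'];
    }
    // Stage 3: the sender address must be syntactically valid.
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'Invalid email address'];
    }
    // Stage 4: the client IP must not already be blacklisted.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (in_array($ip, $blacklistedIps, true)) {
        return ['ok' => false, 'error' => 'Sender is blacklisted'];
    }
    // Stage 5: keyword scan over every field; a hit reports the IP for blacklisting.
    foreach ($post as $field => $value) {
        foreach ($spamWords as $word) {
            if (stripos((string) $value, $word) !== false) {
                return ['ok' => false, 'error' => "Spam keyword in field '$field'", 'blacklist_ip' => $ip];
            }
        }
    }
    // Header-bound fields: reject CR/LF and over-long values before they reach the mailer.
    // Limits are assumed values matching hypothetical form maxlength attributes.
    try {
        sanitizeHeaderField($post['email'], 254);
        sanitizeHeaderField($post['subject'] ?? '', 100);
    } catch (InvalidArgumentException $e) {
        return ['ok' => false, 'error' => $e->getMessage(), 'blacklist_ip' => $ip];
    }
    // Stage 6: the recipient is fixed in code and never taken from the form.
    return ['ok' => true, 'to' => 'owner@example.com'];
}

// Constructed sample inputs (not real submissions or real addresses).
$allowed   = ['https://www.example.com/contact.php'];
$blacklist = ['198.51.100.7'];
$spamWords = ['viagra', 'casino'];
$server    = ['HTTP_REFERER' => 'https://www.example.com/contact.php', 'REMOTE_ADDR' => '203.0.113.5'];

$clean = validateSubmission(
    ['return_url' => '/thanks.php', 'email' => 'user@example.org', 'subject' => 'Hello', 'message' => 'Hi there'],
    $server, $allowed, $blacklist, $spamWords);

$injected = validateSubmission(
    ['return_url' => '/thanks.php', 'email' => 'user@example.org',
     'subject' => "Hello\r\nX-Injected-Header: test", 'message' => 'Hi there'],
    $server, $allowed, $blacklist, $spamWords);

var_dump($clean['ok']);
var_dump($injected['ok']);
echo $injected['error'], "\n";
```

The second sample submission carries a CR/LF pair inside the subject; `sanitizeHeaderField` refuses it before anything is handed to the mailer, and the result includes the client IP so the caller can append it to the blacklist as stage 5 does for keyword hits.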

          I should have mentioned that I am using the PHPMailer class for actually sending the email. I foolishly assumed that this has built-in sanitisation of the fields to prevent injection attacks, but now I realise it's not mentioned anywhere in the documentation. I guess I should test it to make sure this is the case.

            I think PHPMailer does this via its EncodeHeader() method.

              I think you might be right. I'll add some sanitisation to it anyway.

              It seems to be working, I've not received the usual stream of emails I was getting, and there are two new IP addresses in the blacklist 🙂

              Does anyone know of a good comprehensive list of spam keywords and known spammer IPs?

                khendar wrote:
                1. Sending form must send a returning url variable. If it does not, the script shows a general error. This is intended to prevent cross site scripting hacks.

                I'm not sure I understand this one. A robot will follow a link on some other page, therefore it will supply the same query string as a browser.

                2. HTTP_REFERER must be in an allowed array which I maintain. If HTTP_REFERER is null or is not contained in this array, an error is returned.

                This will give false positives. Many legitimate users will send no HTTP_REFERER.

                3. Email address must be syntactically valid, otherwise an error is returned.

                Reasonable practice, but it won't stop any spammers. All spam bots always populate every email field with a random syntactically valid email address.

                4. REMOTE_ADDR is checked against a blacklist of known spammer IPs. If the REMOTE_ADDR is in the list, an error is returned.

                Won't stop a lot of spammers. Most use zombie networks and/or open proxies. Might stop a few lamers.

                5. All fields are checked for spam keywords against a list of common spam words. If any spam words are found, the IP is added to the blacklist and an error is returned.

                Sounds like a reasonable idea. How long do you blacklist them for?

                6. Finally, the recipient address is hard coded so emails come to me and me only.

                Be sure that the subject and/or other fields are not susceptible to header injection.

                khendar wrote:
                I have considered adding a hash key system to the script, would this be overkill?

                I don't know what you mean.

                Mark
