Feedback form (php) got spammed..
Help... how do I prevent spam through the feedback form? (php)
Do proper validation on the variable that you put in the "from" section of the PHP mail function.
Just replace any \n in the variable with an empty string.
Do proper validation on the variable that you put in the "from" section of the PHP mail function.
Just replace any \n in the variable with an empty string.
I did some validation:
if (feedbackform.Email.value == "")
{
    alert("Please enter a value for the \"Email\" field.");
    feedbackform.Email.focus();
    return false;
}
CAPTCHA might help.
Like this?
http://www.zubrag.com/scripts/antispam-image-generator.php
BTW... I have captured some of these spammers' IP addresses... how should I put them in the PHP form to block them from filling in the form?
if (feedbackform.Email.value == "")
{
    alert("Please enter a value for the \"Email\" field.");
    feedbackform.Email.focus();
    return false;
}
The above is JavaScript, which is executed in the client's browser; the validation needs to be done on the server side in PHP. Just validating for an empty value does not help; this is where the BCC injection happens. You need to allow only valid email characters and nothing else.
Here is sample code in PHP that will do the trick to stop BCC injection. The following sample code detects whether the sender name, sender email or recipient email contains a "\n" (newline) character, which should not appear in a name or email, and stops executing the script.
$sender_name = $_REQUEST["sender_name"];
$sender_email = $_REQUEST["sender_email"];
$recipient_email = $_REQUEST["recipient_email"];
// A mail header line ends at CR or LF, so either character lets a submitted
// value start a new header (e.g. "Bcc:"); check for both, not only "\n".
// strpos() returns false when the character is absent, so compare with !==
// (a match at offset 0 would otherwise be mistaken for "not found").
foreach (array($sender_name, $sender_email, $recipient_email) as $value) {
    if (strpos($value, "\n") !== false || strpos($value, "\r") !== false) {
        exit;
    }
}
BTW... I have captured some of these spammers' IP addresses... how should I put them in the PHP form to block them from filling in the form?
IP addresses can be changed. :)
Like this?
http://www.zubrag.com/scripts/antispam-image-generator.php
Yup, it's useful. I also use it, but in the ASP version, since my site is built in ASP. :)
hkloo@Netsarius
15-04-2008, 12:34
Checking the sender/recipient email is not enough. Checking the referral domain/IP is more secure. Normally, I have one form, say contact.html, which posts to email.php. email.php can check the referral URL or domain to make sure it is valid. Most spammers connect directly to your email.php, thus bypassing your checks in client-side JavaScript. Even with sender/recipient checking, they can send these in the script.
So, server-side checking + referral limit + image verification should cut down 90% of your problems.
This is what the code in my feedback form looks like:
if (trim($_POST["txtEmail"]) != "")
{
    // eregi() was removed in PHP 7; stripos() gives the same case-insensitive test.
    if (stripos($_POST["txtEmail"], "Content-Type:") !== false || stripos($_POST["txtEmail"], "MIME-Version:") !== false)
    {
        echo '<span class="default">Please *DO NOT* try to abuse this function to SPAM other people! I know you are smart so use your brain for something useful! Your IP {' . $_SERVER['REMOTE_ADDR'] . '} has been recorded.</span><br><br>';
        mail('admin@yourdomain.com', 'Spammer Bot Attempt', $_SERVER['REMOTE_ADDR']);
    }
    else
    {
        // The D modifier makes $ match only at the very end of the string; without it
        // PCRE also lets $ match before a trailing newline, so "a@b.com\n" would pass
        // and reach the From: header below.
        $emailPattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/iD';
        if (!preg_match($emailPattern, $_POST["txtEmail"]))
        {
            echo '<span class="default">Invalid e-mail address!</span><br><br>';
        }
        else
        {
            // $feedback is assumed to hold the message text read from the form earlier in the script.
            mail('feedback@youremail.com', "FeedBack", $feedback, "From: " . $_POST["txtEmail"]);
            echo '<span class="default">Thank you for your feedback</span><br><br>';
        }
    }
}
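The two replies above (the newline check and the feedback script) each cover one piece of the problem. The following is an added example, not code from any post in this thread, that gathers those checks into one server-side validation function: reject CR/LF and injected header names in the sender address, validate the address with an anchored pattern, compare the Referer host as the reply suggests, and cap the number of copy recipients. The field names (txtEmail, txtMessage, txtCopyTo), the function names, and the feedback@example.com destination are assumptions, and the self-check at the bottom runs on constructed inputs without a mail server.

```php
<?php
// Added example; not code from any post in this thread.
// Field names (txtEmail, txtMessage, txtCopyTo) and function names are assumptions.

// CR or LF ends a header line in SMTP; either one lets a submitted value start a
// new header (Bcc:, Content-Type: ...) inside the From: line. Reject, don't strip.
function contains_header_break(string $value): bool
{
    return strpos($value, "\r") !== false || strpos($value, "\n") !== false;
}

// Header names that never belong inside a sender address.
function contains_injected_header(string $value): bool
{
    return preg_match('/(^|[\r\n])\s*(bcc|cc|to|from|content-type|mime-version)\s*:/i', $value) === 1;
}

// Anchored address check. The D modifier matters: without it PCRE's `$` also
// matches just before a trailing newline, so "user@example.com\n" would pass.
function is_valid_email(string $email): bool
{
    return preg_match('/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/iD', $email) === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Referer check from the thread. The header is client-supplied and missing in
// many browsers, so this is a nuisance filter, never the only gate.
function referer_matches_host(array $server): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $server['HTTP_HOST'] ?? '') === 0;
}

// Validates a submission and returns ['ok' => bool, 'reason' => string,
// 'headers' => string]. Only 'ok' submissions should ever reach mail().
function validate_feedback(array $post, array $server, int $max_copies = 1): array
{
    $email  = (string) ($post['txtEmail'] ?? '');
    $copies = (array) ($post['txtCopyTo'] ?? []);   // optional "send me a copy" list
    $reject = function (string $reason): array {
        return ['ok' => false, 'reason' => $reason, 'headers' => ''];
    };

    if (!referer_matches_host($server)) {
        return $reject('referer does not match host');
    }
    if (contains_header_break($email) || contains_injected_header($email)) {
        return $reject('header injection in txtEmail');
    }
    if (!is_valid_email($email)) {
        return $reject('invalid address');
    }
    // Cap the number of copy recipients and validate every one of them.
    if (count($copies) > $max_copies) {
        return $reject('too many copy recipients');
    }
    foreach ($copies as $copy) {
        $copy = (string) $copy;
        if (contains_header_break($copy) || !is_valid_email($copy)) {
            return $reject('invalid copy recipient');
        }
    }
    // Every value in the headers is now a single validated address.
    $headers = "From: {$email}\r\n";
    if (count($copies) > 0) {
        $headers .= 'Cc: ' . implode(', ', $copies) . "\r\n";
    }
    return ['ok' => true, 'reason' => '', 'headers' => $headers];
}

function send_feedback(array $post, array $server): bool
{
    $result = validate_feedback($post, $server);
    if (!$result['ok']) {
        error_log('feedback rejected (' . $result['reason'] . ') from ' . ($server['REMOTE_ADDR'] ?? '?'));
        return false;
    }
    return mail('feedback@example.com', 'FeedBack', (string) ($post['txtMessage'] ?? ''), $result['headers']);
}

// Constructed inputs for a quick self-check from the command line.
if (PHP_SAPI === 'cli') {
    $server = ['HTTP_HOST' => 'www.example.com', 'HTTP_REFERER' => 'http://www.example.com/contact.html'];
    $cases = [
        'clean'           => ['txtEmail' => 'user@example.com', 'txtMessage' => 'hello'],
        'bcc injection'   => ['txtEmail' => "user@example.com\nBcc: victim@example.net", 'txtMessage' => 'x'],
        'too many copies' => ['txtEmail' => 'user@example.com', 'txtMessage' => 'x',
                              'txtCopyTo' => ['a@example.com', 'b@example.com']],
    ];
    foreach ($cases as $name => $post) {
        $r = validate_feedback($post, $server);
        printf("%-16s ok=%-3s %s\n", $name, $r['ok'] ? 'yes' : 'no', $r['reason']);
    }
    // The D modifier alone stops a trailing newline, even before the CR/LF check.
    printf("%-16s ok=%s\n", 'trailing newline', is_valid_email("user@example.com\n") ? 'yes' : 'no');
}
```

Run with `php feedback.php` to see the clean case accepted and the injection, recipient-cap and trailing-newline cases refused; in a web context call `send_feedback($_POST, $_SERVER)` and treat a `false` return as a rejected submission, logging the reason rather than echoing the submitted value back to the client.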
Help... how do I prevent spam through the feedback form? (php)
1. Add the CAPTCHA code, as mentioned by ahnah, to block robotic spam.
2. Restrict the number of email addresses that can receive a copy.
3. Validate all the email addresses.
4. If you can, use a mail server that can restrict the number of emails per hour and can also do a reverse DNS check before delivering the email.
vBulletin® v3.5.6, Copyright ©2000-2010, Jelsoft Enterprises Ltd.