[nycphp-talk] Preventing spam with php mail function

csnyder chsnyder at
Thu Feb 23 15:00:16 EST 2006

On 2/23/06, Halter, Shari <SHalter at> wrote:
> I have just joined this mailing list, and hope to attend the next meeting on
> Tuesday.  I hope this question is not too rudimentary for this group.
> Is there a widely-accepted solution to prevent spammers from exploiting the
> php mail function (as forwarded from HTML forms, for instance)?  I have seen
> several out there, but is there any particular approach that is considered
> best?  The less elaborate, the better --I don't really need Pentagon level
> security-- but right now there is nothing and the site owners are getting
> swamped with spam.
> I would appreciate any quick pointers you could offer.
> Shari Halter

The best antidote for spam is, first and foremost, a good spam filter
on the email server. Maybe that's not the answer you're looking for,
but it is actually pretty hard to prevent scripts or dedicated humans
from POSTing to a public form on a website.

Aside from filtering messages on the email end, there are some things
you could try to make it harder to spam the form, or not worth the

1) remove the incentive. Why are people spamming your contact form?
What's in it for them? Do you post the submissions somewhere? Are the
owners a high-value spam target? Can a spammer craft a form submission
so that it gets sent to multiple recipients? Perhaps the form can be
changed to be less of a spam magnet.

2) require a valid HTTP_REFERER on form submission. This is easy for a
spammer to spoof, but they might decide not to bother. Only prevents
scripted abuse.

3) require the poster to decipher a captcha (words encoded as an
image, like Yahoo! uses on registration) Again, there are workarounds
for spammers, but would they bother?

4) Capture the IP address of the poster as part of the submission, and
use php or firewall to block the abusers. This only works if they're
not distributed.

I think a lot of people put up HTML contact forms a few years back
thinking that it would somehow protect them from spam, but it doesn't.

Chris Snyder

More information about the talk mailing list