[nycphp-talk] Preventing spam with php mail function

Halter, Shari SHalter at
Thu Feb 23 15:50:00 EST 2006


Thanks so much for your very thorough advice.  

There is no good scripting method or practice, then, that is better to use,
like validation or using include files instead of building the php code into
the form, itself?  (I've heard this could prevent some bots from sniffing
out the mail details.)


We've Moved!

Our new address is 51 Madison Avenue, New York, NY 10010.
Our telephone and fax numbers remain the same.

Shari L. Halter
Web Programmer
Thornton Tomasetti
51 Madison Avenue
New York, NY  10010
T 917.661.7800  F 917.661.7801  
D 917.661.7970  
SHalter at

-----Original Message-----
From: csnyder [mailto:chsnyder at] 
Sent: Thursday, February 23, 2006 3:00 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Preventing spam with php mail function

On 2/23/06, Halter, Shari <SHalter at> wrote:
> I have just joined this mailing list, and hope to attend the next 
> meeting on Tuesday.  I hope this question is not too rudimentary for this
> Is there a widely-accepted solution to prevent spammers from 
> exploiting the php mail function (as forwarded from HTML forms, for 
> instance)?  I have seen several out there, but is there any particular 
> approach that is considered best?  The less elaborate, the better --I 
> don't really need Pentagon level
> security-- but right now there is nothing and the site owners are 
> getting swamped with spam.
> I would appreciate any quick pointers you could offer.
> Shari Halter

The best antidote for spam is, first and foremost, a good spam filter on the
email server. Maybe that's not the answer you're looking for, but it is
actually pretty hard to prevent scripts or dedicated humans from POSTing to
a public form on a website.

Aside from filtering messages on the email end, there are some things you
could try to make it harder to spam the form, or not worth the

1) remove the incentive. Why are people spamming your contact form?
What's in it for them? Do you post the submissions somewhere? Are the owners
a high-value spam target? Can a spammer craft a form submission so that it
gets sent to multiple recipients? Perhaps the form can be changed to be less
of a spam magnet.

2) require a valid HTTP_REFERER on form submission. This is easy for a
spammer to spoof, but they might decide not to bother. Only prevents
scripted abuse.

3) require the poster to decipher a captcha (words encoded as an image, like
Yahoo! uses on registration) Again, there are workarounds for spammers, but
would they bother?

4) Capture the IP address of the poster as part of the submission, and use
php or firewall to block the abusers. This only works if they're not

I think a lot of people put up HTML contact forms a few years back thinking
that it would somehow protect them from spam, but it doesn't.

Chris Snyder
New York PHP Community Talk Mailing List
New York PHP Conference and Expo 2006
Show Your Participation in New York PHP

The information in this email and any attachments may contain
confidential information that is intended solely for the
attention and use of the named addressee(s).  This message or
any part thereof must not be disclosed, copied, distributed or
retained by any person without authorization from the addressee.
If you are not the intended addressee, please notify the sender
immediately, and delete this message. 

More information about the talk mailing list