NYCPHP Meetup

[nycphp-talk] Preventing spam with php mail function

Lars Gelfan ldgphp at ldgmedia.com
Thu Feb 23 16:20:06 EST 2006


It's hard to know exactly what you mean by "exploiting the php mail
function" but Chris made some excellent suggestions.

If it's an issue of you including the email address as a hidden field (or
using "mailto" links anywhere on your site), then, yes that is an easy way
for bots to harvest the addresses. You should never include your email
addresses in a hidden form field, especially if that makes it possible for
someone to easily alter the form and use your server to send out spam. From
what I can tell, however, it sounds like the main problem is your company is
getting too much mail, not that someone is using your form as a relay.

If you are getting flooded with fake form submissions, there are multiple
strategies you can do, some of which were already mentioned, and the best
plan usually involves both client-side as well as server-side solutions.

One thing I might caution about using the HTTP_REFERER method is that many
"privacy" software applications filter this out (as I found out the hard way
on an e-commerce site once) and could prevent legit submissions. Certainly a
mix of cookies, session tracking, ip logging, "captchas", etc. would prevent
submission flooding.

And you can use JavaScript functions to replace "mailto" links to at least
slow down bot email harvesting.

-Lars




On 2/23/06 3:50 PM, "Halter, Shari" <SHalter at ThorntonTomasetti.com> wrote:

> Chris,
> 
> Thanks so much for your very thorough advice.
> 
> There is no good scripting method or practice, then, that is better to use,
> like validation or using include files instead of building the php code into
> the form, itself?  (I've heard this could prevent some bots from sniffing
> out the mail details.)
> 
> Shari


-- 

L A R S  G E L F A N
.....................
lars at ldgmedia.com
o: 212.267.5012
m: 917.554.4593




More information about the talk mailing list