[nycphp-talk] Preventing spam with php mail function

Lars Gelfan ldgphp at
Thu Feb 23 16:20:06 EST 2006

It's hard to know exactly what you mean by "exploiting the php mail
function" but Chris made some excellent suggestions.

If it's an issue of you including the email address as a hidden field (or
using "mailto" links anywhere on your site), then, yes that is an easy way
for bots to harvest the addresses. You should never include your email
addresses in a hidden form field, especially if that makes it possible for
someone to easily alter the form and use your server to send out spam. From
what I can tell, however, it sounds like the main problem is your company is
getting too much mail, not that someone is using your form as a relay.

If you are getting flooded with fake form submissions, there are multiple
strategies you can do, some of which were already mentioned, and the best
plan usually involves both client-side as well as server-side solutions.

One thing I might caution about using the HTTP_REFERER method is that many
"privacy" software applications filter this out (as I found out the hard way
on an e-commerce site once) and could prevent legit submissions. Certainly a
mix of cookies, session tracking, ip logging, "captchas", etc. would prevent
submission flooding.

And you can use JavaScript functions to replace "mailto" links to at least
slow down bot email harvesting.


On 2/23/06 3:50 PM, "Halter, Shari" <SHalter at> wrote:

> Chris,
> Thanks so much for your very thorough advice.
> There is no good scripting method or practice, then, that is better to use,
> like validation or using include files instead of building the php code into
> the form, itself?  (I've heard this could prevent some bots from sniffing
> out the mail details.)
> Shari


L A R S  G E L F A N
lars at
o: 212.267.5012
m: 917.554.4593

More information about the talk mailing list