How To Stop Spammers Using Your Feedback Form
Leaving your feedback form unsecured can expose it to spammers, potentially allowing them to send junk mail to anyone while making it appear to have originated from you. In the worst case this could get your domain blacklisted by many mail servers.
The Solution
Luckily there are a few things you can do to make your feedback form much harder to exploit. The main technique spammers use is to try to insert bcc: headers via the feedback form. Say, for example, you have a feedback form with a message field and an email field, which is passed without any validation to a PHP script that does something similar to the following:
mail('you@yourdomain.com', 'Feedback', $_POST['message'], 'From: '.$_POST['email']);
If the spammer can submit "fake@address.com%0ABcc:recipient1@domain.com,recipient2@domain.com" in the email address field of your form, then whatever they type in the message box will be sent not only to you but to all of the listed recipients as well. What if hundreds or thousands of bcc: recipients are listed?
A few extra lines of code can solve this problem and eliminate the majority of attacks on your forms. The following simply removes all occurrences of bcc:, cc:, to: or content-type: headers so that the content of the form can only be submitted to you and not to anyone else.
$find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
$message = preg_replace($find, '', $_POST['message']);
$email = preg_replace($find, '', $_POST['email']);
mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email);
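As an added example (not code from the original article), here is a stricter check than the header-name blacklist above: since an injected header can only begin on a new line, reject any From address that contains a carriage return or line feed, and additionally require it to be a syntactically valid address. The function names and sample inputs are constructed for this illustration.

```php
<?php
// Added example, not the article's own code: reject header injection
// instead of stripping header names. An injected header can only begin
// on a new line, so a From value containing CR or LF is never legitimate.

function headerValueIsSafe(string $value): bool
{
    // %0D / %0A in the form post arrive here already decoded as "\r" / "\n".
    return preg_match('/[\r\n]/', $value) === 0;
}

function senderIsValid(string $email): bool
{
    // A syntactically valid address cannot span lines, so this rejects the
    // injection case as well as ordinary garbage input.
    return headerValueIsSafe($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function sendFeedback(string $to, string $email, string $message): bool
{
    if (!senderIsValid($email)) {
        // Refuse the submission rather than "cleaning" it and sending anyway;
        // the rejected value is worth logging for your own blacklist.
        error_log('Feedback form: rejected From address ' . json_encode($email));
        return false;
    }
    // The body may legitimately contain newlines; only the headers are sensitive.
    return mail($to, 'Feedback', $message, 'From: ' . $email);
}

// Constructed inputs: the article's injection payload as PHP sees it after
// the form post is decoded, and a normal address.
$samples = [
    "fake@address.com\nBcc:recipient1@domain.com,recipient2@domain.com",
    'visitor@example.com',
];

foreach ($samples as $email) {
    echo json_encode($email), ' => ',
        senderIsValid($email) ? 'accepted' : 'rejected', PHP_EOL;
}
```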
IP Addresses
You may also wish to capture the IP address of the person submitting the form.
// The X-Forwarded-For header is supplied by the client or a proxy and can be forged; REMOTE_ADDR is the actual TCP peer.
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email."\nX-From-IP: ".$ip);
This could be used to create your own 'blacklist' once you know the IP addresses of any offenders. The message is then only sent if the IP is not in your banned list:
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$banned_ip = array('195.99.99.99', '137.11.11.11');
if (!in_array($ip, $banned_ip)) {
    mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email."\nX-From-IP: ".$ip);
}
For more ways of protecting your forms, why not take a look at our page on Security Images.
This article is copyright protected ©
White Hat Web Design have created the above article to help our web readers better understand the Internet and web applications. Whilst we are happy for anyone to link back to this page, we will not accept any copying of its content or publication in any medium without written permission from White Hat Web Design.
Please link back using the URL http://www.white-hat-web-design.co.uk/articles/form-spam.php or contact us