How To Stop Spammers Using Your Feedback Form
Not securing your feedback form can leave it open to spammers, possibly allowing
them to send junk mail to anyone, with the mail appearing to have originated from
you. In the worst case this could see your domain blacklisted by many mail
servers.
The Solution
Luckily there are a few things you can do to make your feedback form a lot
harder to exploit. The main technique spammers use is to try to insert bcc:
headers through the form's fields. Say, for example, you have a feedback form
with a message field and an email field, and the submission is passed without
any validation to a PHP script that does something similar to the following:
mail('you@yourdomain.com', 'Feedback', $_POST['message'], 'From: '.$_POST['email']);
If the spammer can send "fake@address.com%0ABcc:recipient1@domain.com,recipient2@domain.com"
in the email address field on your form (%0A is a URL-encoded line feed, which
starts a new header line), then whatever they type in the message box will be
sent not only to you but to all those listed recipients as well. What if
hundreds or thousands of bcc: recipients are listed?
A few extra lines of code and this problem can be solved, eliminating the majority
of attacks on your forms. The following simply removes all occurrences of
bcc:, cc:, to: or content-type: headers so that the content of the form can
only be submitted to you and not to anyone else.
$find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
$message = preg_replace($find, '', $_POST['message']);
$email = preg_replace($find, '', $_POST['email']);
mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email);
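The same protection as an added example (not the original post's code), with the check turned around: rather than stripping known header names, refuse any header value that contains a line break and validate the email address, since a strip list like the one above does not cover headers such as Reply-To. The From address feedback@yourdomain.com and the helper function names are assumptions:

```php
<?php
// Added example, not the original post's code. Instead of stripping known
// header names, reject any header value containing CR, LF or NUL: those are
// the characters that let "fake@address.com%0ABcc:..." start a new header,
// and the same trick works with headers a strip list does not cover.

// True when $value cannot terminate a header line and start another.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// True when $email is a single, well-formed address safe to place in a header.
function is_valid_sender(string $email): bool
{
    return is_safe_header_value($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the mail() arguments for a form submission, or null when the
// submission must be dropped. $post is the decoded form data (e.g. $_POST).
function build_feedback_mail(array $post): ?array
{
    $email   = trim((string) ($post['email'] ?? ''));
    $message = (string) ($post['message'] ?? '');

    if (!is_valid_sender($email)) {
        return null; // log it server-side; show the visitor a generic error
    }

    // Keep From on your own domain (feedback@yourdomain.com is an assumed
    // address) and put the visitor in Reply-To, so the mail passes your own
    // SPF/DMARC checks and the form cannot be used to impersonate the visitor.
    $headers = "From: feedback@yourdomain.com\r\n"
             . "Reply-To: " . $email . "\r\n";

    return array('you@yourdomain.com', 'Feedback', $message, $headers);
}

// Constructed inputs: the injection string from the article and a clean one.
$attack = array('email' => "fake@address.com\nBcc:recipient1@domain.com,recipient2@domain.com",
                'message' => 'spam');
$clean  = array('email' => 'visitor@example.com', 'message' => 'Nice site!');

var_dump(build_feedback_mail($attack) === null);
var_dump(build_feedback_mail($clean)[3]);
```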
IP Addresses
You may also wish to capture the IP address of the person sending the form.
// PHP exposes the X-Forwarded-For request header as HTTP_X_FORWARDED_FOR. It is
// supplied by the client or an upstream proxy, so treat it as untrusted input.
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email."\nX-From-IP:".$ip);
This could be used to create your own ‘blacklist’ once you know the IP address
of any offenders. The message is then only sent if the address is not in your
banned IP list:
// A client can set X-Forwarded-For itself, so a ban keyed on that header is only
// reliable when it is set by your own proxy; REMOTE_ADDR cannot be spoofed that way.
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$banned_ip = array('195.99.99.99', '137.11.11.11');
if (!in_array($ip, $banned_ip)) {
    mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email."\nX-From-IP:".$ip);
}
Posted by admin on Thursday, February 4th, 2010