TavoxPeru
Mar 28 2008, 09:35 PM
First of all, if this is not the correct place for this topic, please could an Admin move it accordingly. Recently I read at the PHPBuilder.com website this excellent article, Preventing spam when using PHP's mail function, which explains in a very easy way how to stop spammers from sending their spam from your own server. Generally speaking, almost all websites include some kind of contact form which is used to send emails with the PHP mail() function. This contact form can be used for a lot of purposes, for example to send comments or suggestions, to report problems on your website, to register users, etc., and it can be used and abused by spammers to send out their spam without your knowledge. This article is very easy to understand and to implement, and includes functions for checking valid emails and for preventing scripts from being exploited. You can use it as a good starting point to prevent this issue from happening, and I hope it helps somebody. Best regards,
yordan
Mar 29 2008, 05:17 PM
QUOTE
if this is not the correct place for this topic please an Admin move it accordingly.

No problem, I accept this post here. However, on the topic subject, I would like to understand something. Do you mean that you could send mails without this kind of contact form, and have your mail be received correctly?
TavoxPeru
Mar 30 2008, 10:43 AM
QUOTE(yordan @ Mar 29 2008, 12:17 PM)
No problem, I accept this post here. However, on the topic subject, I would like to understand something. Do you mean that you could send mails without this kind of contact form, and have your mail be received correctly?

Thanks, yordan, for moving it. I don't completely understand your question, but just in case, my answer is yes. For example, you have a page -form.php- with a contact form and other data in it, which when submitted goes to another page -mail.php- that receives all of the submitted data and then sends an email with the PHP mail() function as usual. For the sake of the example, this is the same code from the article without any kind of validation. The code of mail.php is:

CODE
<?php
$to = "bob@domain_example.com";
$subject = "Email from website";
$message = $_REQUEST["body"];
$email = $_REQUEST["email"];
$headers = "From: $email";

mail($to, $subject, $message, $headers);
echo "Thanks for submitting.";
?>

If you don't perform any kind of validation in either of these pages, then it is very easy for a spammer to send emails with your page, in this case with your mail.php page. How? It is very simple: first you only need to view the source code of your form to get the variable names and where it will be submitted. The first ones are all the elements of your form and the second one is the value of the ACTION property of the form. So, it is very easy to send a request like this:

http://your-domain.com/mail.php?body=gotcha&email=barbie@fake-domain.com%0Abcc:spam-1@some-domain.com,spam2@some-domain.com

to abuse it and send my spam. On the other hand, if you do some kind of validation, your pages will be a lot more secure and it will help you to prevent this situation. This is my code with some validation:

CODE
<?php
function contains_newlines($str_to_test) {
    if (preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
        echo "newline found in $str_to_test. Suspected injection attempt - mail not being sent.<br />";
        echo "here you must use the exit or die php functions to finish the script.<br /><br />";
        // exit;
    }
}

$to = "webmaster@gigasoft.astahost.com";
$subject = "Email from website";
$message = $_REQUEST["body"];
$email = $_REQUEST["email"];
$headers = "From: $email";

if ($_SERVER['REQUEST_METHOD'] != "POST") {
    echo "Unauthorized attempt to access page.<br />";
    echo "here you must use the exit or die php functions to finish the script.<br /><br />";
    // exit;
}

contains_newlines($email);

// mail($to, $subject, $message, $headers);
echo "to = $to<br />subject = $subject<br />body = " . $_REQUEST['body'] . "<br />message = $message<br />email = " . $_REQUEST['email'] . "<br />headers = $headers<br /><br />";
echo "mail ($to, $subject, $message, $headers)<br /><br />";
echo "Thanks for submitting.";
exit;
?>

You can test both of these issues by going to:
- My test mail page without any validation
- My test mail page with some validation

BTW, neither page really sends any email. Best regards,
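A hardened version of the mail.php handler discussed above, added here as an example; it is not code from the original post or from the PHPBuilder article. It keeps the field names (email, body) and the recipient from the vulnerable snippet, and adds a fixed sender address noreply@your-domain.com, which is a placeholder. Two points it makes beyond the check in the post: the visitor's address never becomes the From: header (it goes into Reply-To after validation, so the "From: x%0Abcc:..." trick has nowhere to land), and the CR/LF check looks for the raw bytes, because PHP has already decoded %0A/%0D by the time the value is in $_POST, so matching the percent-encoded form on its own catches nothing. Headers are passed to mail() as an array, which needs PHP 7.2 or later.

```php
<?php
// Added example, not from the original post: hardened replacement for mail.php.
// TO_ADDRESS and the field names come from the thread; FROM_ADDRESS is assumed.
declare(strict_types=1);

const TO_ADDRESS   = 'bob@domain_example.com';   // recipient, as in the thread
const FROM_ADDRESS = 'noreply@your-domain.com';  // assumed: fixed sender on your own domain
const MAX_BODY     = 4000;                       // assumed size cap for the message body

/**
 * A value that may end up inside a header must not contain CR or LF.
 * PHP URL-decodes %0A/%0D before filling $_POST, so test the raw bytes.
 */
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/** Validate the visitor's address; returns the address or null if unusable. */
function clean_email(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || has_header_injection($raw)) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * The visitor never controls From:. Their (validated) address only appears
 * in Reply-To, so the handler cannot be used to forge or add headers.
 */
function build_headers(string $replyTo): array
{
    return [
        'From'         => FROM_ADDRESS,
        'Reply-To'     => $replyTo,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
}

/** Returns the message to show the visitor; sends mail only when all checks pass. */
function handle_contact_form(array $server, array $post): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return 'Unauthorized attempt to access page.';
    }

    // email[]=... would arrive as an array; refuse anything that is not a string.
    $rawEmail = $post['email'] ?? '';
    $body     = $post['body'] ?? '';
    if (!is_string($rawEmail) || !is_string($body)) {
        http_response_code(400);
        return 'Malformed request - mail not being sent.';
    }

    $email = clean_email($rawEmail);
    if ($email === null) {
        http_response_code(400);
        return 'Invalid email address - mail not being sent.';
    }

    // The body legitimately contains newlines, but cap its size so the form
    // cannot be used to relay arbitrarily large messages.
    if (trim($body) === '' || strlen($body) > MAX_BODY) {
        http_response_code(400);
        return 'Message missing or too long - mail not being sent.';
    }

    $subject = 'Email from website'; // fixed: never taken from the request
    $sent = mail(TO_ADDRESS, $subject, $body, build_headers($email));
    return $sent ? 'Thanks for submitting.' : 'Mail could not be sent.';
}

echo handle_contact_form($_SERVER, $_POST);
```

Fed the request from the post (email=barbie@fake-domain.com%0Abcc:spam-1@some-domain.com,...), clean_email() returns null because the decoded value contains a newline, and nothing is sent; a GET request is refused before any field is read.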
yordan
Mar 30 2008, 12:07 PM
OK, now I see, thanks a lot Tavox.
Quatrux
Mar 30 2008, 10:21 PM
Well, by doing a little validation and even programming in a "good" way, these kinds of problems won't happen. Of course, I know one thing: when you do something for yourself or you're still learning, you try to do different things and do them quite well, but when you're working and doing it for somebody else, you don't always have time to do it in a very "perfect" way. The main thing for most clients is that it works; usually they don't care about the code, or what language it is, or how it's possible, and for that reason I really can say that there are lots of "bad" scripts/programs written out there, to get money and to make it work. I saw some really bad scripts, especially written in PHP; the main thing, as I said, is that they would work, and they do!

When things like frameworks appeared, it became a little safer for people who write their applications in Zend Framework or any other good framework: it is more secure, it saves time too and you have a better application. The bad thing about it, in my opinion, is that there are thousands of copies of, for example, Zend Framework in some library directory; they are there, even though only 4% of them are used.

To conclude, for example, I remember I always wanted to write "the best way" in my sites or CMS, and I even do today, but when I started doing something not for myself I understood that the main thing is to make it work. I still prefer to make a good application, though, but time is money; with experience I think most of them are still quite good, even written fast. I remember I thought that to write for others you need to comment and write it so that other people who might try to edit it would find it as easy as possible, but in most cases, if you wrote the application, the bigger chance is that they will ask you for support again and not any other guy, so you can write it in your style or however you like it.
TavoxPeru
Apr 1 2008, 12:48 AM
Yordan, no problem, and I'm glad that now you see it better. Quatrux, you are right, TIME IS MONEY, and when you work for someone else it is a thing that counts a lot; another thing that also counts a lot is that IT MUST WORK. Related to good and bad scripts, both of them will always exist and we can't do anything about them, but for ours, yes we can. I know that nothing is perfect and never will be, but I'm the kind of person that always tries to do my best in anything I do, and when it is about programming a bit more, because I know that I can improve my code. I think that it is better to first try in your personal projects and then apply the experience that you gain with them to your professional work, which pays the bills. BTW, my code posted here is too simple and I only made it for testing purposes; also, I know that it is not correctly coded, it is not complete, and I must complete and improve it shortly. So, please be honest with me and tell me what you think about it. Best regards,
iGuest-Muryam
Sep 8 2008, 08:52 AM
Is there any way to block incoming spam mails using a PHP script?

The script you provided is really good for blocking outgoing spam mails from the server on which your script is running, but how do you block the incoming spam mails on your server? Is there any useful script for that also? Regards, Muryam
magiccode9
Dec 10 2008, 11:19 PM
A few weeks ago I saw an article stating that the use of regular expressions is not necessarily safe for validating an email address (sorry, I forgot the web address). So, do you think adding some hidden fields with dynamically generated values would help a bit? Also, do these fields really help for these checks? --- Magiccode9
FirefoxRocks
Dec 10 2008, 11:49 PM
Hidden fields are not useful because an attacker could still alter/inject data into the data sent through hidden fields. The best way is to do all of this on the server.
magiccode9
Dec 11 2008, 04:11 PM
If hidden fields are not safe and all checking should be done server-side, what's the best way to check it? Is this kind of checking enough? Like:

CODE
<?php
$username = isset($_POST['username']) ? $_POST['username'] : null;

// do some other character replacement

// finally, escape single quotes etc. with slashes; when magic_quotes_gpc is on,
// PHP has already added them to the input, so only add them when it is off
if (!get_magic_quotes_gpc()) {
    $username = addslashes($username);
}
?>

Thanks, --- Magiccode9
TavoxPeru
Jan 29 2009, 07:39 AM
I don't completely agree with FirefoxRocks, because despite the fact that hidden fields can be useful, at the same time they can be exploited by an attacker. If used, it is best to use them in forms with the POST method and do the validation on the server side. @magiccode9: your code is fine, but I recommend doing a quick search on the forums because I know that there are a lot of topics related to this subject. For example, these are some topics that can be helpful: @Bermuntas: you are welcome. Best regards,
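The dynamically generated hidden field magiccode9 asked about, done the way TavoxPeru describes: POST only, with the real check on the server. This is an added example, not code from any post in the thread; the field name form_token and the 15-minute lifetime are assumptions. The hidden value is only a handle to something the server remembers in the session, so an attacker who reads the form source can copy a token but cannot mint one, a token works once, and comparison is constant-time. The form and its handler are shown in one file for brevity.

```php
<?php
// Added example, not from the original posts: a session-bound form token.
// Field name "form_token" and TOKEN_TTL are assumptions.
declare(strict_types=1);

const TOKEN_TTL = 900; // assumed: seconds a rendered form stays valid

/** Mint a token, remember it server-side, return it for the hidden field. */
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$token] = time();
    return $token;
}

/**
 * Accept a submitted token only if the server issued it, it has not expired,
 * and it has not been used before. Expired tokens are purged as they are seen.
 */
function consume_form_token(array &$session, string $submitted): bool
{
    $now = time();
    foreach ($session['form_tokens'] ?? [] as $token => $issued) {
        if ($now - $issued > TOKEN_TTL) {
            unset($session['form_tokens'][$token]); // expired
            continue;
        }
        // hash_equals(known, user): constant-time, and the key is cast because
        // PHP turns purely numeric string keys into ints
        if (hash_equals((string) $token, $submitted)) {
            unset($session['form_tokens'][$token]); // single use
            return true;
        }
    }
    return false;
}

session_start();

// Anything but POST renders the form with a fresh token in a hidden field.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    $token = issue_form_token($_SESSION);
    echo '<form method="post" action="">',
         '<input type="hidden" name="form_token" value="',
         htmlspecialchars($token, ENT_QUOTES, 'UTF-8'), '">',
         '<input type="email" name="email">',
         '<textarea name="body"></textarea>',
         '<button>Send</button>',
         '</form>';
    exit;
}

// POST: the token check runs before any field is looked at or mail() is called.
$submitted = $_POST['form_token'] ?? '';
if (!is_string($submitted) || !consume_form_token($_SESSION, $submitted)) {
    http_response_code(400);
    exit('Form token missing, expired or already used - mail not being sent.');
}

// From here, validate the email and body and call mail() as the thread describes.
echo 'Token accepted.';
```

A caveat a practitioner would want: a bot that fetches the form first and keeps the session cookie still receives a valid token, so this raises the cost of automation and stops blind POSTs to mail.php, but it does not stop a patient spammer by itself. The server-side CR/LF and address checks on what goes into the mail headers remain the control that prevents the relay.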