Stop the Spam!
August 20, 2006 2:38 PM   Subscribe

I am getting spam to addresses picked up from a PHP mail script - can I stop this?

I have built a small site for a Film Society which has three "contact us " style pages, with a simple form and a send button. The send button uses the PHP Mail function to send an email with the question or comment to an email address (depending on the page) which is stored in a MySQL table and is retrieved before the Mail function is called.

The email addresses in question are receiving spam which looks to have come from the website (ie sent through the form) but infact contains nonsense and spam-like messages. It looks to be automated, so not somebody typing stuff in manually.

Firstly, how is this being done when the email address is only stored server side and secondly, is there anything I can do to stop it?
posted by jontyjago to Computers & Internet (13 answers total) 2 users marked this as a favorite
 
Using Captchas to validate the user is an easy way to get rid of automated SPAM.
posted by stovenator at 2:45 PM on August 20, 2006


Install a Captcha program. It will show distorted letters and require a user to reproduce them, which machines & scripts (usually) cannot do.

The easier way is to ask a simple math program that's randomly generated.

See an example over at one of my sites here.
posted by disillusioned at 2:46 PM on August 20, 2006


ie sent through the form

how is this being done when the email address is only stored server side and secondly

Are they using the form or aren't they? If they're using the form, they don't need to know the email address, and I'm sure there are robots (and/or low-paid people) out there that search google for form pages and automatically submit spam, in the hope it will be published and boost their google ranking.
posted by cillit bang at 3:09 PM on August 20, 2006


The OP said that the spam looks automated, and if this is the case, the Captchas are moot. There's no way they could capture the PHP-hardcoded address unless it bounced from your mailserver, and the bounce went to a mailbox they were monitoring.

I'd suggest making sure you aren't using a COMMON mail address (such as mike@blah.com... mike and hundreds of other words are used in dictionary spams). Also Google your E-mail address (if you dare, given the AOL leak) and see if you may have inadvertantly used it somewhere else.
posted by rolypolyman at 3:11 PM on August 20, 2006


Yeah, and what cillit bang said.... if your mailing page is a HTML page rather than a PHP script, and your address is passed to the script, then it is available in the HTML page and can be extracted by a bot.
posted by rolypolyman at 3:12 PM on August 20, 2006


That's not what I said.
posted by cillit bang at 3:19 PM on August 20, 2006


>The OP said that the spam looks automated, and if this is the case, the Captchas are moot. There's no way they could capture the PHP-hardcoded address unless it bounced from your mailserver, and the bounce went to a mailbox they were monitoring.

I so don't get this. The email addresses are receiving spam via the form. That's the most logical, occam's-razor explanation. Nobody has to know the email address to do that.

And the email address is neither "PHP-hardcoded" nor visible in HTML. Read the post!
posted by AmbroseChapel at 4:29 PM on August 20, 2006


The email addresses in question are receiving spam which looks to have come from the website (ie sent through the form) but infact contains nonsense and spam-like messages.

Do those two statements ("from the website" and "spam-like") really contradict each other? If not, your use of "but" confuses the issue. If so, you should explain why you believe spam-like messages couldn't have been sent through the form.
posted by scottreynen at 4:53 PM on August 20, 2006


Let's assume that you're getting the spam via the form.
  • There's no way to stop this if it's people doing it.
  • Captchas will stop it if it's a script doing it.
  • What's probably more of a concern is the form being vulnerable to injection, and it's not just you getting the spam, it's a million other people, using your script, which will make you unpopular
  • One thing you can do, if it's a script attacking your form, is just to change its filename, though it's only temporary, and of course you'd need to fix all links to it.
Which makes me think ... you could code a website so that, say, your "contact" link in your nav, every time it was loaded, linked to a different random URL. You load it and get a link to "contact-8372615238.php", I load it and get a link to "contact-3214528794.php". That file would be written out every time your nav loaded, and cleaned up later by a cron job.

Lots of file-read-and-write action on the server, but wouldn't it stop form spam? The script can't note the location of your email form as a constant, although of course it would be trivial to hit a page first then grab its location from the nav.
posted by AmbroseChapel at 5:14 PM on August 20, 2006


If the spam is originating from the form, MailSprocket may prove helpful. It's GPLed.
posted by lurkingular at 8:59 PM on August 20, 2006


Thank you all for your suggestions. The spam is coming from the form as the emails have the title "Email from FilmSoc website..." which is what the Mail function uses. If I change the email address in the database, the new address gets the messages, not the old one so they don't seem to have stored the addresses themselves, as it is my server sending the mail not theirs.

Obviously I agree that if it's people doing this there's not a lot I can do, but I will look at the random page address AmbroseChapel suggests, and then if that doesn't change things I'll try the Captcha route.
posted by jontyjago at 11:56 PM on August 20, 2006


Most likely, it's not people doing it. There are now 'bots out there that will happily spam ANY form multiple times a day whether it looks like a post/email/guestbook form or not.

Your best bet is a CAPTCHA or something like it - and keep in mind that the 'bots aren't very smart. A simple question like "what color is an orange?" will work as well as a CAPTCHA and will annoy your visitors much less.
posted by mmoncur at 12:48 AM on August 21, 2006


My "random filename" thing wasn't really a suggestion for you, right now, I was just musing. It's a bit complicated and there's probably something I haven't considered. Go the captcha/question route.
posted by AmbroseChapel at 3:05 AM on August 21, 2006


« Older finding one month of housing in Vienna   |   My friends are wealthy. I am not. Why do I feel... Newer »
This thread is closed to new comments.