If you are running a website you are likely to offer a contact form that visitors can use to send you emails for feedback or support. But as a legitimate user can use the form to send you an email so can a malicious spammer use the form to send his junk emails through your webserver, using your own good reputation to deliver unwanted medicines or worthless college degrees.

In the past I was using the standard FormMail.pl perl script to handle my contact forms but soon realized that this is such a widespread script that spammers know it inside out including all its vulnerabilities. So I turned into a custom PHP script that is based on the mail() function. A naive contact form implementation could be:

<form method="POST" action="emailer.php"> Your message:<br> <textarea name="comments" rows="10" cols="80"> <br><br> <input type="submit" value="send your feedback" name="submit"> </form>

→

The PHP script that deals with this html form to send the email with the user feedback could be:

<?php $message = $_POST['comments'] ; mail( "support@website.com", "contact form", $message); ?>

If you were to implement this in your website you would discover in no time how easy it is for spammers to use your form and flood either your own support or other peoples' email with their junk, at your expense. At minimum you would annoy people and probably your server would end up in a spammer black list and you couldn't send legitimate emails to your customers!

PHP is a very powerful server side scripting language so you can easily add checks and stops that will only allow legitimate use of the contact form. Here are some commonly used tricks:

• Captcha. Force the sender to prove he is human by reading and entering information e.g. the text shown on some picture or performing a simple addition like 1+1=2
   
• Block URLs. Don't allow URLs to be sent with the message. Spammers will invariably include some http:// address in their messages, so if you detect a URL show an error message instead of sending the email.
   
• Add delays. Making the PHP form loiter for 10 seconds before sending the email will be a minor inconvenience to a normal person but would throw the spanner in the works for a spammer trying to send 1,000,000 emails in an afternoon.
   
• IP filtering. Check the sender's IP address, and if it is the same guy using the form 1000 times in a row, then disallow it

Artificial delays and IP filtering can also prevent flooding attacks to your email (I think I am going to need that protection in the near future <g>). A very simple but effective procedure is to store the last sender's IP address in a file, and compare it to the IP address of the new sender. If they are the same don't allow the communication before a fixed time period has passed (e.g. 1 minute). Look how simple is this check in PHP:

<?php $fromIP = $_SERVER['REMOTE_ADDR'] . "\n"; $filename = 'lastip.txt'; $handle = fopen($filename, 'r+'); $ok = 1; if($handle) { $lastIP = fgets($handle); if($lastIP == $fromIP) { $modt = filemtime($filename); $nowis = time(); // unix time counts in seconds if($nowis - $modt < 60) $ok = 0; } rewind($handle); } else // file doesn't exist, create it $handle = fopen($filename, 'w'); fwrite($handle, $fromIP); fclose($handle); sleep(10); // anti-flooding measure if(0==$ok) { print <<<END <html><body> ERROR: You cannot send another message so soon!<br>Please wait 1 minute then retry </body></html> END; exit; } // IP ok, send the email ... ?>

We store the last IP address in a file called lastip.txt and use the modification date of the last write filemtime() as an indication of the last time the script was used. If the same IP address is calling and the time elapsed is under 1 minute we show an error message. We only keep track of a single IP address.

This technique isn't perfect as it is open to IP spoofing but should be enough to block many attacks. Sadly it also catches out customers that want to send two emails in a row in close succession... but that's the downside of all security measures.

Post a comment on this topic