Preventing Contact Form Spamming

Posted by Mike Lopez under Technology, 13 Feb 2006, 12:14pm


Spammers are among the most innovative people on the net. Like virus writers, they always seem to find new ways to send their spam and bypass existing protection. What most webmasters do nowadays to stop spammers from harvesting email addresses from their website is to put up an email contact form instead of posting their actual email address. So instead of seeing user@domain.com on the ‘Contact Us’ page, you see a contact form. This worked well in the beginning, but the spammers have found another way and made it worse! Instead of just harvesting emails from our websites, they now use our resources to send their spam. The consequences range from a slowdown of the server to blacklisting of the server’s IP, which is very, very bad!

This problem was brought to my attention by Benj Arriola, who has himself posted an article on how to prevent email contact form spamming.

So how do they do it? First, let’s look at what most contact forms look like. Most contact forms will have these fields:

  • Name of Sender
  • Email of Sender
  • Message Subject
  • Email Message

What the spammers do is simply include email headers in these fields, in the correct format, and let your code do the rest. How? Like this:

  1. They put the name of sender that they want.
  2. They put the email of sender that they want.
  3. Then in the message subject, they first type the following in some plain text editor such as Notepad:
    Subject that they want
    Bcc: recipient1@domain.com,recipient2@domain.com,…
    They can enter as many Bcc recipients as they want.
  4. They type their spam message.
  5. They click submit and poof! The email gets sent to all the Bcc recipients using your server’s resources and identity.

Bad? You bet! So how do we solve this? Here are a few tips. Assume we have the following form:

  • Name of Sender
  • Email of Sender
  • Subject
  • Message

In sendmail.php, you do this:

// anti-spam code
// keep only the first line of each field that ends up in a mail header
list ($sender_name) = explode ("\n", $_POST['sender_name']);
list ($sender_email) = explode ("\n", $_POST['sender_email']);
list ($subject) = explode ("\n", $_POST['subject']);
// start the body with a blank line so nothing in it can be read as a header
$message = "\n\n" . $_POST['message'];

// email sending code goes here…

So what exactly did we do?

The first three lines of the anti-spam code simply keep only the first line of whatever was placed in our sender_name, sender_email, and subject fields. This effectively removes the extra header lines that the spammers could have placed in them.

The fourth line, on the other hand, adds two line breaks before the start of the message, effectively disabling any headers that the spammers may have placed in the message body.

This code is tested and seems to work for now… We can never tell when these spammers will find a new workaround.
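As an added example (not the post’s own code), the same first-line idea written as reusable functions: it treats a bare carriage return as a line break too, since splitting on "\n" alone leaves a trailing "\r" on the first line that some mail servers still honour as a line end, validates the sender address, and refuses to send instead of silently repairing a field. The function names, the example.com/example.net addresses and the sample input are constructed for illustration.

```php
<?php
// Added example, not the original post's code: a header-field sanitiser for a
// PHP contact form that extends the first-line trick to bare "\r" as well.
// Returns the first line of a header field, or null if the field spans several
// lines, which is the signature of an attempted header injection.
function cleanHeaderField(string $value): ?string
{
    // Split on CRLF, CR or LF; "\n" alone would leave a dangling "\r" behind.
    $lines = preg_split('/\r\n|\r|\n/', $value);
    if (count($lines) > 1) {
        return null; // refuse to send rather than silently repair the field
    }
    return trim($lines[0]);
}

// The sender address must additionally be a single valid mailbox, so it cannot
// smuggle commas or extra recipients into the From header.
function cleanSenderEmail(string $value): ?string
{
    $first = cleanHeaderField($value);
    if ($first === null || filter_var($first, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $first;
}
// Builds the four mail() arguments from the POST fields, or null to refuse sending.
function buildMail(array $post, string $to): ?array
{
    $name    = cleanHeaderField($post['sender_name'] ?? '');
    $email   = cleanSenderEmail($post['sender_email'] ?? '');
    $subject = cleanHeaderField($post['subject'] ?? '');
    if ($name === null || $email === null || $subject === null) {
        return null;
    }
    // The body is never part of the header block; the leading blank line keeps it
    // that way even if a later edit ever concatenated body and headers.
    $body    = "\n\n" . ($post['message'] ?? '');
    $headers = "From: {$name} <{$email}>\r\nReply-To: {$email}";
    return [$to, $subject, $body, $headers];
}
// Constructed sample input reproducing the Bcc trick described in the post;
// buildMail() refuses it because the subject carries a second header line.
$injected = ['sender_name' => 'Alice', 'sender_email' => 'alice@example.com',
             'subject' => "Hello\r\nBcc: a@example.net,b@example.net", 'message' => 'x'];
var_dump(buildMail($injected, 'owner@example.com'));
var_dump(buildMail(['sender_name' => 'Alice', 'sender_email' => 'alice@example.com',
                    'subject' => 'Hello', 'message' => 'Hi'], 'owner@example.com'));
```

When buildMail() returns null, log the rejected submission rather than mailing anything; a spike in such rejections is the cheapest signal that a bot has found your form.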

Lastly, I’m sorry if I wasn’t able to explain this more clearly. I’m typing this in a short span of time. If you need clarifications, please feel free to post them as comments below and I will try to answer your queries.



4 Responses to “Preventing Contact Form Spamming”

  1. Benj Arriola Says:

    Nice solution, but I still did a find and replace kind of script and if it finds email header code, I prevent it from sending so the client website also does not get spam.

    But you know what I found out?

    An easy way people are doing it at work… was they simply added another input text field and made it invisible with CSS. And when that field gets a value, the email is not sent. Makes sense huh? Tell me what you think also…. on my blog. hehe.

  2. Mike Lopez Says:

    Sweet! The hidden text field method seems nice. But I think spambots will quickly work around this in a few months. I still think that server-side protection like my checking and your find/replace method are better.

  3. Screwspammers Says:

    I know of some code that reproduces many, many (in the order of hundreds of thousands) pre-fabricated fictional email addresses for internet email spiders to find. It would be a treat to see the face on some spammer jerk’s face to find out most of his addresses are not to anyone at all! He wouldn’t know which were good or which were bad ones! Priceless! Worthless to him!
