Antispam Script for Website Contact Forms
Script kiddies seem to be rampant this year. Two of our clients' sites have
been hit with the same off-the-shelf spam script in as many months. Our IP
blocking software works well for known spammers, but these script kiddies
pop up out of the woodwork everywhere. So after rejecting php.net's offerings
for antispam coding strategies, we decided to come up with a simple, generic
script that can simply be included from any mail processing script.
We're targeting the spammer who attempts to inject their own email header
information into one or more form fields. That way they can Cc and Bcc to
as many addresses as they want and customise other header info.
The script works by first concatenating all POST values into one long string,
then searching that string for each entry in an array of terms and phrases
('needles') that spammers use to modify headers. If a match is found, the
script exits with a blunt error message:
<?php
// spammer detection script
// phrases spammers inject into form fields to add their own mail headers
$needles = array(
    'MIME-Version:',
    'Content-Type',
    'Content-Transfer-Encoding',
    'Subject:',
);
// concatenate POST vars to $strHaystack
$strHaystack = '';
foreach ($_POST as $index => $value) {
    // array fields (e.g. checkbox groups) are joined before searching
    $strHaystack .= is_array($value) ? implode(' ', $value) : $value;
}
// do search: stripos is a case-insensitive literal search
// (eregi, used originally, was removed in PHP 7)
foreach ($needles as $needle) {
    if (stripos($strHaystack, $needle) !== false) {
        die('Go spam someone else\'s server!');
    }
}
?>
Copy and paste the code into a new php file and include it from your mail
processing script. For added control over when the anti-spam script runs,
paste the code into the conditional statement that executes when the email
form is submitted.
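As an added example that goes a little beyond the script above (it is not the original page's code), here is the same needle search written as a reusable function. It checks each field separately instead of one concatenated string, so it can report which field tripped the check, and it additionally rejects raw CR/LF characters in the fields that end up in mail headers, since a bare newline is what actually lets a submitted value start a new header line. The function names, the field names, the two extra needles 'Cc:' and 'Bcc:', and the sample submissions are all assumptions constructed for this example.

```php
<?php
// Added example, not the original script: per-field needle search plus a
// CR/LF check on header-bound fields. Names and samples are constructed.

// Recursively join array values (e.g. checkbox groups) into one string
function flatten_field_value($value)
{
    if (is_array($value)) {
        return implode(' ', array_map('flatten_field_value', $value));
    }
    return (string) $value;
}

/**
 * Return the name of the first field that looks like a header-injection
 * attempt, or null if the submission is clean.
 *
 * $fields        the submitted form fields (normally $_POST)
 * $header_fields names of fields whose values are placed in mail headers
 *                (From, Reply-To, Subject); these may not contain CR or LF
 * $needles       header phrases to reject anywhere in the submission
 */
function find_header_injection(array $fields, array $header_fields, array $needles)
{
    foreach ($fields as $name => $raw) {
        $value = flatten_field_value($raw);

        // A newline in a header-bound field would let the value start a new
        // header line, so reject it regardless of the needle list
        if (in_array($name, $header_fields, true)
            && preg_match('/[\r\n]/', $value) === 1) {
            return $name;
        }

        // stripos is a case-insensitive literal search, so the needles
        // need no regex escaping
        foreach ($needles as $needle) {
            if (stripos($value, $needle) !== false) {
                return $name;
            }
        }
    }
    return null;
}

// The page's needle list plus 'Cc:' and 'Bcc:' (assumed additions, matching
// the headers the post says spammers try to add)
$needles = array(
    'MIME-Version:',
    'Content-Type',
    'Content-Transfer-Encoding',
    'Subject:',
    'Cc:',
    'Bcc:',
);
// Fields this (hypothetical) contact form copies into mail headers
$header_fields = array('name', 'email', 'subject');

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions for a stand-alone run
    $clean = array(
        'name'    => 'Alice Example',
        'email'   => 'alice@example.com',
        'subject' => 'Question about pricing',
        'message' => "Hello,\nIs the bulk discount still available?\nThanks!",
    );
    $injected = array(
        'name'    => 'Alice Example',
        'email'   => "alice@example.com\r\nBcc: someone@example.invalid",
        'subject' => 'Question',
        'message' => 'Hello',
    );
    var_dump(find_header_injection($clean, $header_fields, $needles));
    var_dump(find_header_injection($injected, $header_fields, $needles));
} else {
    // Web use: include this file from the mail-processing script
    $bad = find_header_injection($_POST, $header_fields, $needles);
    if ($bad !== null) {
        die('Go spam someone else\'s server!');
    }
}
```

Two points of design: the message body is allowed to contain newlines (a textarea always will), which is why the CR/LF check is limited to the header-bound fields, and checking fields one at a time avoids a needle matching across the boundary where one field's value ends and the next begins. The needle list remains a heuristic (a legitimate visitor could type "Subject:" into a message), so the CR/LF check is the one to rely on, and logging the returned field name makes it easy to review any false positives.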