This is a discussion on Email Forms - Blocking Spammers within the PHP Language forums, part of the PHP Programming Forums category.
I have a couple of email forms I have created that use PHP to email the
collected data to the appropriate recipient.

A concern has been raised by clients about the form being hacked by spammers.

Is this likely to be a problem? If so, what is the best way to stop it happening? All I can think of is to maintain a log of, say, users' IP addresses and use this to limit the frequency with which the form can be used.

Is there a better way?

Hamilton
I noticed that Message-ID: <3%Zcd.129$_l2.9856@news.xtra.co.nz> from
Spidah contained the following:

> I have a couple of email forms I have created that use PHP to email the
> collected data to the appropriate recipient.
>
> A concern has been raised by clients about the form being hacked by
> spammers.

If you allow recipients' addresses to be entered into the form, this is a Bad Thing.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
As far as I know, spammers aren't scouring the web for feedback /
contact-us forms. I moved to an "email form" and haven't gotten any spam from it. Likewise, I moved my employer's email to a "form" and they haven't gotten any spam either.

"Spidah" <h.laughland@eggstra.co.nz> wrote in message news:<3%Zcd.129$_l2.9856@news.xtra.co.nz>...
> I have a couple of email forms I have created that use PHP to email the
> collected data to the appropriate recipient.
>
> A concern has been raised by clients about the form being hacked by
> spammers.
>
> Is this likely to be a problem? If so what is the best way to stop it
> happening. All I can think of is to maintain a log of, say, users ip
> addresses and use this the limit the frequency with which the form can be
> used.
>
> Is there a better way?
>
> Hamilton
Brad Kent wrote:

> As far as I know, spammers aren't scouring the web for feedback /
> contact-us forms. I moved to an "email form" and haven't gotten any
> spam from it. Likewise, I moved my employer's email to a "form" and
> they haven't gotten any spam either.

You don't understand: it's not you getting spammed, it's spammers using you to spam others.

Old form mail scripts sometimes accepted the email address of the recipient as a form variable. This made it very easy to use for novices, because they didn't have to touch the script at all. They just had to put the address in a hidden field or a select in the form.

The problem is, the spammers would exploit this by creating their own version of the form. Then they run their spam list through your form handler, not only using someone else's resources but letting them get blamed for the spam.

You can use form mail scripts, but the addresses either have to be hard-coded in the script or validated somehow.

Brian
"Default User" <first.last@boeing.com.invalid> wrote in message news:<I5uH1G.Gq0@news.boeing.com>...
> Brad Kent wrote:
>
> > As far as I know, spammers aren't scouring the web for feedback /
> > contact-us forms. I moved to an "email form" and haven't gotten any
> > spam from it. Likewise, I moved my employer's email to a "form" and
> > they haven't gotten any spam either.
>
> You don't understand, it's not you getting spammed, it's spammers using
> you to spam others.

My contact-me form in no way accepts a "to" address. My address is hard-coded in the handling script. That would be worse than bad.
> As far as I know, spammers aren't scouring the web for feedback /
> contact-us forms.

Spammers seem to find insecure versions of programs like "formmail" with frustrating rapidity.

> I moved to an "email form" and haven't gotten any
> spam from it. Likewise, I moved my employer's email to a "form" and
> they haven't gotten any spam either.

The threat here is using your web server to spam the world, incidentally getting mail from the web server blocked by a lot of ISPs. They don't usually spam the webmaster, as that would give away the security hole.

One of the most important things about your form is:

DON'T allow input from the browser to specify a destination address.
DON'T put the To: address in a hidden field on the form.
DON'T put the To: address in a cookie.
Preferably, hard-code it as a fixed string that points at one of YOUR mailboxes.

Also:

DON'T allow input from the browser to specify a From: address. (It's better to make that a fixed string, also.)
DON'T allow input from the browser to do anything to the headers or body that might cause a bounceback to the From: address (e.g. attach a virus, excessive length, cusswords, etc.)
DON'T mail something back to an email address entered on a form.

You can relax some of these rules if using the form requires a login and a password that can't be obtained just by filling in another form (e.g. it waits a few days for the credit card payment to clear before permitting use).

Gordon L. Burditt
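The "formmail" pattern Brian describes (recipient taken from a hidden field) and the rules Gordon lists, side by side in PHP. This is an added example, not code posted by anyone in the thread; the addresses, constant names and the size limit are placeholders for this illustration, and the attack input is constructed.

```php
<?php
// Added example (not from the thread). Contrasts the old "formmail" pattern
// with a handler that follows the rules given in the replies above.

// --- VULNERABLE: the "formmail" pattern ------------------------------------
// The destination and the From: header come straight from the browser. A
// spammer copies the form, sets "recipient" to each address on their list,
// and the mail leaves from YOUR server. A CR/LF inside "email" additionally
// injects extra headers (e.g. Bcc:) into the message.
function send_feedback_insecure(array $post): bool
{
    $headers = "From: " . $post['email'] . "\r\n";
    return mail($post['recipient'], $post['subject'], $post['message'], $headers);
}

// --- HARDENED --------------------------------------------------------------
// Placeholder values for this example; set them for your own site.
const FEEDBACK_TO   = 'webmaster@example.com'; // fixed destination, never from the browser
const FEEDBACK_FROM = 'webform@example.com';   // fixed sender on YOUR domain
const MAX_BODY_LEN  = 4000;                     // arbitrary cap on visitor-supplied text

/**
 * Validate browser input and build the message. Returns the exact arguments
 * that would be handed to mail(), or null when the input is rejected. Kept
 * apart from the actual send so it can be exercised without an MTA.
 */
function build_feedback_mail(array $post): ?array
{
    $name    = trim((string)($post['name']    ?? ''));
    $email   = trim((string)($post['email']   ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // A line break in a single-line field is a header-injection attempt:
    // refuse the whole submission rather than trying to "clean" it.
    foreach ([$name, $email] as $single_line) {
        if (preg_match('/[\r\n]/', $single_line)) {
            return null;
        }
    }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($message === '' || strlen($message) > MAX_BODY_LEN) {
        return null;
    }

    // Visitor data goes only into the body. To:, From: and Subject: are
    // fixed strings, so nothing the browser sends can reach a header, and
    // the visitor's address is reported, not mailed back to.
    $body = "Feedback from the contact form\n"
          . "Name:  " . $name . "\n"
          . "Email: " . $email . "\n\n"
          . $message . "\n";

    $headers = "From: " . FEEDBACK_FROM . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return [
        'to'      => FEEDBACK_TO,          // never $post['recipient']
        'subject' => 'Web site feedback',  // never $post['subject']
        'body'    => $body,
        'headers' => $headers,
    ];
}

function send_feedback(array $post): bool
{
    $mail = build_feedback_mail($post);
    if ($mail === null) {
        return false;
    }
    return mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}

// Constructed sample of what an attacker posts to a formmail-style handler.
// send_feedback_insecure($attack) would relay it to the attacker's chosen
// recipient; the hardened builder ignores "recipient" and "subject" entirely
// and rejects the submission because of the CR/LF in "email".
$attack = [
    'recipient' => 'victim@example.net',
    'email'     => "spammer@example.org\r\nBcc: victim2@example.net",
    'subject'   => 'Buy now',
    'message'   => 'spam',
];
if (build_feedback_mail($attack) === null) {
    echo "attack submission rejected\n";
}
```

The point of keeping the To: and From: strings as constants rather than "validating" a browser-supplied address is that there is nothing left for a copied form to redirect; rate limiting by IP, as the original poster suggested, only slows an attacker down and does nothing against a handler that will mail anywhere it is told.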