Sanjoy Roy

[MCM, MCP, SCJP] – Senior PHP Programmer

How To Stop Spammers Using Your Feedback Form


Not securing your feedback form can leave it open to spammers, possibly allowing them to send junk mail to anyone, with the mail appearing to have originated from you. In the worst case this can get your domain blacklisted by many mail servers.

The Solution

Luckily there are a few things you can do to make your feedback form a lot harder to exploit. The main technique spammers use is to insert Bcc: headers through the feedback form. Say, for example, you have a feedback form with a message field and an email field, and these are passed without any validation to a PHP script that does something similar to the following:

   // No validation: the email field goes straight into the mail headers
   mail('you@yourdomain.com', 'Feedback', $_POST['message'], 'From: '.$_POST['email']);

If the spammer can send “fake@address.com%0ABcc:recipient1@domain.com,recipient2@domain.com” in the email address field on your form, then whatever they type in the message box will be sent not only to you but to all of those listed recipients as well. What if hundreds or thousands of Bcc: recipients are listed?

A few extra lines of code solve this problem and eliminate the majority of attacks on your forms. The following simply removes all occurrences of bcc:, cc:, to: or content-type: headers so that the content of the form can only be submitted to you and not to anyone else.

   // Case-insensitive patterns for the header names a spammer would inject
   $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
   // Strip them from both fields before either reaches mail()
   $message = preg_replace($find, '', $_POST['message']);
   $email = preg_replace($find, '', $_POST['email']);
   mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email);
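Stripping known header names is a blacklist, and any injected header still needs a line break to start a new header line. A stricter approach, shown here as an added example (not the original post's code), is to reject submissions whose header-bound fields contain CR, LF or NUL and to validate the address with filter_var(). The function names, the $mailer callback and the sample inputs are assumptions for illustration; the injected string is the one from the text, URL-decoded.

```php
<?php
// Added example: reject header-bound input that contains line breaks
// instead of deleting header names from it. Function names are hypothetical.

/**
 * True if $value may be placed inside a mail header: it contains no CR, LF
 * or NUL, the characters that would start a new header line.
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Validate a feedback submission. Returns a list of error strings; an empty
 * list means the message may be sent.
 */
function validateFeedback(string $email, string $message): array
{
    $errors = [];

    // The address goes into the From: header, so it must be a single valid
    // address with no line breaks. FILTER_VALIDATE_EMAIL already refuses
    // CR/LF, but the explicit check keeps the intent visible.
    if (!isHeaderSafe($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid sender address';
    }

    // The message is the mail body, so line breaks are fine there; only the
    // length is limited so the form cannot be used as a bulk mailer.
    if (trim($message) === '' || strlen($message) > 10000) {
        $errors[] = 'message empty or too long';
    }

    return $errors;
}

/**
 * Send the feedback if validation passes. The mail() call is behind a
 * callable so the logic can be exercised without a mail server.
 */
function sendFeedback(string $email, string $message, ?callable $mailer = null): bool
{
    if (validateFeedback($email, $message) !== []) {
        return false;
    }
    $mailer  = $mailer ?? 'mail';
    $headers = 'From: ' . $email . "\r\n" . 'Reply-To: ' . $email;
    return (bool) $mailer('you@yourdomain.com', 'Feedback', $message, $headers);
}

// Constructed sample inputs: a normal submission and the injection attempt
// from the post, with %0A decoded to a real line feed.
$clean    = 'visitor@example.com';
$injected = "fake@address.com\nBcc:recipient1@domain.com,recipient2@domain.com";

// Stand-in for mail() that only prints what would be sent.
$log = function (string $to, string $subject, string $body, string $headers): bool {
    echo "would send to $to with headers:\n$headers\n";
    return true;
};

var_dump(sendFeedback($clean, 'Hello from the form', $log));
var_dump(sendFeedback($injected, 'Hello from the form', $log));
```

Rejecting the submission, rather than silently cleaning it, also gives you a clear signal to log: a line break in an email field is never legitimate user input.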

IP Addresses

You may also wish to capture the IP address of the person sending the form.

   // X-Forwarded-For arrives as HTTP_X_FORWARDED_FOR and is only present behind a proxy;
   // note that it is supplied by the client, so only trust it from a proxy you control
   $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
   mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email."\nX-From-IP: ".$ip);

This lets you build your own ‘blacklist’ once you know the IP address of any offenders. The message is then only sent if the address is not in your banned IP list:

   // Same lookup as above: the proxy header when present, else the TCP peer address
   $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
   $banned_ip = array('195.99.99.99','137.11.11.11');
   // Only send when the address is not on the ban list
   if(!in_array($ip,$banned_ip)) {
      mail('you@yourdomain.com', 'Feedback', $message, 'From: '.$email."\nX-From-IP: ".$ip);
   }
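Because X-Forwarded-For is a request header the visitor can set themselves, a ban list keyed on it is only meaningful when the request came through a proxy you operate. The following added example (not the original post's code) resolves the client address that way, validates it with FILTER_VALIDATE_IP before it goes into the X-From-IP header, and then applies the ban list. The function names, the $trustedProxies list, the single-proxy assumption and the sample requests are all assumptions for illustration; the banned addresses are the ones from the text.

```php
<?php
// Added example: resolve the client IP safely and apply the ban list.
// Function names, proxy address and sample requests are hypothetical.

/**
 * Resolve the client IP from a $_SERVER-style array (passed in so the
 * function can be exercised with constructed values). Assumes at most one
 * trusted proxy hop. Returns null when no valid address can be determined.
 */
function clientIp(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Anyone can send X-Forwarded-For on their own request, so its value is
    // only used when the TCP peer is one of our own proxies.
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The header is a comma-separated chain; our proxy appends the peer
        // address it saw, so with one proxy hop the last entry is the client.
        $chain     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($chain);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
        return null; // malformed header even from our own proxy: do not guess
    }
    return $remote;
}

/**
 * Build the extra headers for a permitted sender, or return null when the
 * message must be refused. A validated IP contains no CR/LF, so the
 * X-From-IP header cannot become an injection point.
 */
function feedbackHeaders(string $email, ?string $ip, array $bannedIps): ?string
{
    if ($ip === null || in_array($ip, $bannedIps, true)) {
        return null; // refuse: unknown origin or banned address
    }
    return 'From: ' . $email . "\r\nX-From-IP: " . $ip;
}

// Constructed configuration and sample requests (documentation address ranges).
$trustedProxies = ['10.0.0.5'];
$bannedIps      = ['195.99.99.99', '137.11.11.11'];

// Direct request: REMOTE_ADDR is the client and a self-supplied
// X-Forwarded-For is ignored.
$direct   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
// Request through our proxy: the proxy appended the real client, which is banned.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 195.99.99.99'];

foreach ([$direct, $viaProxy] as $request) {
    $ip      = clientIp($request, $trustedProxies);
    $headers = feedbackHeaders('visitor@example.com', $ip, $bannedIps);
    echo ($headers === null ? "refused ($ip)" : "send with:\n$headers"), "\n";
}
```

If your proxy chain has more than one hop, walk the chain from the right and skip every address in $trustedProxies before taking the first untrusted one; the single-hop rule above is deliberately the simplest correct case.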
