Website Design June 17th, 2009
As many business owners and webmasters are all aware, spam leads via form mail are a regular issue in the web world. Spammers adopt a variety of novel techniques to achieve their desired aim. But spammers cannot be given a free ride either, and we need to devise adequate strategies to counter their unethical practices. This post is specifically aimed to highlight the methods generally adopted by spammers, and the appropriate strategies to counter them. Why am I posting about it? Because I deal with them all the time!
From the view source of web pages spammers know the field names as well as form action. Mostly this action page is used to send emails. For example, let’s say the action is set to send_mail.php and the field names are name and email_address. Spammers can easily submit the values through a URL like www.yoursite.com/send_mail.php?name=Jeffemail@example.com. They will have an automated program to change the name and email and will keep on submitting the URL and mails are sent.
In this case spammers use their own page to submit the form, and the form action is set to www.yoursite.com/mail.php. This method is used so that the POST validation used in the mail script is over ridden. This process can also be automated.
Here – spammers manually insert the values and submit the form. This method, however, is rarely used and the solution to block manual submission are limited.
Captcha code is one of the best methods used by web masters to avoid spam mail. It is dynamic text, and is generally shown in an image box. With every load / refresh click, the captcha code changes. The user will need to enter the text shown in the image to an adjacent text field. Successful submission can only be made when both the values match in the server side. Captcha code can be integrated easily using PHP Captcha Library. A simple captcha code using icons would be more preferable so as to make it more user- friendly.
Make sure that all mandatory fields are validated properly In the server side. PHP Filter function can be used to attain this. Java script validation won’t work if it’s disabled from the client browser; so server side validation is a must.
Filter all the inputs from the form as spammers usually insert script tags or URLs in to form. It’s then mandatory to strip the html tags and characters which are mostly used by spammers such as ‘http://’,’mailto:’,’viagra’ etc.
Always make the form method to POST (<form method="post">) and the mail sending script should check only for POST values and not GET or REQUEST method. This will make sure that URL submission won’t execute the script.
HTTP Referer will make sure that the request has come from the same domain. Submission of forms from another domain can be blocked using this method.
If spamming is done through manual submission, the solution is to block the IP address and for this the htaccess file can be used to implement this.
If the form details are saved in to database use mysql_real_escape_string to avoid SQL injection.
All methods mentioned above, either singly or in combination, could insulate you from a host of spam leads that one is confronted with in every day life. These could ultimately turn out to be your bulwark against all unethical practices resorted to by spammers, who as we all know, do create inconveniences for all web masters.
This post, showcasing the methods adopted by spammers and the counter measured to be initiated, is intended to enlighten every one on the ways and means of making your website more secure and trustworthy. If none of these work, maybe you know where to buy a shot gun? 🙂