How to solve spam mail issue – PHP – SitePoint





I'm getting a lot of spam on my websites. How can I solve this issue?
I have tried a few methods.
1. Google reCAPTCHA.
2. Blocking countries by IP address.
All four methods are in a single form, but I'm still getting spam mail…
First off, you’ll never filter out all spam. The thing is, are your methods working? Are you still getting spam with the stop words you are checking for and from the countries you’re filtering out?
Personally I wouldn’t let the spammer know that you have detected spam. It gives them the chance to edit their spam to get round your checks. Let them think the email has been sent and they’ll go on to the next spamee.
You could try what I have recently learned is called a form honeypot. Create a check box on the form with the text, e.g. “I accept the terms and conditions”, but style it with CSS so that humans can’t see it but a bot will and will then check it. Then when processing the form simply don’t proceed with the sending of the mail if the box has been checked.
1. Google reCAPTCHA.
I’ve noticed that some bots have learnt to get around reCAPTCHA. That is the problem with common CAPTCHA types: they are the ones they are working on cracking.
Hidden fields…
These are usually effective in my experience.
Personally I wouldn’t let the spammer know that you have detected spam. It gives them the chance to edit their spam to get round your checks. Let them think the email has been sent and they’ll go on to the next spamee.
Agreed, let them think they have won, when in fact they have not. And don’t give them clues as to the purpose of the hidden honeypot inputs. Using type="hidden" tells them they shouldn’t see it.
a form honeypot.
The hidden inputs are honeypots.
Another one that I have found very effective is a form timer. Record the time on the form request. Record the time of submission. Compare the two to get the time elapsed. If it is below a value you set, consider it a bot.
You can also use an access token, to stop those who spoof your form on their own machine and send the submission request to your server. A random string (different every time) in a hidden input. It is recorded and passed to the validation script, then compared against the value submitted from the form.
A good combination of methods used together can work.
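The honeypot checkbox, form timer and per-request token from the post above, checked together, as an added example that is not part of the original thread. The field names `accept_terms` and `form_token`, the 3-second threshold and the helper names are assumptions; on rejection the caller would still show the normal "sent" page, as suggested earlier in the thread.

```php
<?php
// Added example: honeypot, form timer and one-time token checked together.
// Field names (accept_terms, form_token) and MIN_SECONDS are assumptions.

const MIN_SECONDS = 3; // assumed threshold; tune it for your form

// Call when rendering the form: store token and render time server-side.
function issue_form_state(array &$session, int $now): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    $session['form_time']  = $now;
    return $session['form_token']; // value for the hidden input
}

// Call when processing the POST. Returns null for a plausible human,
// otherwise the rejection reason (log it, never show it to the sender).
function bot_reason(array $post, array &$session, int $now): ?string
{
    $expected = $session['form_token'] ?? null;
    $issued   = $session['form_time'] ?? null;
    unset($session['form_token'], $session['form_time']); // single use

    $sent = $post['form_token'] ?? '';
    if (!is_string($expected) || !is_string($sent) || !hash_equals($expected, $sent)) {
        return 'token mismatch';
    }
    if (!empty($post['accept_terms'])) { // invisible checkbox was ticked
        return 'honeypot filled';
    }
    if (!is_int($issued) || $now - $issued < MIN_SECONDS) {
        return 'submitted too fast';
    }
    return null;
}

// Constructed demo: $session stands in for $_SESSION, $post for $_POST.
$session = [];
$t0 = 1700000000;

$token = issue_form_state($session, $t0);
var_dump(bot_reason(['form_token' => $token, 'message' => 'Hi'], $session, $t0 + 20));

$token = issue_form_state($session, $t0);
var_dump(bot_reason(['form_token' => $token, 'accept_terms' => 'on'], $session, $t0 + 20));

$token = issue_form_state($session, $t0);
var_dump(bot_reason(['form_token' => $token], $session, $t0 + 1));

var_dump(bot_reason(['form_token' => $token], $session, $t0 + 30)); // replayed token
```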
You can also use an access token, to stop those who spoof your form on their own machine and send the submission request to your server. A random string (different every time) in a hidden input. It is recorded and passed to the validation script, then compared against the value submitted from the form.
This is called Cross Site Forgery Request token, or CSRF token for short.
CSRF token
Funny, I knew there was a term for it, but could not remember what it was called, just how to do it.
Besides bad words also check text for unwanted url parts like '<','http','www','.com','http:','@' etc.
I have an old list (many years ago) of agent/spiders and a snip of code I used. As it is a long list I put it on a file and uploaded it. This was one of the first checks I did. I also had a database table blockedips to hold a list of ips that I blocked and I would query this table and put these ips into an array $badips. This code was all on a file that was included on all my pages before output to the browser so if it is a blocked ip they just wouldn’t have access at all.
So before doing any text searches for bad words they have to pass the spider test and my blockedips list with this simple IF condition.
If text did not pass the word check I would save their ip address and date into a database table called ip_tracking then I query the ip_tracking table using today’s date and the ip address and I count the records. I set a threshold of 75 and if this count is surpassed, their ip was added to the blockedips table. Bots can hit your form rather quickly and I caught many at this setting. Anyway this is what I did many years ago on a site… I am sure others might have a more modern approach.
spiders.php (8.2 KB)
Another check that can detect form spoofing, and really should be part of any robust validation system, is checking all the inputs and values are as they should be.
You can create a function to check each input in turn. Start with an array of all the form’s inputs, then check if each one isset(). In a valid submission from your site all should be set (with the exception of checkboxes) but spoofed forms may miss some inputs out.
Then with the values, some values are pre-set in the form, such as drop-down selects, radios and checkboxes. Check the submitted values for these against an array of proper values that you have offered as choices. Bots will often tamper with the pre-set values, an honest user would not do this, so the bots give themselves away doing this.
Again all part of the validation process, but checking user input matches the type and obeys any constraints will catch out the bots. E.g., checking a string obeys any min/max length constraints, also min/max numerical inputs, required inputs are !empty().
Basically every constraint you put on form inputs has to be checked in validation, and bots will reveal themselves by not adhering to those constraints.
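One way to write the per-input check described in this post, as an added example that is not code from the thread. The form layout (`name`, `topic`, `age`, `message`), the rule table and the function name are hypothetical; optional checkboxes would need a rule type that tolerates absence.

```php
<?php
// Added example: check presence, offered values and constraints per field.
// The form layout below (name, topic, age, message) is hypothetical.

const RULES = [
    'name'    => ['type' => 'text',   'min' => 2,  'max' => 60],
    'topic'   => ['type' => 'choice', 'allowed' => ['sales', 'support', 'other']],
    'age'     => ['type' => 'int',    'min' => 18, 'max' => 120],
    'message' => ['type' => 'text',   'min' => 10, 'max' => 2000],
];

// Returns a list of problems; an empty list means a well-formed submission.
function validate_submission(array $post, array $rules = RULES): array
{
    $errors = [];
    foreach ($rules as $field => $rule) {
        // Spoofed forms often omit inputs or send arrays (name[]=...).
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field: missing or not a string";
            continue;
        }
        $value = trim($post[$field]);
        switch ($rule['type']) {
            case 'choice': // pre-set values must be ones the form offered
                if (!in_array($value, $rule['allowed'], true)) {
                    $errors[] = "$field: value was not offered";
                }
                break;
            case 'int':
                $opts = ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]];
                if (filter_var($value, FILTER_VALIDATE_INT, $opts) === false) {
                    $errors[] = "$field: not an integer in range";
                }
                break;
            case 'text':
                $len = strlen($value);
                if ($len < $rule['min'] || $len > $rule['max']) {
                    $errors[] = "$field: length out of bounds";
                }
                break;
        }
    }
    return $errors;
}

// Constructed submissions standing in for $_POST.
$honest  = ['name' => 'Ana', 'topic' => 'support', 'age' => '34', 'message' => 'My order has not arrived yet.'];
$spoofed = ['name' => 'x', 'topic' => 'viagra', 'age' => '9999'];
print_r(validate_submission($honest));
print_r(validate_submission($spoofed));
```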