How safe is PHP mail from spam?



robertsaunders
11-28-2006, 10:53 PM
Recently I have been using the email riddler at DD instead of CGI mail forms because I found the latter resulted in too much spam.

Today I read my first PHP tutorial and discovered PHP mail. What I am wondering is whether it is worth using it, or whether I am better off using the email riddler. What do you think?

The basic script that I am thinking about using will be something like below. Please let me know if there is anything you think I need to add or subtract to protect against SPAM. (You will notice that I haven't included my real email address below - I am completely paranoid about SPAM!)


<html>
<body><?php
// Returns TRUE when the field contains "to:" or "cc:" (case-insensitive).
// eregi() was removed in PHP 7; preg_match() with the /i flag does the same match.
function spamcheck($field)
{
    if (preg_match("/to:/i", $field) || preg_match("/cc:/i", $field))
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}

// if "email" is filled out, send email
if (isset($_REQUEST['email']))
{
    // check if the email address is invalid
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck == TRUE)
    {
        echo "Invalid input";
    }
    else
    {
        // send email
        $name = $_REQUEST['name'];
        $email = $_REQUEST['email'];
        $subject = $_REQUEST['subject'];
        $dates = $_REQUEST['dates'];
        $message = $_REQUEST['message'];
        mail("name@myemail.com", "$subject",
            "$message\nDates we would like to book: $dates\n", "From: $name <$email>");
        // escape the name before echoing it back into the page
        echo "Thank you for using our mail form " . htmlspecialchars($name);
    }
}
else
{
    // if "email" is not filled out, display the form
    echo "<form method='post' action='mailform2.php'>
Name: <input name='name' type='text' /><br />
Email: <input name='email' type='text' /><br />
Dates: <input name='dates' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?></body>
</html>





Looking forward to reading your thoughts.

Rob
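
An added example, not part of Rob's post: the posted spamcheck() looks only at the email field and only for "to:" and "cc:", while name also goes into the From: header. A stricter check rejects any CR or LF in every value bound for a header and validates the address with filter_var(). The function names and sample submissions are made up for this illustration.

```php
<?php
// Added illustration; function names and sample inputs are constructed.

// A header value must stay on one line: a CR or LF would begin a new header line.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Check every field that ends up in a mail header, then build the mail() arguments.
function check_booking_form(array $in): array
{
    $name    = trim($in['name'] ?? '');
    $email   = trim($in['email'] ?? '');
    $subject = trim($in['subject'] ?? '');
    $errors  = [];

    if ($name === '' || !is_single_line($name)) {
        $errors[] = 'name';
    }
    if (!is_single_line($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if (!is_single_line($subject)) {
        $errors[] = 'subject';
    }
    if ($errors) {
        return ['errors' => $errors, 'mail_args' => null];
    }

    // Drop characters that would break out of the quoted display name.
    $display = str_replace(['"', '\\', '<', '>'], '', $name);
    $body = ($in['message'] ?? '') . "\nDates we would like to book: " . ($in['dates'] ?? '') . "\n";
    return ['errors' => [], 'mail_args' =>
        ['name@myemail.com', $subject, $body, "From: \"$display\" <$email>"]];
}

// Constructed submissions: a normal one, one with a header line hidden in "name"
// (a field the posted spamcheck() never inspects), and one with a bad address.
$samples = [
    ['name' => 'Rob', 'email' => 'rob@example.com', 'subject' => 'Booking', 'dates' => '1-3 Dec', 'message' => 'Hi'],
    ['name' => "Rob\r\nCc: someone@example.net", 'email' => 'rob@example.com', 'subject' => 'Booking'],
    ['name' => 'Rob', 'email' => 'not-an-address', 'subject' => 'Booking'],
];
foreach ($samples as $i => $s) {
    $r = check_booking_form($s);
    echo "sample $i: ", $r['errors'] ? 'rejected: ' . implode(', ', $r['errors']) : 'ok', "\n";
}
```

The form handler would call mail(...$r['mail_args']) only when the errors list is empty.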

boxxertrumps
11-29-2006, 12:40 AM
If you have a DB with the IP addresses and the # of times a day the person mails you, you'll be able to identify problem users. You could also use a randomized PHP pic for verification.
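
The per-IP counter suggested above, as an added example that is not part of the original post. It assumes SQLite through PDO; the table name, the daily limit of 5 and the addresses are made up for the illustration.

```php
<?php
// Added illustration; table name, limit and addresses are assumptions (SQLite via PDO).
const DAILY_LIMIT = 5;

function open_counter_db(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS mail_log (
        ip TEXT NOT NULL, day TEXT NOT NULL, sent INTEGER NOT NULL,
        PRIMARY KEY (ip, day))');
    return $db;
}

// Count one submission from $ip (e.g. $_SERVER['REMOTE_ADDR']); TRUE while within the limit.
function allow_submission(PDO $db, string $ip, ?string $day = null): bool
{
    $day = $day ?? gmdate('Y-m-d');
    $db->beginTransaction();
    $db->prepare('INSERT OR IGNORE INTO mail_log (ip, day, sent) VALUES (?, ?, 0)')
       ->execute([$ip, $day]);
    $db->prepare('UPDATE mail_log SET sent = sent + 1 WHERE ip = ? AND day = ?')
       ->execute([$ip, $day]);
    $sel = $db->prepare('SELECT sent FROM mail_log WHERE ip = ? AND day = ?');
    $sel->execute([$ip, $day]);
    $sent = (int) $sel->fetchColumn();
    $db->commit();
    return $sent <= DAILY_LIMIT;
}

// Addresses that went over the limit on a given day.
function problem_ips(PDO $db, string $day): array
{
    $q = $db->prepare('SELECT ip, sent FROM mail_log WHERE day = ? AND sent > ? ORDER BY sent DESC');
    $q->execute([$day, DAILY_LIMIT]);
    return $q->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed traffic for one day: one address submits 8 times, another twice.
$db = open_counter_db();
$day = '2006-11-29';
$blocked = 0;
foreach (array_merge(array_fill(0, 8, '203.0.113.7'), array_fill(0, 2, '198.51.100.2')) as $ip) {
    if (!allow_submission($db, $ip, $day)) {
        $blocked++;   // the form handler would skip mail() here
    }
}
echo "blocked: $blocked\n";
print_r(problem_ips($db, $day));
```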

djr33
11-29-2006, 12:44 AM
Or a login of some sort.

An open access form could be abused quite easily.

The above tips can help, though.

robertsaunders
11-29-2006, 01:53 AM
Thanks for your reply.


You could also use a randomized PHP pic for verification

Sounds interesting. Do you know where I might find an idiot's guide that shows me how to do this? (Bearing in mind that I only read my first PHP tutorial today!)

I did a quick google search but could follow the instructions that I found.

Rob

djr33
11-29-2006, 06:24 AM
It's called "CAPTCHA"... acronym for something. There are quite a few recent threads about it... take a look around the php section (and "other" and perhaps "html"... not sure where they all were).

BLiZZaRD
11-29-2006, 06:32 AM
CAPTCHA = Completely Automated Public Turing Test to Tell Computers and Humans Apart


They left out some letters, of course... CAPTTTTCAHA was a little much I guess :D

If they used all the letters though they could have Captain Caveman as their icon!

robertsaunders
11-29-2006, 03:49 PM
Thanks for your replies. I found an idiot's guide to CAPTCHA at:

http://www.captcha.biz/captcha-explained.html

I've uploaded the test file to www.vweekender.co.uk/testcaptcha/start.html

but it's not working. Is this a problem with the code or the server?

Rob

Twey
11-29-2006, 04:50 PM
The code.

If you search, you'll find a thread I've posted on how to make a "good" CAPTCHA. However, I think I may have been a little misleading in this thread. Simply put, there is no such thing as a good CAPTCHA. CAPTCHA-breaking programs have advanced to a level at which the only totally reliable way to fool a bot is to make a CAPTCHA that even humans can't read.

mwinter
11-30-2006, 01:14 PM
Recently I have been using the email riddler at DD instead of CGI mail forms because I found the latter resulted in too much spam.

Was the spam actually generated using the form, or was it just sent to the same mailbox?



Today I read my first PHP tutorial and discovered PHP mail.

Using PHP is no different from using CGI. CGI is just a means for a Web server to communicate with a process for the purposes of receiving and responding to requests. In fact, PHP comes with an executable that uses the CGI model.

Mike

robertsaunders
12-01-2006, 12:06 AM
Was the spam actually generated using the form, or was it just sent to the same mailbox?


It was sent to the same mail box.

mwinter
12-02-2006, 06:39 PM
Was the spam actually generated using the form, or was it just sent to the same mailbox?

It was sent to the same mail box.

Then you're probably too late to do anything about it, anyway. If you're on a list of addresses used by spammers, hiding your presence on the Web won't stop unwanted mail.

Mike

thetestingsite
12-02-2006, 06:44 PM
The best way to stop the unwanted mail is by changing your email address at this point.

robertsaunders
12-03-2006, 12:30 AM
It's not for me - it's for a new site (and new email address) that I'm designing for a friend. I'm not sure whether to use a php mail form, use the email riddler to create a mailto link or just include the email address as an image.

Rob

Twey
12-03-2006, 01:59 AM
Use the mail form. Although bots can still use it to spam you, they won't get hold of your email address, so should you remove the form the spam ought to stop.