
Thread: How safe is PHP mail from spam?

  1. #1
    Recently I have been using the email riddler at DD instead of CGI mail forms because I found the latter resulted in too much spam.

    Today I read my first PHP tutorial and discovered PHP mail. What I am wondering is whether it is worth using it, or whether I am better off using the email riddler. What do you think?

    The basic script that I am thinking about using will be something like below. Please let me know if there is anything you think I need to add or subtract to protect against SPAM. (You will notice that I haven't included my real email address below - I am completely paranoid about SPAM!)
    Code:
    <html>
    <body><?php
    function spamcheck($field)
      {
      //preg_match() with the i modifier performs a case-insensitive regular expression match
      if(preg_match("/to:/i",$field) || preg_match("/cc:/i",$field))
        {
        return TRUE;
        }
      else
        {
        return FALSE;
        }
      }

    //if "email" is filled out, send email
    if (isset($_REQUEST['email']))
      {
      //check if the email address is invalid
      $mailcheck = spamcheck($_REQUEST['email']);
      if ($mailcheck==TRUE)
        {
        echo "Invalid input";
        }
      else
        {
        //send email
        $name = $_REQUEST['name'] ;
        $email = $_REQUEST['email'] ;
        $subject = $_REQUEST['subject'] ;
        $dates = $_REQUEST['dates'] ;
        $message = $_REQUEST['message'] ;
        mail("name@myemail.com", "$subject",
        "$message\nDates we would like to book: $dates\n", "From: $name <$email>" );
        echo "Thank you for using our mail form $name";
        }
      }
    else
    //if "email" is not filled out, display the form
      {
      echo "<form method='post' action='mailform2.php'>
      Name: <input name='name' type='text' /><br />
      Email: <input name='email' type='text' /><br />
      Dates: <input name='dates' type='text' /><br />
      Subject: <input name='subject' type='text' /><br />
      Message:<br />
      <textarea name='message' rows='15' cols='40'>
      </textarea><br />
      <input type='submit' />
      </form>";
      }
    ?></body>
    </html>
    Looking forward to reading your thoughts.

    Rob
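
The form in post #1 checks only the email field, and only for the strings "to:" and "cc:", while name and subject are also placed in the mail headers. The following is an added example, not the poster's code, that rejects line breaks in every header-bound field before the message is built; the function names and sample submissions are hypothetical.

```php
<?php
// Added example, not the poster's code; all function names are hypothetical.

// A value bound for a mail header must not contain CR, LF or NUL:
// a line break is what lets a submitted value start a header of its own.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Check every field that reaches the headers (name, email, subject),
// not only "email". Returns error strings; an empty array means usable input.
function validate_mail_form(array $in): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $in[$field] ?? '';
        if (!is_string($value) || $value === '' || !is_header_safe($value)) {
            $errors[] = "Invalid $field";
        }
    }
    // Run the address syntax check only once the raw checks have passed.
    if (!$errors && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email';
    }
    return $errors;
}

// Build the From header; drop characters that would break the quoted display name.
function build_from_header(string $name, string $email): string
{
    return sprintf('From: "%s" <%s>', str_replace(['"', '\\', '<', '>'], '', $name), $email);
}

// Constructed sample submissions (not taken from the thread).
$samples = [
    'ordinary booking'      => ['name' => 'Rob', 'email' => 'rob@example.com', 'subject' => 'Booking'],
    'extra header in email' => ['name' => 'Rob', 'email' => "rob@example.com\r\nCc: list@example.net", 'subject' => 'Booking'],
    'line break in subject' => ['name' => 'Rob', 'email' => 'rob@example.com', 'subject' => "Booking\nmore"],
    'not an address'        => ['name' => 'Rob', 'email' => 'rob at example', 'subject' => 'Booking'],
];
foreach ($samples as $label => $in) {
    $errors = validate_mail_form($in);
    echo $label, ': ', $errors ? implode(', ', $errors)
        : build_from_header($in['name'], $in['email']), PHP_EOL;
}
```

In a form handler, validate_mail_form($_POST) would run before mail(), and any submitted text echoed back to the page would go through htmlspecialchars() first.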

  2. #2
    If you have a DB with the IP addresses and the # of times a day the person mails you, you'll be able to identify problem users. You could also use a randomized php Pic for verification.
    - Ryan "Boxxertrumps" Trumpa
    Come back once it validates: HTML, CSS, JS.
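
A sketch of the per-IP daily count suggested in post #2, as an added example that is not part of the original post. The table, column and function names are hypothetical, the traffic is constructed, and it assumes the pdo_sqlite extension so that it runs without a database server.

```php
<?php
// Added example; table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mail_log (
    ip   TEXT    NOT NULL,
    day  TEXT    NOT NULL,
    hits INTEGER NOT NULL,
    PRIMARY KEY (ip, day))');

// Count one submission and report whether the sender is still within the limit.
// In the form handler, $ip would be $_SERVER['REMOTE_ADDR'].
function allow_submission(PDO $db, string $ip, int $limit, ?string $day = null): bool
{
    $day = $day ?? gmdate('Y-m-d');
    $db->prepare('INSERT OR IGNORE INTO mail_log (ip, day, hits) VALUES (?, ?, 0)')
       ->execute([$ip, $day]);
    $db->prepare('UPDATE mail_log SET hits = hits + 1 WHERE ip = ? AND day = ?')
       ->execute([$ip, $day]);
    $stmt = $db->prepare('SELECT hits FROM mail_log WHERE ip = ? AND day = ?');
    $stmt->execute([$ip, $day]);
    return (int)$stmt->fetchColumn() <= $limit;
}

// Addresses that went over the limit on a given day, busiest first.
function problem_senders(PDO $db, int $limit, string $day): array
{
    $stmt = $db->prepare('SELECT ip, hits FROM mail_log
                          WHERE day = ? AND hits > ? ORDER BY hits DESC');
    $stmt->execute([$day, $limit]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed traffic using documentation-range addresses and a fixed day.
$day = '2007-01-15';
$traffic = ['192.0.2.10', '192.0.2.10', '198.51.100.7', '192.0.2.10', '192.0.2.10'];
foreach ($traffic as $ip) {
    printf("%s %s\n", $ip, allow_submission($db, $ip, 3, $day) ? 'accepted' : 'refused');
}
print_r(problem_senders($db, 3, $day));
```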

  3. #3
    Or a login of some sort.

    An open access form could be abused quite easily.

    The above tips can help, though.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  4. #4
    Thanks for your reply.

    Quote: Originally Posted by boxxertrumps
    "You could also use a randomized php Pic for verification"
    Sounds interesting. Do you know where I might find an idiot's guide that shows me how to do this? (Bearing in mind that I only read my first php tutorial today!)

    I did a quick google search but could follow the instructions that I found.

    Rob

  5. #5
    It's called "CAPTCHA"... acronym for something. There are quite a few recent threads about it... take a look around the php section (and "other" and perhaps "html"... not sure where they all were).
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  6. #6
    CAPTCHA = Completely Automated Public Turing Test to Tell Computers and Humans Apart


    They left out some letters, of course... CAPTTTTCAHA was a little much I guess

    If they used all the letters though they could have Captain Caveman as their icon!
    {CWoT - Riddle } {Freelance Copywriter} {Learn to Write}
    Follow Me on Twitter: @InkingHubris
    PHP Code:
    $result = mysql_query("SELECT finger FROM hand WHERE id=3");
    echo $result;

  7. #7
    Thanks for your replies. I found an idiot's guide to CAPTCHA at:

    http://www.captcha.biz/captcha-explained.html

    I've uploaded the test file to www.vweekender.co.uk/testcaptcha/start.html

    but it's not working. Is this a problem with the code or the server?

    Rob

  8. #8
    The code.

    If you search, you'll find a thread I've posted on how to make a "good" CAPTCHA. However, I think I may have been a little misleading in this thread. Simply put, there is no such thing as a good CAPTCHA. CAPTCHA-breaking programs have advanced to a level at which the only totally reliable way to fool a bot is to make a CAPTCHA that even humans can't read.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  9. #9
    Quote: Originally Posted by robertsaunders
    "Recently I have been using the email riddler at DD instead of CGI mail forms because I found the latter resulted in too much spam."
    Was the spam actually generated using the form, or was it just sent to the same mailbox?

    Quote:
    "Today I read my first PHP tutorial and discovered PHP mail."
    Using PHP is no different from using CGI. CGI is just a means for a Web server to communicate with a process for the purposes of receiving and responding to requests. In fact, PHP comes with an executable that uses the CGI model.

    Mike

  10. #10
    Quote: Originally Posted by mwinter
    "Was the spam actually generated using the form, or was it just sent to the same mailbox?"
    It was sent to the same mail box.
