Help with anti-spam routine

[Jim Weinberg]

I maintain a website for a state-wide collectors club. Recently, I've been having a running battle with spammers sending garbage membership forms to our website. I noticed that they had one thing in common: the value of the total dues was always zero.

I thought I had the problem solved by creating a server-side script (PHP) to pre-process the incoming forms before sending them on to the membership chairperson. And, it seemed to be working ... sort of.

The problem now is that when a form is processed that has a total value of zero, it's sent to a separate mailbox -- as it's supposed to -- and it appears that a blank email (no subject, no body) is also sent to the membership mailbox.

I'm wondering if the PHP routine could be sending the blank email.

Could someone please look over the code and see if that's what could be happening?

Here's the code I'm using:

<?php

$send_to = "membership@ohiobuttons.org";
$total = $_POST[Total];
if((is_int($total) and $total==0) or strlen($total) == 1) $send_to = "postmaster@ohiobuttons.org";
$subject = "$_POST[subject]";
$headers = "From: $_POST[email]";
$message = "\n\n";
foreach($_POST as $field => $value)
{
if($field != "subject" and $field != "email" and $field != "Submit" and $value != " " and $value != "")
$message .= "$field: $value\n\n" ;
}
$message = str_replace("_"," ",$message);
$message = stripslashes($message);
mail($send_to,$subject,$message,$headers);

echo "<script>window.close(true)</script>";

?>

Thanks in advance for your help.
Jim

[olveyphotodesign]

Jim,

Two things you need to do is first don't rely solely on JavaScript to validate form data. I'm not a hacker, but it took me less than a minute to duplicate your membership form and stripping it of it's scripts. This allowed me to corrupt the data. I took out the maxlength attribute from the email field. This opens the door to spam.

This also opens the door to experiementing with your processing script. Even with your JavaScipt turned on I was able to enter a space " " as the data submit. Since my form page was not generated by JavaScript, JavaScript as to ask to close my window. No let's me try again without having to reload the page.

The real issue though is that you are trusting and processing unfiltered user data in your script. I would immediately stop using the $headers variable in the mail function. I believe it is so you send a copy of the application to the users email address. This is want is used to turn your site into a spam relay.

You need to process all of the $_Post data to ensure it is valid.

Code:

// removes whitespace from beginning and end of data, also empties data field if someone enters only a space
$bademail = trim($_POST['email']);
// check email format using php build in function
// ! mark means false, so if invalid email set flag to true
if (!filter_var($bademail, FILTER_VALIDATE_EMAIL) {$emailFlag = true;}

[Jim Weinberg]

olveyphotodesign.

I know what you're saying about javascript. That's why I wrote up the PHP routine to start with. I added the code you suggested. If you don't mind, try sending the "spam forms again and I'll see if it traps them correctly.

Thanks again,
Jim

[olveyphotodesign]

Jim,

I did as request and resubmitted the request.

I have to ask, because I could never get PT2 to post, did you add an IF statement to check for the email flag being set to True? then you could stop the form from being submitted and redirected to the appropriate address.

The second thing is you need to ensure you have the Filter_var function installed on your php server.

I hope it helped,
Ben

[Jim Weinberg]

Ben.

Trapped every one! Thanks for all your help.

Jim