PHP / MySQL Scripts > Preventing PHP Form Email Spam

Preventing PHP Form Email Spam

by Steve Dawson (written in PHP) download PHP Contact Form


Have you been the victim of a contact form spam attack from your PHP contact form on your website? Many people have and it is quite easy to prevent contact form spam and mail form injection header attacks. Or just use the PHP contact form script which will prevent any malicious email contact form spam or email injection attacks.

The purpose of this script is to allow a visitor to your website to fill in a form on your website and you will receive the information they have typed in, in an email. The person who filled in the form will be sent a courtesy email informing them you have received their enquiry and will deal with it as soon as you can. With just one line of PHP include code; you can place the contact form on any page on your website as along as the page ends with the .php page extension.

Before we get to the script, many people do not actually know why or how the 'spammers' are using the contact forms to send out mass emails to all and sundry. I will explain a little bit about what they are doing and how to prevent it on your own contact forms, if you do not want to use the example form I have written.

With the current trend of having your PHP contact form used as a mass mailer by spammers, there is now a need to prevent this from happening to your contact form on your website. If you have never suffered from this kind of hacking attempt, then you are quiet lucky. But how do you know that you have been a victim of an email form mail injection attack?

The most likely way you can tell if you have succumbed is that you are receiving quiet a few mail returned emails due to the email address not being recognised.

What the 'spammers' are doing and the way they are 'hijacking' your contact form is that they are utilising a vulnerability in the PHP mail() function which allows them to add and inject extra mail headers in your email text fields. As an example; if you take a standard PHP contact form which looks like thus:-

Preventing PHP Form Email Spam - Example PHP Contact Form layout

Without adding a PHP routine which will check all the 3 input boxes on your PHP contact form for http, CR and LF characters then your PHP contact form is open for abuse. A quick simple fix for any PHP contact form is to check the input boxes for the CR ('\r') and CF ('\n') and http text characters and either strip them out or prevent the form from being sent in the first place.

A better way would be to use a PHP routine which will strip out any of the characters you would not normally associate with being in an email and so going that one step further to protecting your contact from an email injection attack.

So to protect your own contact form you can follow the steps below, or just download the pre-built PHP form I have already written (its Free!) , but you will need to know what you are doing and a bit about PHP to get it right. Always check the form after you have made any modifications as you do not want to be blocking every email!

Protecting your own PHP Contact Form from spam emails.

Add the following lines of code to your existing PHP contact form before the mail() function. You will need to make sure that you change the variable name to that of your contact form. What we are trying to achieve is to check each of the form input boxes for the text 'http' as this is the basis of very website address and what the spammers are trying to get across to you,

Preventing PHP Form Email Spam - Example PHP Contact Form layout
Preventing PHP Form Email Spam - Example PHP Contact Form layout

By just adding the above to your existing PHP contact form, it will cause the PHP script to top and prevent the sending of any email which it finds the code. This can prevent a huge amount of hassle if your PHP contact form gets targeted.

Why PHP Contact Form Spam

A quick point to remember is that there are two types of people who target your forms. The first in being a specially written search robot which just scans the web looking for PHP contact forms with vulnerabilities, which they can use to send out the mass emails.

The second is the single form spammer who are paid (believe it or not!) to search the web for contact forms to copy and paste a preset emails which will make use of your forms mail() function and send out mass emails. These emails look like they have come form your contact form, which is not very nice, especially when you get contacted many of the recipients asking why you have sent them emails!

The PHP Spam Free Contact Form

If you do want to modify your existing contact for as it seems s like too much hassle, then you can download and use the one which I have pre-written and have made available. It has a function in the script where you can turn on or off the spam check feature, for testing purposes. The installation of the script is very easy and you just need to download the contactme.zip file and then edit the file in a text editor and enter your own email address, which will receive the emails when the contact form is filled in and also the email subject like so:

Preventing PHP Form Email Spam - Example PHP Contact Form layout

Then you just need to use the following standard PHP include code to place the contact form into your existing website:

Preventing PHP Form Email Spam - Example PHP Contact Form layout

and that should be just about it and don't forget to try out the contact form and ensure that emails are being sent to your designated email address.

After reading through this article and downloading the script, you should be able to add a PHP contact form to your website. Any problems with this script or any other, please feel free to use the forums for assistance.