
I have a contact form on two different websites I have made for clients. At around 8-9pm every day a blank message is sent through the contact form straight to my clients' respective email addresses.

PHP:

<?php
// Read the raw POST fields. Nothing here is validated yet.
$name    = $_POST['full-name'];
$phone   = $_POST['phone'];
$email   = $_POST['email'];
$message = $_POST['message'];
$to      = 'mobileguitarworkshop@hotmail.com';

// Honeypot: the extra 'field' input should stay empty for real users.
if (!empty($_POST['field'])) die();

// A subject must be a single line, so no trailing "\n" here.
$email_subject = "Enquiry from $name";

$body = "From: $name.\n" .
        "Email: $email.\n" .
        "Phone: $phone.\n" .
        "Message: $message.\n";

// $email goes into the mail headers exactly as submitted, unvalidated.
$headers  = "From: $email\r\n";
$headers .= "Reply-To: $email\r\n";

mail($to, $email_subject, $body, $headers);
header("Location: http://mobileguitarworkshop.co.uk/success.html");
exit();
?>

HTML:

<form action="contact.php" method="post" class="contact-form">

    <label for="full-name">Name</label>
    <input name="full-name" type="text" id="full-name" required>

    <input type="text" id="field" name="field"/>

    <label for="phone">Phone</label>
    <input name="phone" type="tel" id="phone">

    <label for="email">Email address</label>
    <input name="email" type="text" id="email" required>

    <label for="message">Message</label>
    <textarea name="message" id="message"></textarea>

    <input name="send" type="submit" value="SEND" id="sendBtn">
</form>

I've tried adding 'required' to the Name and Email Address inputs to stop spammers, and also a hidden field that, if filled, directs them to 'success.html' without posting the message. If anyone can explain why this is happening that would be great. The hosting service I'm using is 1&1 IONOS. Thanks, Jack

– Jack Scott (question edited by Funk Forty Niner)
1 Answer


The spammers may be sending a request directly to the contact form endpoint, bypassing your form entirely. This means that required fields in the HTML won't do much to stop that. You'll need to check those properties on the backend to prevent those submissions. Something like this would work:

if(empty($_POST['full-name']) || empty($_POST['email'])) {
 die();
}

If I were you, I'd also look into implementing a CSRF token. See How to properly add CSRF token using PHP

While we're talking, we really should sanitize $_POST['message'] with something like the below to remove any questionable HTML content your users may have submitted:

$message = strip_tags($_POST['message']);
– Wesley Smith
  • Thanks for your reply. I've added these to my code and implemented a CSRF token. Another issue is all the emails coming from the form go directly into the client's Hotmail Junk folder. Any ideas? – Jack Scott Mar 05 '20 at 14:04
  • @JackScott Indeed, that's a pretty common issue with libraries that send email with a "from" address whose domain doesn't actually match the domain the code is on, i.e. email supposedly from `mobileguitarworkshop@hotmail.com` but sent by your server at `someotherdomain.com` will be perceived as "junk" by most email clients. See https://stackoverflow.com/questions/9988325/everytime-my-mail-goes-to-spam-in-phpmailer You could configure your scripts to send email using an SMTP server connection etc. which would relay the email through that actual domain and avoid that problem – Wesley Smith Mar 05 '20 at 14:13
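
Putting the answer's three points together (server-side required-field checks, a CSRF token, and sanitising the message) plus the comment's advice about the From address, here is an added example of a hardened handler. It is not the asker's or answerer's code. It assumes a session-based token that the form page embeds as a hidden `csrf` input (the snippet for that is in a comment), and the addresses `placeholder@example.com` and `contact@example.com` are placeholders for the client's inbox and for an address on the form's own domain. It also strips CR/LF from anything that reaches a mail header, which the original code did not do, so a submitted email value can no longer start a new header line.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: the form page calls csrf_token() and emits
//   <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">
// and the two addresses below are placeholders for the real ones.
declare(strict_types=1);

session_start();

// One token per session; the form page embeds it, this script checks it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Remove CR/LF so a submitted value can never inject an extra mail header.
function header_safe(string $value): string
{
    return trim(str_replace(["\r", "\n"], ' ', $value));
}

// Returns [ok, reason, cleaned fields]. Order: cheapest rejections first.
function validate_submission(array $post, string $session_token): array
{
    // Honeypot: real users leave 'field' empty; bots that fill every input do not.
    if (!empty($post['field'])) {
        return [false, 'honeypot', []];
    }
    // CSRF token must be present and match the session copy (constant-time compare).
    if (empty($post['csrf']) || !hash_equals($session_token, (string) $post['csrf'])) {
        return [false, 'csrf', []];
    }
    // Server-side 'required': HTML attributes mean nothing to a direct POST.
    $name    = header_safe((string) ($post['full-name'] ?? ''));
    $email   = header_safe((string) ($post['email'] ?? ''));
    $phone   = header_safe((string) ($post['phone'] ?? ''));
    $message = trim(strip_tags((string) ($post['message'] ?? '')));
    if ($name === '' || $email === '' || $message === '') {
        return [false, 'missing', []];
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'email', []];
    }
    if (strlen($name) > 100 || strlen($message) > 5000) {
        return [false, 'length', []];
    }
    return [true, '', ['name' => $name, 'email' => $email, 'phone' => $phone, 'message' => $message]];
}

// From is an address on the sending server's own domain so SPF/DKIM can align;
// the visitor's address goes in Reply-To only.
function build_mail(array $clean, string $to, string $site_from): array
{
    $subject = 'Enquiry from ' . $clean['name'];   // one line, no "\n"
    $body = "From: {$clean['name']}\n"
          . "Email: {$clean['email']}\n"
          . "Phone: {$clean['phone']}\n"
          . "Message:\n{$clean['message']}\n";
    $headers = "From: {$site_from}\r\n"
             . "Reply-To: {$clean['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return [$to, $subject, $body, $headers];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$ok, $why, $clean] = validate_submission($_POST, $_SESSION['csrf'] ?? '');
    if (!$ok) {
        // Keep the reason for your own spam statistics; the sender learns nothing.
        error_log("contact form rejected: {$why}");
        header('Location: /success.html');   // bots see the same redirect as humans
        exit();
    }
    [$to, $subject, $body, $headers] = build_mail(
        $clean,
        'placeholder@example.com',   // assumption: the client's inbox
        'contact@example.com'        // assumption: an address on the form's own domain
    );
    mail($to, $subject, $body, $headers);
    header('Location: /success.html');
    exit();
}
```

Rejected submissions are redirected to the same success page as real ones, so a bot cannot tell which of its requests were dropped; the `error_log` line is what lets you confirm the nightly blank posts are now being caught and why. Setting From to your own domain only helps deliverability if that domain's SPF record (and DKIM, if the host signs) actually covers the server calling `mail()`, which is something to check in the IONOS DNS settings rather than in the code.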