
I have searched SO and have found a couple of good ideas, but nothing that has 100% solved this PHP mail problem I am having.

NOTE: When I delete this file from the server, the spam stops. Also, Captcha is not really an option: this is an Ajax call and it needs to be fast. I'm not 100% sure how the spammers are doing it, but any help would be appreciated big time.

Here is the bit of HTML added to the form:

<input name="spam_stopper" value="DO NOT CHANGE THIS VALUE" style="display:none;"/>

Here is the additional code I added at the top of the mail.php file that hasn't stopped the spam:

// Hidden "honeypot" field: reject the request if the field is missing or was changed
if (!isset($_POST['spam_stopper']) || $_POST['spam_stopper'] != 'DO NOT CHANGE THIS VALUE') {
    echo '<h3>Incorrect use of this form!</h3>';
    exit;
}

// Referer check: reject if the header is absent or does not mention the site.
// strpos() returns false when the needle is not found, so compare with === false
// instead of negating the result (a match at offset 0 would otherwise be rejected).
if (!isset($_SERVER['HTTP_REFERER'])
    || strpos($_SERVER['HTTP_REFERER'], 'my-sample-domain-name.com') === false) {
    echo '<h3>Incorrect use of this form!</h3>';
    exit;
}

// Only accept POST submissions
if ($_SERVER['REQUEST_METHOD'] != "POST") {
    echo("Unauthorized attempt to access page.");
    exit;
}
Mitch Moccia
  • 100% no, but a good Captcha is close. I don't see why you can't use one. – Jan 12 '12 at 01:56
  • Could you also elaborate why the Text Captchas answer http://stackoverflow.com/a/3825272/76989 is not a solution to your problem? – mmhan Jan 12 '12 at 02:00
  • I'd rather not have to depend on some third-party service. Have you ever used uniqid(); to create a one-time token? – Mitch Moccia Jan 13 '12 at 02:11

1 Answer

You are allowing access via POST submission of your own form. So, if I keep submitting it using JavaScript on your own website, say, using Firebug, then what's to stop me?

You should have a once-only-valid token accompanying each send-mail request to ensure that your forms cannot be submitted more than once, even from your own website.

Milad Naseri
  • Thanks for your response. Do you have any code samples by any chance? – Mitch Moccia Jan 12 '12 at 02:22
  • Unfortunately, not at the moment. You can generate a random key using, say, `uniqid();` and store that both in the session as the expected token, and in the form as the token to be sent. Once the form is submitted once, you invalidate that token (and maybe replace it with another), so if the spammer resubmits the form you will not accept it. – Milad Naseri Jan 12 '12 at 02:27
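Here is the session-bound one-time token the answer and its comment describe, as an added example that is not part of the question or the answer. It uses PHP's random_bytes() rather than uniqid() (uniqid() values are clock-derived and guessable); the session key, the hidden field name form_token and the 15-minute lifetime are assumptions.

```php
<?php
// Added example, not code from the question or the answer: a one-time form
// token kept in the session, accepted exactly once, then discarded.
// random_bytes() is used instead of the uniqid() suggested in the comments,
// because uniqid() is derived from the clock and is guessable.
session_start();

const TOKEN_KEY = 'mail_form_token'; // session slot name (assumption)
const TOKEN_TTL = 900;               // seconds a token stays valid (assumption)

// Call when rendering the form: mint a fresh token and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION[TOKEN_KEY] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Call at the top of mail.php: true only for the first, timely use of the token.
function consume_form_token(?string $submitted): bool
{
    $stored = $_SESSION[TOKEN_KEY] ?? null;
    // Invalidate before checking, so a replayed request fails even if the check below does.
    unset($_SESSION[TOKEN_KEY]);

    if ($stored === null || $submitted === null) {
        return false;                // no token issued, or none submitted
    }
    if (time() - $stored['issued'] > TOKEN_TTL) {
        return false;                // token expired
    }
    // Constant-time comparison so the check cannot be timed byte by byte.
    return hash_equals($stored['value'], $submitted);
}

// In the page that renders the form (field name "form_token" is an assumption):
//   $token = issue_form_token();
//   echo '<input type="hidden" name="form_token" value="'
//      . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

// At the top of mail.php, ahead of the honeypot and referer checks from the question:
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !consume_form_token($_POST['form_token'] ?? null)) {
    http_response_code(403);
    echo '<h3>Incorrect use of this form!</h3>';
    exit;
}
// Token accepted: build and send the mail here.
```

Because the token is consumed on every send, the Ajax caller must obtain a fresh one (re-render the hidden field or expose issue_form_token() through a small endpoint) before the next submission; a repeated POST with the old token is rejected.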