
You can find a lot of ways to prevent spam from your site these days but I've really tested this method and it has been 100% effective (so far). It will stop automatic bots but a human will be able to work out how to get around it pretty easily (but when do humans have time to do that?).

To begin with: this script is written in PHP but you can easily translate it.

 
   <?php
   // On the page that shows the form: mark this visitor's session.
   session_start();
   $_SESSION["spam_prevention"] = '1';
 

First off, on the page with the form that emails you, declare a unique session variable with any value you want. Why? So that when the user submits this form to the script that sends the email, you know the user definitely came from the page with the form, and it's not a bot attacking your email script. So in your email script, before sending anything, test to see if $_SESSION["spam_prevention"] exists.

 
<input type="text" name="spam_prevention"
    style="display:none; visibility:hidden;" />
 

Another method is to put a text field on your form and hide it with CSS. 99.9% of the spam bots out there will disregard any CSS styles, and at the same time the spam bots will fill out every field within your form. So if this field is filled out, it's a good guess that it wasn't a human that filled it out.

This isn't bulletproof, but it works quite well and it doesn't require the user to fill out any spam prevention captcha fields etc.
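Both checks combined in the receiving script, as an added example (not code from the original post). It goes one step beyond the text by clearing the session flag after each submission, so one load of the form allows one email. The file name send_mail.php, the 'message' field and the recipient address are assumptions.

```php
<?php
// send_mail.php: hypothetical name for the script the form posts to.
session_start();

/**
 * Decide whether a submission should be accepted.
 * $session is the $_SESSION array, $post is the $_POST array.
 * Returns '' when accepted, otherwise the reason for rejecting.
 */
function spam_check(array $session, array $post): string
{
    // 1. The form page sets this flag. A bot that posts straight to
    //    this script never loaded that page, so the flag is missing.
    if (!isset($session['spam_prevention'])) {
        return 'no session flag: form page was never loaded';
    }
    // 2. Honeypot: the field is hidden by CSS, so a human leaves it
    //    empty. Any other value (including an array) is rejected.
    if (($post['spam_prevention'] ?? '') !== '') {
        return 'honeypot field was filled in';
    }
    return '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = spam_check($_SESSION, $_POST);

    // Consume the flag so the same session cannot be replayed
    // against this script without loading the form again.
    unset($_SESSION['spam_prevention']);

    if ($reason !== '') {
        error_log('Contact form rejected: ' . $reason);
        http_response_code(400);
        exit('Your message could not be sent.');
    }

    // Assumed field name and recipient address.
    $message = isset($_POST['message']) ? (string) $_POST['message'] : '';
    mail('you@example.com', 'Contact form', $message);
    echo 'Thanks, your message has been sent.';
}
```

The logged rejection reason shows which of the two checks is catching bots, which helps when deciding whether either one is still doing useful work.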

Let me know how you go with this script if you try it.

This is one of the most common mistakes developers (of any language) make so I thought I should let you know why you shouldn't use this method.

The Scenario:
You have a page on your site and you don't want people to simply link to this page unless they have clicked on a link from your own site. Let's say your page is called 'page2.php' and it's located at 'www.your-site.com/page2.php'.

When the user enters the 'page2.php' page you can easily determine which page they came from. In PHP you can read the $_SERVER['HTTP_REFERER'] variable to determine the referring page, and you would then check that its value contains www.your-site.com.

Whatever your reason for checking the referring address to your page, checking the referral address against your own domain name isn't bulletproof.

Why? The referral address is set by the user's agent (their Internet browser). Some browsers have the option for you to edit this value and some browsers don't even set it at all.

There are many solutions to this scenario, but I would recommend using sessions: set a session variable on 'page1.php', the page which contains the link to 'page2.php'. When the user enters the 'page2.php' page, you can then check to see if that variable has been set. If it hasn't, then the user must have come from a different location.

It's a little bit more of a setup, but it's secure.