HomeCategoriesGeeky stuff

Cut down on webform spam

March 25, 2006 - 13:57 — Poorhouse

Spam...the curse of the modern webmaster - and everyone else. Long gone are the days when replacing any email addresses on your website with lovely looking contact forms would prevent spam. Now the Evil Empire of email abusers have invented ways of clicking the "send" button a million times, and worse.

So how to reduce the onslaught? It's not hard to write code that says "don't send a message", but the problem is differentiating between messages that should be sent and those that shouldn't.

If the spam isn't out of hand, one idea is to try and analyse the patterns of the spam you are getting via your webforms. To do this, there are several "server variables" you can play with. These include things like what web browser your potentially nefarious site visitor is using, what their IP address is and what webpage sent them to the current page. Sadly for this application, most of this info can be faked or not given out by especially evil and/or privacy concerned people, but it may help stem the flow nonetheless.

In recent versions of the PHP scripting language you can access the three examples above via the following variables, each of which return a string.

$_SERVER["HTTP_USER_AGENT"]
$_SERVER["REMOTE_ADDR"];
$_SERVER["HTTP_REFERER"]

Many more examples of server variables accessible via PHP can be found on the PHP website.

You could therefore store this sort of information (in a database, or get it emailed to you perhaps). If you spot a differentiating factor in these variables that lets you know that the sender of a message is likely a spammer then just change the code of your send-message page to ignore / delete / abuse them.

For example, a ridiculously simple bit of code:

if ($_SERVER["HTTP_USER_AGENT"] == "Whizzy spam sender program version 1")
{
print "I don't want to send your message";
}
else
{
print "You seem friendly";
mail("youraddress@wherever.com","Message","This is a message from your website");
}

PHP site coders, especially those using bloggeresque software like Wordpress, might be interested to see a set of scripts called Bad behaviour. These allow you to deny various spambots even visiting your site, let alone sending messages. Some of it works on the above principle but as they say "It goes far beyond User-Agent and Referer" and has plenty of spammer profiles built in to save you having to analyse the patterns yourself.