Securing your Forms Against Spam

The advanced version of my form2mail script incorporates a number of features to help you to prevent people using the script to send spam.

The first of these features involves checking the document_referer field. The script validates that the value in this field is either one of the values you identified when you configured the script or is blank. Where the field is non-blank the script can determine from it whether the form being filled out is on your site or not. If the form is not actually on your site then the submission is ignored. This prevents spammers from copying your form and changing it so that they can use the script to send spam emails to whoever they like.

The document_referer field is under your visitor's control to some extent, though, since they can turn it off in their browser or firewall to protect their privacy. Where that is done the field contains nothing and so you can't tell whether the form is one on your site or a copy that someone has made and modified. In that case the script limits the sending of emails to only those addresses on the sites where you are using the form. This at least prevents the script being used to send spam to third parties by someone with a modified copy of your form.
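The two referer rules just described, written out as an added PHP example (this is not the form2mail script's own code). The configuration arrays $allowedHosts and $localRecipientDomains, the function name check_referer() and the sample recipient address are assumptions made for the illustration; the referer itself is read from the standard $_SERVER['HTTP_REFERER'] entry, which is client-supplied and therefore untrusted input.

```php
<?php
// Added example, not the script's own code. Names below are assumptions.

// Hosts on which your copy of the form is allowed to live (lowercase).
$allowedHosts = ['www.example.com', 'example.com'];
// Recipient domains that may still receive mail when the referer is blank.
$localRecipientDomains = ['example.com'];

/**
 * Returns 'ok' if the submission may be mailed to $recipient, otherwise a reason.
 * A blank referer is tolerated, but then only on-site recipients are accepted.
 */
function check_referer(?string $referer, string $recipient, array $allowedHosts, array $localDomains): string
{
    if ($referer === null || $referer === '') {
        // Browser or firewall stripped the referer: we cannot tell where the form
        // lives, so refuse to mail anyone outside the domains the form is used on.
        $at = strrpos($recipient, '@');
        $domain = ($at === false) ? '' : strtolower(substr($recipient, $at + 1));
        return in_array($domain, $localDomains, true)
            ? 'ok'
            : 'blank referer: off-site recipient refused';
    }

    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === false || $host === null) {
        return 'unparseable referer';
    }
    // Exact, case-insensitive host match. No substring matching, so a referer of
    // http://example.com.attacker.invalid/ does not pass.
    return in_array(strtolower($host), $allowedHosts, true)
        ? 'ok'
        : 'form submitted from another site';
}

// Usage in the form handler. The recipient would come from the script's
// configured address list; the literal here is a constructed sample.
$referer   = $_SERVER['HTTP_REFERER'] ?? '';
$recipient = 'sales@example.com';
$verdict   = check_referer($referer, $recipient, $allowedHosts, $localRecipientDomains);
if ($verdict !== 'ok') {
    http_response_code(403);
    exit($verdict);
}
// ... continue to the anti-spam field check and then send the mail ...
```

Matching on the parsed host rather than on a substring of the whole URL matters: a lookalike host that merely contains your domain name must fail, and both sides of the comparison are lowercased because host names are case-insensitive.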

The next layer of security to prevent the script being used to send spam involves the $aspam field in the config file. By assigning a value to that field you make the script require a corresponding field to be part of each form that calls the script. Using that field affects every form you have that uses the script, so before assigning a value to it the first thing you should do is add a hidden field to each of your forms with name="aspam" and the same value you are going to set the field to in the config file.

This in itself will provide some security in that any copies of the form that were taken before you added the hidden field will no longer work.

So if we are going to set:

$aspam = 'abcd';

The first thing we need to do is to add the following hidden field to ALL the forms calling the script:

<input type="hidden" name="aspam" value="abcd">

To actually use the anti-spam field in our form we simply change the field from type="hidden" to type="text" and then provide the people using the form with information on what they need to type in the field. Depending on how you identify what to type in the field the automated spambots may or may not be able to figure out what to enter into that field and if they get it wrong then their spam email will not be sent. This will prevent the less sophisticated spambots from being able to submit their spam.

This still has two disadvantages. The first is that you need to have some sort of description in the page of what to type in the field which the more sophisticated spambots will be able to read. The second is that you are using the same value for every submission of every form on your site. This second disadvantage means that if a spammer physically visits one of your forms and sees what value to enter in the field they can then set up a spambot tailored to the form that can constantly submit the form knowing what value to enter into the field.

The third layer of security overcomes these problems by substituting a CAPTCHA image that changes every time the form is displayed in place of the description of what to type. A simple example of how to do this is included with the script. To use the supplied simple CAPTCHA you need to first save the supplied content of the img folder to an appropriate location relative to your form. All we need do then is include the image generated by testimg.php in that image folder in our web page using an <img> tag. The supplied captcha.txt file shows you both the img tag and the way you need the aspam input field defined to work with it.

Simply having the two supplied files in the img folder and those two fields defined in your form is all you need to do, as the testimg.php code is already set up to work with the script. With those two fields in your form your visitor must enter the characters displayed in the image into the associated field for the script to submit the form, since the value displayed in the image is passed to the script in a session variable as well as being displayed in the image. The session variable, if present, automatically overrides the value set in the config file.
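The mechanics described in the last three paragraphs, as an added PHP example that is not the script's supplied testimg.php or its form2mail code: the image side draws a freshly generated value and stores it in the session, and the handler side prefers that session value over $aspam from the config file. The function names, the session key 'aspam', the ?img query switch used to select the image branch, and the image dimensions are all assumptions for this illustration; the GD extension is required for the drawing calls.

```php
<?php
// Added example, not the script's own code. Names and the session key are assumptions.
session_start();

// --- Image side: what a testimg.php-style file does -------------------------

function captcha_value(int $length = 5): string
{
    // Characters that are hard to confuse with each other; random_int() is CSPRNG-backed,
    // so the next value cannot be predicted from earlier images.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $out;
}

function emit_captcha_png(string $value): void
{
    $img = imagecreatetruecolor(120, 40);
    $bg  = imagecolorallocate($img, 255, 255, 255);
    $fg  = imagecolorallocate($img, 0, 0, 0);
    imagefill($img, 0, 0, $bg);
    imagestring($img, 5, 10, 12, $value, $fg);
    header('Content-Type: image/png');
    // A cached image would no longer match the value stored in the session.
    header('Cache-Control: no-store');
    imagepng($img);
    imagedestroy($img);
}

// --- Handler side: what the mail script checks -----------------------------

function expected_aspam(string $configValue): string
{
    // The session value, when present, overrides the config file value.
    return $_SESSION['aspam'] ?? $configValue;
}

function verify_aspam(string $submitted, string $expected): bool
{
    // Constant-time comparison; uppercased so visitors need not match the image's case.
    return hash_equals(strtoupper($expected), strtoupper(trim($submitted)));
}

if (isset($_GET['img'])) {
    // Serving the image: a new value for every display, remembered for the check.
    $value = captcha_value();
    $_SESSION['aspam'] = $value;
    emit_captcha_png($value);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $aspam = 'abcd'; // the config value, as in the example above
    $ok = verify_aspam($_POST['aspam'] ?? '', expected_aspam($aspam));
    // Discard the value so one displayed image cannot be reused for many submissions.
    unset($_SESSION['aspam']);
    if (!$ok) {
        http_response_code(400);
        exit('anti-spam check failed');
    }
    // ... proceed to build and send the mail ...
}
```

In the form, the image tag points at the generating script and the text field keeps the same name as the hidden field it replaces, so a form without the image falls back to the config value while a form with it is checked against the session value. Clearing the session entry after each check is what makes a displayed value single-use; without it a visitor who read one image could keep submitting against the same stored value.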

Of course implementing each of these steps makes your form slightly less convenient for real people to use. These options are set up in such a way that you can progressively implement them into the forms on your site as you need them and provided that you implement them in the way I have described here starting with a hidden field in each form, you can have different levels of security implemented into different forms all using this same script.

So what do you do when my simple CAPTCHA image is no longer enough? Well that is the stage where more complex code is needed in the testimg.php file in order to make the value displayed in the image harder for the spambots to read. I haven't yet reached that point for any of the forms I am using with the script myself and so I haven't needed to write that more complex CAPTCHA script yet but if someone using my script does need to make the image harder to read then please ask and I will look at implementing a more advanced solution.


This article written by Stephen Chapman, Felgall Pty Ltd.
