Tuesday, March 17, 2009

Combating Spam (part 5 of 6)

SERVER-SIDE VALIDATION

In most cases client-side validation alone is not enough. Spambot programmers always seem to find a way to shove their useless crap into your mailbox. Luckily, there are some clever ways around this.

At this point, I don’t think it’s necessary for your server to validate every field all over again; you have already done this on the client side. At this stage, anything violating the validation is spam anyway, so if a submission is flagged, simply abort the mail.

The last thing you want to do is allow spam to cause a strain on your server because of constant validation checks from never-ending junk mail.


Hidden Fields

Spambots typically search FORM pages for available fields to fill out (this is easily done by reading the HTML “name” attribute of each input). Knowing this, you can create a hidden form field that is not visible to the user, and then do a simple check to see if anything has been entered in it. If so, a spambot must have filled it out, so abort the email.

Note: The field must be hidden via CSS and not HTML, because smarter spambots can easily check whether an input’s HTML type is set to “hidden” and then decide to skip the field.
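The honeypot check described above, as an added example (this is not code from the original post). It assumes the form posts to the same script, that the real fields are “name”, “email” and “message”, and that the bait field is called “website”; it is moved off-screen with CSS rather than given type="hidden", so a bot harvesting name= attributes still sees it:

```php
<?php
// Added example, not from the original post. Assumed field names: name, email,
// message (real) and website (honeypot).

// Page side: the bait field is hidden with CSS, not with type="hidden", so a
// person never sees it but a bot reading name= attributes still finds it.
function render_form(): string
{
    return <<<HTML
<form method="post" action="contact.php">
  <label>Name <input type="text" name="name"></label>
  <label>Email <input type="text" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div style="position:absolute; left:-9999px;" aria-hidden="true">
    <label>Website <input type="text" name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;
}

// Server side: any non-empty value in the honeypot means a person did not fill
// in the form, so the mail is aborted before any other processing happens.
function honeypot_tripped(array $post, string $field = 'website'): bool
{
    return isset($post[$field]) && trim((string)$post[$field]) !== '';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypot_tripped($_POST)) {
        // Keep a minimal log line for monitoring, answer generically, and stop.
        error_log('contact form: honeypot filled from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        exit('Sorry, your message could not be sent.');
    }
    // ... remaining checks and the mail() call go here ...
}

echo render_form();
```

The abort happens before anything else runs, which keeps the cost of handling a bot submission to one string comparison, in line with the point above about not letting junk mail strain the server.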


Access Denied

Most spambots search the net for common page names like “contact.html” or “contact.php” and spam them directly via HTTP requests.

Pages with contact forms should only be reached through the website’s navigation. Any attempt to directly access a PHP page is a security violation and in most cases is attributable to spambots or curious minds (a.k.a. hackers).

The solution is to set a variable in the page that links to the contact form and pass it as a parameter to the form page (set the variable to something other than “yes” or “true”, as these are common guesses). In the contact form page, check for this variable: if it is set, access is granted; otherwise, display an error or authorization warning.
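The navigation check described above, as an added example (not code from the original post). It assumes the site’s navigation page links to contact.php, that PHP sessions are enabled, and that the marker passed as a parameter is a per-session random value rather than a fixed word; anything fixed would be visible in the page source, so the value is generated once per visitor and compared against what that visitor’s session holds:

```php
<?php
// Added example, not from the original post. Assumptions: index.php links to
// contact.php, sessions are available, and the marker is a per-session random
// value (nothing guessable like "yes" or "true").

const ACCESS_PARAM = 'nav';

// Used by the page that links to the contact form: create the marker once per
// session and embed it in the link the visitor actually clicks.
function contact_form_link(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['contact_nav_token'])) {
        $_SESSION['contact_nav_token'] = bin2hex(random_bytes(16));
    }
    return 'contact.php?' . ACCESS_PARAM . '=' . urlencode($_SESSION['contact_nav_token']);
}

// Used at the top of contact.php: grant access only when the parameter matches
// the value stored in this visitor's session. A direct request (no session, no
// parameter, or a guessed value) fails the check.
function navigation_access_granted(array $query): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = (string)($_SESSION['contact_nav_token'] ?? '');
    $given    = (string)($query[ACCESS_PARAM] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// In the navigation page:
//   echo '<a href="' . htmlspecialchars(contact_form_link()) . '">Contact us</a>';

// In contact.php:
if (!navigation_access_granted($_GET)) {
    http_response_code(403);
    exit('Access denied: please use the site navigation to reach the contact form.');
}
// ... render the form or process the submission ...
```

Because the expected value lives in the server-side session, a crawler that finds the contact page by name has nothing to compare against, and a stale or copied link from another visitor’s session does not match either.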



Illegal Characters

This, once again, is the most important check you can do, especially on the server side of things.

Using a regular expression, check ALL fields for illegal characters. This is similar to the client-side validation process. Simply check for illegal characters, and if any field has them, abort the email process.

TIP: Make sure “magic_quotes_gpc” is disabled in your php.ini. If it is on, PHP will insert a backslash before characters like apostrophes and quotes in submitted data. This makes validation a pain, because those backslashes end up in the mail message.
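The illegal-character check and the magic_quotes caveat, worked through as an added example (not code from the original post). It assumes the form fields are “name”, “email”, “subject” and “message”, and the per-field patterns are illustrative allowlists to be adjusted for the site. Carriage returns and line feeds are treated as illegal in every field that ends up in a mail header, because a newline there lets a sender add headers of their own; the message body allows ordinary newlines only. The sample submissions at the bottom are constructed for a stand-alone run:

```php
<?php
// Added example, not from the original post. Assumed fields: name, email,
// subject, message. Patterns are illustrative allowlists.

// Per-field allowlists: anything outside the pattern is an illegal character.
// name/subject go into mail headers, so CR/LF and control characters are rejected.
// email is a conservative address shape with no whitespace.
// message is the body, so tab and newline are allowed but other controls are not.
const FIELD_RULES = [
    'name'    => '/\A[\p{L}\p{M} .\'-]{1,80}\z/u',
    'email'   => '/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/',
    'subject' => '/\A[^\r\n\x00-\x1F\x7F]{1,120}\z/u',
    'message' => '/\A[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]{1,5000}\z/u',
];

// If magic_quotes_gpc is still on (old PHP only), strip the backslashes it
// inserted so validation sees what the user typed. The post's advice is to
// turn the setting off; this only copes with a server where that was not done.
function undo_magic_quotes(array $fields): array
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return array_map('stripslashes', $fields);
    }
    return $fields;
}

// Returns the names of fields that failed their pattern; empty means all passed.
// Every field in the rule set is checked, so a missing field fails as well.
function illegal_character_fields(array $fields, array $rules = FIELD_RULES): array
{
    $failed = [];
    foreach ($rules as $name => $pattern) {
        $value = (string)($fields[$name] ?? '');
        if (preg_match($pattern, $value) !== 1) {
            $failed[] = $name;
        }
    }
    return $failed;
}

// Constructed sample submissions: one legitimate, one with a newline smuggled
// into the subject, which would otherwise become an extra mail header.
$samples = [
    'legit' => ['name' => "Mary O'Brien", 'email' => 'mary@example.com',
                'subject' => 'Question about hours', 'message' => "Hi,\nare you open Sunday?"],
    'bad'   => ['name' => 'Bob', 'email' => 'bob@example.com',
                'subject' => "Hi\r\nX-Injected: yes", 'message' => 'spam'],
];

foreach ($samples as $label => $fields) {
    $failed = illegal_character_fields(undo_magic_quotes($fields));
    if ($failed !== []) {
        // Abort: nothing from this submission reaches mail().
        echo "$label: aborted, illegal characters in " . implode(', ', $failed) . "\n";
    } else {
        echo "$label: ok, safe to hand to mail()\n";
    }
}
```

Checking with an allowlist (what is permitted) rather than a blocklist (what is forbidden) means a character nobody thought of is rejected by default, which is the property you want when the output is going straight into a mail() call.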
