Hello everyone! I wasn't entirely sure where to put this... I hope this is the right place.

I have a php contact form on several of my sites that sends me emails with the message and user information. After I started getting the spam messages, I set it up so that I could capture the IP address of the sender, so I could block it from my site. However, it doesn't work with the sender of the spam emails. Here is an example of the spam emails:

```
Sender's Name: manjacklozcx200
Message: New two girls one cup video collections! <a href=\"http://domainname.com">2 girls 1 cup video</a> <a href=\"http://domainname.com">watch 2 girls 1 cup</a>
Email Address:
Location: NlkSmGRZ
Sender's IP Address:
```

It's rather driving me crazy - anyone have any suggestions? Oh, and here is the php that I use for capturing the IP addresses (it works for normal visitors, just not for the spam emails):

```php
function get_userIP() {
    // Return the first of these environment variables that holds a value
    $IPAry = array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR');
    foreach ($IPAry as $val) {
        if (getenv($val) && getenv($val) != 'unknown')
            return getenv($val);
    }
    return 'unknown';
}
$ip = get_userIP();
```

Thank you for your help in advance!

Timothius
Well, this is my php - I'm not an expert or anything and I realize this form doesn't have much for checks and balances, but I'm not sure of the best way of doing it... Here is my php... (please don't laugh)

```php
<?php
if ($_POST['message']) {
    process_form();
} else {
    showform();
}

function process_form() {
    // Every value in the email, including the IP address, comes from the posted form
    mail('info@domainname.com', 'domainname.com mail',
        'Sender\'s Name: ' . $_POST['name'] . ' ' .
        'Message: ' . $_POST['message'] . ' ' .
        'Email Address: ' . $_POST['email'] . ' ' .
        ' Location: ' . $_POST['location'] . ' ' .
        ' Sender\'s IP Address: ' . $_POST['ipaddy']);
    print<<<_SUCCESS
<p>Your Message Has been sent sucessfully!</p>
_SUCCESS;
}

function showform() {
    function get_userIP() {
        // Return the first of these environment variables that holds a value
        $IPAry = array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR');
        foreach ($IPAry as $val) {
            if (getenv($val) && getenv($val) != 'unknown')
                return getenv($val);
        }
        return 'unknown';
    }
    $ip = get_userIP();
    // The address is written into a hidden field when the form is displayed
    print<<<_HTML
<div id="formdiv">
<form method="post" action="$_SERVER[PHP_SELF]">
<h2>Contact Us</h2>
<div>
<label>Your Name</label> <br />
<input name="name" type="text" maxlength="50" /> <br />
</div>
<div>
<label>Email Address</label> <br />
<input name="email" type="text" maxlength="100" /> <br />
</div>
<div>
<label>Location <em>(optional)</em></label> <br />
<input name="location" type="text" maxlength="100" /> <br />
</div>
<div>
<label>Message</label> <br />
<textarea cols="40" rows="7" name="message"></textarea>
<input name="ipaddy" type="hidden" value="$ip"/>
</div>
<div>
<br />
<input name="submit" type="submit" value="Click to Send"/>
</div>
</form>
</div>
_HTML;
}
?>
```

Thanks!
Add this, and don't forget to change SPAM IP ADDRESS to the spammer's IP address:

```php
if ($ip != "SPAM IP ADDRESS") {
    print<<<_HTML
<div id="formdiv">
<form method="post" action="$_SERVER[PHP_SELF]">
<h2>Contact Us</h2>
<div>
<label>Your Name</label> <br />
<input name="name" type="text" maxlength="50" /> <br />
</div>
<div>
<label>Email Address</label> <br />
<input name="email" type="text" maxlength="100" /> <br />
</div>
<div>
<label>Location <em>(optional)</em></label> <br />
<input name="location" type="text" maxlength="100" /> <br />
</div>
<div>
<label>Message</label> <br />
<textarea cols="40" rows="7" name="message"></textarea>
<input name="ipaddy" type="hidden" value="$ip"/>
</div>
<div>
<br />
<input name="submit" type="submit" value="Click to Send"/>
</div>
</form>
</div>
_HTML;
} else {
    echo "Got ya you spammer";
}
```
Hehe - well... as I mentioned earlier above, I don't have the spammer's IP address, so that doesn't work. If I *had* the spammer's IP address I could just block him from my site ENTIRELY with my .htaccess file. The problem is my form is a little unsecure. It is very basic, and I don't need much info from the form... I'm just not sure how the spammer is avoiding my IP address capture script...
Try $ip = $_SERVER['REMOTE_ADDR']; to get the IP address. If that doesn't work, integrate a CAPTCHA. This is captcha.php:

```php
<?php
session_start();
header("Cache-control: private");

$width = 100;
$height = 40;
$im = imagecreate($width, $height);
$bg = imagecolorallocate($im, 0, 0, 0);

// generate random string
$len = 5;
$chars = 'ABCDEFGHIJKLMNPQRSTUVWXYZ123456789';
$string = '';
for ($i = 0; $i < $len; $i++) {
    $pos = rand(0, strlen($chars)-1);
    $string .= $chars[$pos];
}

// grid
$grid_color = imagecolorallocate($im, 175, 0, 0);
$number_to_loop = ceil($width / 20);
for ($i = 0; $i < $number_to_loop; $i++) {
    $x = ($i + 1) * 20;
    imageline($im, $x, 0, $x, $height, $grid_color);
}
$number_to_loop = ceil($height / 10);
for ($i = 0; $i < $number_to_loop; $i++) {
    $y = ($i + 1) * 10;
    imageline($im, 0, $y, $width, $y, $grid_color);
}

// random lines
// $line_color = imagecolorallocate($im, 130, 0, 0);
// for($i = 0; $i < 30; $i++) {
//     $rand_x_1 = rand(0, $width - 1);
//     $rand_x_2 = rand(0, $width - 1);
//     $rand_y_1 = rand(0, $height - 1);
//     $rand_y_2 = rand(0, $height - 1);
//     imageline($im, $rand_x_1, $rand_y_1, $rand_x_2, $rand_y_2, $line_color);
// }

// write the text
$text_color = imagecolorallocate($im, 255, 0, 0);
$rand_x = rand(0, $width - 50);
$rand_y = rand(0, $height - 15);
imagestring($im, 10, $rand_x, $rand_y, $string, $text_color);

header("Content-type: image/png");
imagepng($im);

// remember the md5 of the code so the form script can check it
$_SESSION['captcha'] = md5($string);
?>
```

Then on your contact form add:

```html
<img src="/captcha.php" />
Write Captcha code here: <input type="text" name="captcha_code" />
```

And before it sends the email, you need to make sure that they entered the captcha code correctly, so...:

```php
if (isset($_POST['captcha_code']) && isset($_SESSION['captcha'])) {
    if (md5($_POST['captcha_code']) == $_SESSION['captcha']) {
        // YOUR FORM SUBMIT CODE
    } else {
        echo 'Captcha code incorrect.<br />';
    }
}
```
Wow - thanks a ton for that RyanDoubleYou... now the only thing I'm not sure how to get working is the php code - I'm not sure where to put that in my logic so that it won't send the message or print "message sent successfully". Do I have to rewrite my whole logic to make this work?
Upload captcha.php, then use this as your form.

```php
<?php
// start the session so the value stored by captcha.php can be read
session_start();

if ($_POST['message']) {
    process_form();
} else {
    showform();
}

function process_form() {
    if (isset($_POST['captcha_code']) && isset($_SESSION['captcha'])) {
        if (md5($_POST['captcha_code']) == $_SESSION['captcha']) {
            mail('info@domainname.com', 'domainname.com mail',
                'Sender\'s Name: ' . $_POST['name'] . ' ' .
                'Message: ' . $_POST['message'] . ' ' .
                'Email Address: ' . $_POST['email'] . ' ' .
                ' Location: ' . $_POST['location'] . ' ' .
                ' Sender\'s IP Address: ' . $_POST['ip']);
            echo ' <p>Your Message Has been sent sucessfully!</p> ';
        } else {
            echo 'Captcha code incorrect.<br />';
        }
    } else {
        echo "No Captcha code";
    }
}

function showform() {
    $ip = $_SERVER['REMOTE_ADDR'];
    // variables are concatenated because single-quoted strings are not interpolated
    echo '
<div id="formdiv">
Captcha code: <img src="/captcha.php" width="100" height="40" alt="Captcha" /><br/>
<form method="post" action="' . $_SERVER['PHP_SELF'] . '">
<h2>Contact Us</h2>
<div>
Write Captcha code here: <input type="text" name="captcha_code" /><br/>
<label>Your Name</label> <br />
<input name="name" type="text" maxlength="50" /> <br />
</div>
<div>
<label>Email Address</label> <br />
<input name="email" type="text" maxlength="100" /> <br />
</div>
<div>
<label>Location <em>(optional)</em></label> <br />
<input name="location" type="text" maxlength="100" /> <br />
</div>
<div>
<label>Message</label> <br />
<textarea cols="40" rows="7" name="message"></textarea>
<input name="ip" type="hidden" value="' . $ip . '"/>
</div>
<div>
<br />
<input name="submit" type="submit" value="Click to Send"/>
</div>
</form>
</div>
';
}
?>
```
Interesting... when I put in the right captcha now it says "message sent successfully", but it never sends the email. When I enter it incorrectly it gives the correct message. When I don't enter anything, it says "captcha code incorrect". Any ideas? (You've been incredible RyanDoubleYou - Thanks!!!!)
Are you sure that you have put your email in the correct spot in the code I gave you, under the mail() function?
Whoops - I forgot to substitute my email address... it sends the mail correctly. However, the IP address shows up blank in the email that sends & it gives the incorrect message when nothing is entered into the captcha form?
Fixed the IP address thing - POST was calling the input name. When I don't enter anything, it still says "captcha code incorrect" though. Not a big deal - I can live with that
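An added example, not code from any poster in this thread: it handles the submission so that the sender's address is read on the server when the message is posted instead of from the hidden form field, and so that the captcha value is checked once and then discarded. The function names `sender_ip`, `captcha_ok` and `field` are hypothetical, and it assumes captcha.php as posted above has stored the md5 of the code in `$_SESSION['captcha']`.

```php
<?php
// Added example, not from the thread; function names are hypothetical.
session_start(); // makes the value stored by captcha.php visible here

// Read the address from the connection when the message is posted.
// A hidden form field, Client-IP or X-Forwarded-For all come from the
// client, so a script that POSTs directly can leave them empty or fake them.
function sender_ip(array $server): string {
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : 'unknown';
}

// Check the submitted code against the md5 that captcha.php stored, and
// discard the stored value so one solved image allows one attempt.
function captcha_ok(array $post, array &$session): bool {
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);
    $given = $post['captcha_code'] ?? '';
    if (!is_string($expected) || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, md5($given));
}

// Return one posted field as a single line of bounded length, so a value
// cannot add look-alike "Sender's IP Address:" lines to the email body.
function field(array $post, string $key, int $max): string {
    $value = $post[$key] ?? '';
    $value = is_string($value) ? $value : '';
    return substr(trim(preg_replace('/[\r\n]+/', ' ', $value)), 0, $max);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!captcha_ok($_POST, $_SESSION)) {
        echo 'Captcha code missing or incorrect.<br />';
    } else {
        $body = "Sender's Name: " . field($_POST, 'name', 50) . "\n"
              . 'Email Address: ' . field($_POST, 'email', 100) . "\n"
              . 'Location: ' . field($_POST, 'location', 100) . "\n"
              . "Sender's IP Address: " . sender_ip($_SERVER) . "\n"
              . 'Message: ' . (is_string($_POST['message'] ?? null) ? $_POST['message'] : '');
        $sent = mail('info@domainname.com', 'domainname.com mail', $body);
        echo $sent ? '<p>Your message has been sent successfully!</p>'
                   : '<p>The message could not be sent.</p>';
    }
}
```

Behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address; in that case take the client address only from the header that proxy itself sets.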
This kind of spam usually occurs in tell-a-friend features also. By the way, why are you accepting a subject that you can simply make static, because it's just a contact form?
Sorry, I'm not sure I understand what you are saying... I only have a message that the user fills in, not a subject line.