Code to Prevent Email Address Scraping and Form Spam via PHP Mail Injection Attacks

Email spam is a major problem for enterprises and individuals because it can lead to fraud, identity theft, computer viruses, and wasted time. In addition, misconceived efforts to block spam with overly aggressive filtering can inconvenience legitimate email contacts.
This page contains HTML and Javascript code for preventing email addresses from being harvested from your website, and PHP code to block form spam.

This simple Javascript function will fool virtually all email address harvesting programs:
<script type="text/javascript">
// Generate an email address link at page load, so the address itself
// never appears in the page's HTML source.
function contact(domain, user, tld) {
    document.write('<a href="mailto:' + user + '@' + domain + '.' + tld + '">');
    document.write(user + '@' + domain + '.' + tld + '</' + 'a>');
}
contact("kcl.ac", "alan.turing", "uk");
</script>
The following code (adapted from something I found at the HighRankings Forum) can greatly reduce the amount of form spam.
// Insert this into your PHP form handler before the call to mail().
// Change 'email' to the name of the field where your user should
// enter their own email address. Check $_GET instead of $_POST if
// your contact form uses the GET method.
if (empty($_POST) || !isset($_POST['email'])) {
    header("Location: /");
    exit;
}

// Your form should have a honey pot field 'pooh' (hidden from view with
// CSS) that human users leave blank; bots that fill in every field are
// rejected here.
if (!isset($_POST['pooh']) || $_POST['pooh'] != "") {
    sleep(rand(2, 5)); // delay spammers a bit
    header("HTTP/1.0 403 Forbidden");
    exit;
}

// Header names and other strings that have no business in a contact-form
// field. Matching below is case-insensitive (stripos), so "Bcc:" and
// "bcc:" are both caught and each string needs to be listed only once.
$badStrings = array("content-type:",
                    "mime-version:",
                    "multipart/mixed",
                    "content-transfer-encoding:",
                    "to:",
                    "bcc:",
                    "cc:",
                    "href=");

// Return $stringIn with CR and LF turned into spaces and every non-ASCII
// byte dropped, so a header injected behind a line break or padded with
// non-ASCII bytes still lines up against $badStrings.
function all_ascii($stringIn) {
    $final = '';
    $hold = str_replace(array("\r", "\n"), array(" ", " "), $stringIn);
    foreach (str_split($hold) as $val) {
        if (ord($val) < 128) $final .= $val;
    }
    return $final;
}

// Loop through each POST'ed value and test whether it contains one of
// the $badStrings. Array fields (name="foo[]") are flattened to a string
// first so they are scanned rather than skipped.
foreach ($_POST as $k => $v) {
    $text = is_array($v) ? implode(' ', $v) : (string) $v;
    foreach ($badStrings as $v2) {
        if (stripos(all_ascii($text), $v2) !== false) {
            sleep(rand(2, 5)); // delay spammers a bit
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}
// Continue onward to mail()
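A companion check to the string scan above, written as an added example for this page rather than code from the original article or the HighRankings post: it validates the fields of a typical contact form before mail() is called, rejects any line break in a header-bound field, and keeps the user's address out of the From: header. The field names, function names and the site address are assumptions.

```php
<?php
// Added example (not from the original page): validate contact-form
// fields before they reach mail(), so a CR or LF in a header-bound
// field can never become an extra header. Function names are assumptions.

// True if $value may be placed in a mail header: a plain string made
// only of printable ASCII, so no CR, LF, NUL or non-ASCII bytes.
function isHeaderSafe($value): bool
{
    return is_string($value) && preg_match('/^[\x20-\x7E]*\z/', $value) === 1;
}

// Validate a submission. Returns a list of error messages; an empty
// list means the fields are safe to hand to mail().
function validateContactForm(array $post): array
{
    $errors = [];
    // 'email' and 'subject' end up in headers, so they must be single-line ASCII.
    foreach (['email', 'subject'] as $field) {
        if (!isset($post[$field]) || !isHeaderSafe($post[$field])) {
            $errors[] = "$field: missing, or contains characters not allowed in a header";
        }
    }
    // filter_var also rejects addresses with embedded line breaks.
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a syntactically valid address';
    }
    // The body may span lines, but a line that looks like a mail header is
    // the signature of an injection attempt (same idea as $badStrings above).
    if (!isset($post['message']) || !is_string($post['message'])) {
        $errors[] = 'message: missing';
    } elseif (preg_match('/^(to|cc|bcc|content-type|mime-version):/im', $post['message']) === 1) {
        $errors[] = 'message: contains a mail header line';
    }
    return $errors;
}
// Build the headers for mail(): From is a fixed site address, and the
// user's (already validated) address goes only into Reply-To.
function buildHeaders(string $userEmail): string
{
    $siteAddress = 'webform@example.com'; // assumed: your own sending address
    return "From: $siteAddress\r\nReply-To: $userEmail";
}

// Constructed test submissions: one legitimate, one with an injected Bcc header.
$clean = ['email' => 'alice@example.com', 'subject' => 'Hello', 'message' => "Hi,\nthanks."];
$injected = ['email' => "alice@example.com\r\nBcc: all@example.net", 'subject' => 'Hello', 'message' => 'x'];
echo 'clean: ',    (validateContactForm($clean) === [] ? 'accepted' : 'rejected'), "\n";
echo 'injected: ', (validateContactForm($injected) === [] ? 'accepted' : 'rejected'), "\n";
```

Only when validateContactForm() returns an empty array should the handler call mail() with buildHeaders($post['email']) as its headers argument.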
About the Author
After graduating from Yale with two degrees in Computer Science, Jonathan
Hochman set up his own consulting company in 1990. He has been an Internet
marketer since 1994. To send feedback, please visit http://www.hochmanconsultants.com/.
For additional information, please contact Hochman Consultants.