[nycphp-talk] PHP script needs some filter help
Gary Mort
bz-gmort at beezifies.com
Sun Sep 16 14:02:20 EDT 2007
Christina Karlhoff wrote:
>
> The situation: Our company's website host server only processes
> scripts in php, python, cold fusion [not in asp - go figure]. Our
> website has three separate user information request forms on it; all
> were posted using a php mail script. One day, all of a sudden, we get
> 20-30 bogus forms mailed to us per day. Annoying and alarming. So I
> went searching for some way to control it. I managed to insert a php
> script with captcha into each. But we are still getting bogus forms
> sent to us. Not as many, but still annoying and no fun...email header
> injections, I take it?
>
Captcha prevents, to a degree, the automated use of your forms to send
you email.
It won't prevent someone from manually using those forms to send you email.
Nor will it prevent someone from forging your email address and sending
you spam.
So without knowing why the forms are bogus, it's somewhat hard to tell what
the problem is.
As a first step, I'd make sure to code something so you track who
submits an email through a form (cookie plus ip address tracking along
with placing a unique id for each email in the header) so you can
compare the "spam" with your database and see where it is coming from.
Then attack the problem from that perspective. If they all come from
the same IP address range, add an extra captcha routine triggered just
for them to confirm email. Reject their address entirely. Whatever.
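
The tracking step suggested in the reply above, as an added example that is not part of the original post: each submission is logged with its IP address and visitor cookie under a unique id, and the same id travels in a mail header so unwanted mail can be matched back to the log. The `form_log` table, the `X-Form-Submission-ID` header and the function names are hypothetical; passing the header array to `mail()` assumes PHP 7.2 or later.

```php
<?php
// Added example; table, column, header and function names are hypothetical.

// Log one form submission and return the headers to pass to mail().
function track_submission(PDO $db, string $form, string $ip, string $visitor, string $replyTo): ?array
{
    // Refuse anything that is not a plain address (this also rejects CR/LF).
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $id = bin2hex(random_bytes(16)); // unique id carried in the outgoing mail
    $db->prepare('INSERT INTO form_log (id, form, ip, visitor, sent_at) VALUES (?, ?, ?, ?, ?)')
       ->execute([$id, $form, $ip, $visitor, gmdate('c')]);
    return ['Reply-To' => $replyTo, 'X-Form-Submission-ID' => $id];
}

// Given ids copied from the headers of unwanted mail, count submissions per IP.
// An id missing from the log means that mail did not come through the form.
function spam_sources(PDO $db, array $spamIds): array
{
    $result = ['by_ip' => [], 'unknown' => []];
    $stmt = $db->prepare('SELECT ip FROM form_log WHERE id = ?');
    foreach ($spamIds as $id) {
        $stmt->execute([$id]);
        $ip = $stmt->fetchColumn();
        if ($ip === false) {
            $result['unknown'][] = $id;
        } else {
            $result['by_ip'][$ip] = ($result['by_ip'][$ip] ?? 0) + 1;
        }
    }
    arsort($result['by_ip']); // busiest source first
    return $result;
}

// Constructed demo data. In a real handler the IP comes from
// $_SERVER['REMOTE_ADDR'] and the visitor id from a cookie you set.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_log (id TEXT PRIMARY KEY, form TEXT, ip TEXT, visitor TEXT, sent_at TEXT)');

$a = track_submission($db, 'contact', '192.0.2.10', 'v-1', 'one@example.com');
$b = track_submission($db, 'quote', '192.0.2.10', 'v-2', 'two@example.com');
$c = track_submission($db, 'contact', '198.51.100.7', 'v-3', 'three@example.com');
// A value with an embedded line break is refused before any header is built.
$bad = track_submission($db, 'contact', '192.0.2.10', 'v-4', "x@example.com\r\nX-Injected: 1");

print_r(spam_sources($db, [$a['X-Form-Submission-ID'], $b['X-Form-Submission-ID'], 'not-in-log']));
var_dump($bad === null);
```

Ids that land in `unknown` point to mail sent straight to the address rather than through a form, which a captcha on the form cannot affect.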