Reputation: 825
I am coming to Stack Overflow for this because everything I search pretty much talks about email from a form using PHPMailer going to a user's spam box. But I need info on receiving spam from the form itself. I use it on a small, very light traffic real estate agent's website. She gets spam from time to time and I don't know how to resolve it. PHPMailer seems to be the go-to tool for sending email with PHP, so I figure spam/security is pretty well covered. I must be doing something wrong... I am using class.phpmailer.php of course, and here is my code:
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $name = trim($_POST["name"]);
        $email = trim($_POST["email"]);
        $phone = trim($_POST["phone"]);
        $message = trim($_POST["message"]);

        // All four visible fields are required.
        if ($name == "" OR $email == "" OR $phone == "" OR $message == "") {
            echo "You must specify a value for name, email address, phone, and message.";
            exit;
        }

        // Reject values that try to smuggle a mail header into the message.
        foreach( $_POST as $value ){
            if( stripos($value,'Content-Type:') !== FALSE ){
                echo "There was a problem with the information you entered.";
                exit;
            }
        }

        // "address" must stay empty; isset() avoids a notice when the field is not posted.
        if (isset($_POST["address"]) && $_POST["address"] != "") {
            echo "Your form submission has an error.";
            exit;
        }

        require_once("phpmailer/class.phpmailer.php");
        $mail = new PHPMailer();

        if (!$mail->ValidateAddress($email)){
            echo "You must specify a valid email address.";
            exit;
        }

        // Build the HTML body from the submitted values.
        $email_body = "";
        $email_body = $email_body . "Name: " . $name . "<br>";
        $email_body = $email_body . "Email: " . $email . "<br>";
        $email_body = $email_body . "Phone: " . $phone . "<br>";
        $email_body = $email_body . "Message: " . $message;

        $mail->SetFrom($email, $name);
        $address = "[email protected]";
        $mail->AddAddress($address, "A Name Here");
        $mail->Subject = "Message from " . $name . " on website contact form";
        $mail->MsgHTML($email_body);

        if(!$mail->Send()) {
            echo "There was a problem sending the email: " . $mail->ErrorInfo;
            exit;
        }

        header("Location: index.php?status=thanks");
        exit;
    }
The HTML is very simple:
    <form id="form" name="form" method="post" action="contact-process.php">
        <?php if (isset($_GET["status"]) AND $_GET["status"] == "thanks") { ?>
            <p class="form-thanks">Thank you for contacting us. We'll be in touch with you very soon.</p>
        <?php } ?>
        <label>Name
            <span class="small">First and Last</span>
        </label>
        <input type="text" name="name" id="name" />
        <label>E-Mail
            <span class="small">[email protected]</span>
        </label>
        <input type="text" name="email" id="email" />
        <label>Phone Number
            <span class="small">With area code</span>
        </label>
        <input type="text" name="phone" id="phone" />
        <label>Message
            <span class="small">How can we help you?</span>
        </label>
        <textarea cols="40" rows="8" name="message"></textarea>
        <button type="submit">Submit</button>
        <div class="spacer"></div>
    </form>
Upvotes: 1
Views: 4226
Reputation: 14625
A simple technique to avoid spam is to use something called a honey-pot, which is a text field which is not visible to normal users but a dumb spam-robot will probably enter something into that field.
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        // robot detection: the hidden "email" field must stay empty
        $honeypot = trim($_POST["email"]);
        if(!empty($honeypot)) {
            echo "BAD ROBOT!";
            exit;
        }
        $name = trim($_POST["name"]);
        // the visible email input is named "email_real" in the HTML
        $email = trim($_POST["email_real"]);
        $phone = trim($_POST["phone"]);
        $message = trim($_POST["message"]);
        // rest stays as is
In your HTML file you need to insert another "hidden" text field which is the honeypot:
    <label>E-Mail
        <span class="small">[email protected]</span>
    </label>
    <input type="text" name="email" style="display: none;">
    <input type="text" name="email_real" id="email" />
Note how I changed the name of the actual, visible email text field to "email_real". It would be even better to avoid the word "email" completely in the real email field, since many robots are dumb.
The invisible honeypot input field should be called "email" though. Why? Because most robots are scanning for some standard input fields like "email", "address" etc. - so it's important to give the honeypot a common form field name.
Another neat trick is to swap some common field names, i.e. swap the names of the email and zip fields, so robots will fill in a numeric value for the email address and an email address for the zip code, which will fail the validation.
It's not a 100% guarantee to kill all spam but it worked quite well for me without forcing the user to solve an annoying captcha...
Upvotes: 12
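Added example, not part of the answer above and not PHPMailer code: a server-side check that combines the hidden honeypot with the swapped email/zip field names the answer describes, run over constructed submissions. The field names `zip` and `contact`, the 5-digit zip format and the sample data are assumptions made for illustration.

```php
<?php
// Added example. Field names and sample submissions are constructed.
// Assumed (hypothetical) form layout, following the answer's two tricks:
//   "email"   hidden honeypot, a human leaves it empty
//   "zip"     visible input that really collects the e-mail address
//   "contact" visible input that really collects a 5-digit zip code

/** Returns null for a plausible human submission, else a reason to log. */
function spam_reason(array $post): ?string
{
    // $_POST values can be arrays (name[]=x); treat those as empty
    // instead of passing them to trim(), which is a TypeError on PHP 8.
    $field = function (string $key) use ($post): string {
        $v = $post[$key] ?? '';
        return is_string($v) ? trim($v) : '';
    };
    if ($field('email') !== '') {
        return 'honeypot filled';
    }
    // A bot that fills fields by name puts digits in "zip" and an
    // address in "contact", so both checks fail.
    if (filter_var($field('zip'), FILTER_VALIDATE_EMAIL) === false) {
        return 'swapped e-mail field is not an address';
    }
    if (preg_match('/^\d{5}$/D', $field('contact')) !== 1) {
        return 'swapped zip field is not a zip code';
    }
    // The name ends up in the From header and the Subject line.
    if ($field('name') === '' || preg_match('/[\r\n]/', $field('name'))) {
        return 'name missing or contains a line break';
    }
    return null;
}

$samples = [ // constructed submissions
    'human'        => ['name' => 'Jane Doe', 'email' => '',
                       'zip' => 'jane@example.com', 'contact' => '90210'],
    'fills all'    => ['name' => 'x', 'email' => 'bot@example.net',
                       'zip' => '12345', 'contact' => 'bot@example.net'],
    'skips hidden' => ['name' => 'x', 'email' => '',
                       'zip' => '12345', 'contact' => 'bot@example.net'],
    'array value'  => ['name' => ['x'], 'email' => '',
                       'zip' => 'a@example.org', 'contact' => '90210'],
];
foreach ($samples as $label => $post) {
    printf("%-13s %s\n", $label, spam_reason($post) ?? 'accepted');
}
```

Logging the returned reason on the server while showing every rejected sender the same generic error keeps the form from telling a bot which check it tripped.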