How 2 protect my email address?
| mouton 2007-03-28, 3:59 am |
| Hello,
I have a contact form on my website that sends form data to a php page
where the php mail() function collects and sends them to me.
On this action page, one variable contains my email address in the form:
$myEmail = "myemail@blah.com";
The trouble is that I receive a lot of spam through this and do not know
how to avoid that. Could you please help me?
Thank you.
| |
| Martin Mandl - m2m tech support 2007-03-28, 3:59 am |
| On Mar 28, 9:48 am, mouton <nos...@nospam.com> wrote:
> Hello,
>
> I have a contact form on my website that sends form data to a php page
> where the php mail() function collects and send them to me.
>
> On this action page, one variable contains my email address in the form:
> $myEmail = "myem...@blah.com";
>
> The trouble is that I receive a lot of spam through this and do not know
> how to avoid that. Could you please help me?
>
> Thank you.
Dear Mouton,
using mail() without extensive filtering you create a spam portal.
Have a look around, there are lots of articles around how to avoid
this. Try "spam mail php" in your favorite search engine ;)
good luck
Martin
------------------------------------------------
online accounting on bash bases
Online Einnahmen-Ausgaben-Rechnung
http://www.ea-geier.at
------------------------------------------------
m2m server software gmbh
http://www.m2m.at
| |
| Andrew Bailey 2007-03-28, 3:59 am |
|
"Martin Mandl - m2m tech support" <martin.mandl@gmail.com> wrote in message
news:1175070592.285015.208940@d57g2000hsg.googlegroups.com...
> On Mar 28, 9:48 am, mouton <nos...@nospam.com> wrote:
>
Hi Martin,
Try...
$myEmail1 = "myem...";
$myEmail2 = "@";
$myEmail3 = "blah.com";
$myEmail = $myEmail1 . $myEmail2 . $myEmail3;
Hope this helps
Andy
| |
| shimmyshack 2007-03-28, 10:00 pm |
| On 28 Mar, 09:35, "Andrew Bailey" <a...@idontwantanyspam.com> wrote:
> "Martin Mandl - m2m tech support" <martin.ma...@gmail.com> wrote in message
> news:1175070592.285015.208940@d57g2000hsg.googlegroups.com...
>
> Hi Martin,
>
> Try...
>
> $myEmail1 = "myem...";
> $myEmail2 = "@";
> $myEmail3 = "blah.com";
>
> $myEmail = $myEmail1 . $myEmail2 . $myEmail3;
>
> Hope this helps
>
> Andy
yeah what andy is saying is that if you hard code the stuff that never
changes - in the php script that does the mailing, then you don't have
to send the data to the form in the first place and can simply delete
that part of the script/markup that sends unneeded variables.

the best way to avoid spam is not to have your email on the page, or
anywhere on the site, but to provide as you have done, a form with no
email, which simply allows text message to get sent, together with
THEIR email, so you contact them back. This method allows anyone to
spam you just as before of course, but then to increase security on
the form you use a captcha - an image that's hard for OCR enabled
spambots to read, which prevents autoposting of your form.

of course this might be circumventable - is that a word - if the image
is too clear, there are various implementations around, but follow
something like Google's, which has a nice random background, and makes
the letters "wibbly" - a technical term :)

wordpress has an add on as do most other high profile blogging and CMS
engines, so they are worth a look to see how it's done well.

you could also look at your market, and refuse to support spam that
originates from an IP in China - if you are very unlikely to benefit from
such communication. Do you need the form to be up and running 24/7/265,
would you benefit from taking a look at the time of day of decent
posts compared to spam, and make the form display a "come back later",
or "click here" where the click here is in javascript with some kind of
fuzzer or randomiser to make it harder for the bots to grab the
meaning of the code, or the link from it.

You could make 2 contact forms, on different pages, the chances are
that a human will only post to one, whereas a spammer might post to
both, you can have a link on each one pointing to the other to entice
those bots to follow. Perhaps to help your customers one is called
"sales" and the other "info".

Perhaps you can run the text of the post through a reg exp spamming
engine before you get to see it, that will cut out any spam that gets
to you. I would either do that server side, or run spampal, with
Bayesian filter on. There are loads of free antispam transparent
proxies out there for you to use, even if you cannot modify the actual
code.
| |
| Christoph Burschka 2007-03-29, 9:57 pm |
| Andrew Bailey wrote:
> "Martin Mandl - m2m tech support" <martin.mandl@gmail.com> wrote in message
> news:1175070592.285015.208940@d57g2000hsg.googlegroups.com...
>
> Hi Martin,
>
> Try...
>
> $myEmail1 = "myem...";
> $myEmail2 = "@";
> $myEmail3 = "blah.com";
>
> $myEmail = $myEmail1 . $myEmail2 . $myEmail3;
>
> Hope this helps
>
> Andy
>
>
Just WHAT does that accomplish?!
PHP code stays on the server, nobody ever sees this variable. How you construct
it makes absolutely NO difference.
The spam comes from somebody submitting the form, as intended. There's really
nothing you can do to protect your "email address" in this place - your own PHP
script is spamming you.
To stop robots from using the form, implement a CAPTCHA. To stop robots from
spamming OTHER people (far worse, considering your server gets blamed), be sure
to filter all the header fields properly, especially if there's a "FROM" field.
--
Christoph Burschka <christoph.burschka@rwth-aachen.de>
Math.-Techn. Assistent i.A.
-------------------------------------------------
RWTH Aachen
Rechen- und Kommunikationszentrum
Dienstgebäude Seffenter Weg 23
52074 Aachen
Tel: +49 (241) 80-20376
Fax: +49 (241) 80-29100
-------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup...arch=0xFF4BDDE8
| |
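The header filtering Christoph Burschka describes, as an added example that is not part of the original thread: a contact-form handler that keeps the recipient on the server and rejects any header field containing a line break. The field names, both addresses and the subject are assumptions, and passing headers to mail() as an array needs PHP 7.2 or later.

```php
<?php
// Added example, not code from the thread. Field names "name", "email" and
// "message" and both addresses are assumptions. Needs PHP 7.2+ (array headers).
const RECIPIENT = 'owner@example.com';   // lives only on the server
const SITE_FROM = 'webform@example.com'; // fixed From header of every message

/** Return a submitted field as a trimmed string ('' if missing or an array). */
function field(array $post, string $key): string
{
    return is_string($post[$key] ?? null) ? trim($post[$key]) : '';
}

/** True if the value could terminate a header line and start a new one. */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/** Return [headers, body] for a valid submission, or null to reject it. */
function build_message(array $post): ?array
{
    $name    = field($post, 'name');
    $email   = field($post, 'email');
    $message = field($post, 'message');

    // Reject, rather than repair, input that tries to add header lines
    // such as "Bcc:"; that is how a form gets used to spam other people.
    if (has_header_break($name) || has_header_break($email)) {
        return null;
    }
    if ($message === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The visitor's address is used only as Reply-To; From never varies.
    $headers = ['From' => SITE_FROM, 'Reply-To' => $email,
                'Content-Type' => 'text/plain; charset=UTF-8'];
    return [$headers, "Sender: {$name} <{$email}>\r\n\r\n{$message}"];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $built = build_message($_POST);
    if ($built === null) {
        http_response_code(400);
        exit('Invalid submission.');
    }
    [$headers, $body] = $built;
    // Fixed subject: Reply-To is the only header that carries user input.
    mail(RECIPIENT, 'Contact form message', $body, $headers);
    echo 'Message sent.';
}
```

This closes the relay problem only; it does nothing about robots filling in the form, which is what the CAPTCHA suggestion addresses.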
| Michael Daly 2007-03-30, 7:58 am |
| Christoph Burschka wrote:
> The spam comes from somebody submitting the form, as intended.
More likely it comes from scraping the e-mail address off the raw text
of the page - whether HTML, PHP or any other source. If you make the
e-mail address look like an e-mail address, spammers find it and add it
to their databases. If it doesn't look like an e-mail address, they
don't find it. This will break if the spammers ever decide to render
the page before scraping it for e-mail addresses.
I did something like this some time ago. I have yet to receive a single
spam e-mail at the "hidden" address I use. Prior to that, I got tons of
spam at any e-mail address I've used on a web page.
There may be spammers entering forms, but they are not as numerous as
the dumb annoying spammers who do everything by brute force.
Mike
| |
|
|
> $myEmail1 = "myem...";
> $myEmail2 = "@";
> $myEmail3 = "blah.com";
As someone suggested, the fact that this is constructed on the server,
offers us nothing.
Would it not make more sense to carry this style in the HTML, as Javascript?
Something like:
<script>
function em(who, domain, ext)
{
    // Assemble the address at click time so it never appears whole in the markup
    location.href = "mailto:" + who + "@" + domain + "." + ext;
}
</script>
<a href="" onClick="em('dave','msn', 'com'); return false;">Email Dave</a>
<a href="" onClick="em('sarah','hotmail', 'co.uk'); return false;">Email Sarah</a>
By far, I am not suggesting this as the be all and end all solution, but
like someone else suggested ... ensuring that the resulting HTML does not
display the full email@domain.com style address on the page, or in the HTML
code certainly does help limit the spam.
Okay, so any programmer with 20 seconds to spare would write something to
unravel this, but with the "billions" of email addresses readily available
on so many websites, is it worth their effort?
Anyway, that's my thoughts, for what they're worth.
| |
| shimmyshack 2007-03-30, 7:58 am |
| On 30 Mar, 09:59, "Sean" <sean.anderson@[nospam]oakleafgroup.biz>
wrote:
>
> As someone suggested, the fact that this is constructed on the server,
> offers us nothing.
>
> Would not make more sense to carry this style in the HTML, as Javascript?
>
> Something like:
>
> <script>
> function em(who, domain, ext)
> {
> location.href = "mailto:" + who + "@" + domain + "." + ext;
> }
> </script>
>
> <a href="" onClick="em('dave','msn', 'com'); return false;">Email Dave</a>
> <a href="" onClick="em('sarah','hotmail', 'co.uk'); return false;">Email Sarah</a>
>
> By far, I am not suggesting this as the be all and end all solution, but
> like someone else suggested ... ensuring that the resulting HTML does not
> display the full e...@domain.com style address on the page, or in the HTML
> code certainly does help limit the spam.
>
> Okay, so any programmer with 20 seconds to spare would write something to
> unravel this, but with the "billions" of email addresses readily available
> on so many websites, is it worth their effort?
>
> Anyway, that's my thoughts, for what they're worth.
yeah in fact any programmer who really wants email addresses just
needs to leverage a javascript engine, something from firefox perhaps
to get past all the obfuscation, and other tricks. But as you say
it's low hanging fruit.
I find this works though it is accessible (and strip_tags would beat
it)
<a id="contactaddr" href="#"><span>con<!-- no spam -->tact</span><!--
no spam -->@<span>myser<!-- no spam -->ver.</span>org</a>
then I use a piece of javascript in the head to create a real mailto
link in the DOM, or an onclick to a function, you could swop out the @
for @ I guess again reducing the exposed surface area.
This way it remains readable and accessible and copy and pasteable
when js is off, but becomes clickable when js is on.
| |
| Jussist 2007-03-30, 7:58 am |
| >
> The trouble is that I receive a lot of spam through this and do not know
> how to avoid that. Could you please help me?
The best (and perhaps most obvious) solution is to use a spam filter in
email. Or do a google search, as suggested before. If you get
annoying amounts through, and cannot change your spamfilter, then some
tricks are a necessity.
regards,
Jussi
| |
| Michael Daly 2007-03-30, 9:57 pm |
| Sean wrote:
> <script>
> function em(who, domain, ext)
> {
> location.href = "mailto:" + who + "@" + domain + "." + ext;
> }
> </script>
If you're going to use JS, put part of it in other js files and load
them - that just smears the info across files which...
> Okay, so any programmer with 20 seconds to spare would write something to
> unravel this, but with the "billions" of email addresses readily available
> on so many websites, is it worth their effort?
.... makes this coding effort slightly more annoying.
If they grab the page rendering code from an open source browser
project, they could generate the page and look at that for the address.
We just have to hope they are too lazy and obvious addresses are too
easy to find for them to take that next step.
Mike
| |
| Ian Hobson 2007-04-01, 6:58 pm |
| mouton wrote:
> Hello,
>
> I have a contact form on my website that sends form data to a php page
> where the php mail() function collects and send them to me.
>
> On this action page, one variable contains my email address in the form:
> $myEmail = "myemail@blah.com";
>
Put your email address in the script you are calling, not in the
variable that goes to/from the browser.
Ian
| |
| Arancaytar 2007-04-01, 9:58 pm |
| Um, I think the answers here are all missing the point.
The purpose of a contact form that sends emails with PHP is that _your
email address is never shown to the user_. At all. The server takes
the user's text, sends it to you, and tells the user the message was
sent. Your address never even gets transmitted to the user's computer,
whether in one piece or in a lot of really hard to read pieces.
This makes all the talk of "obfuscating" an email address irrelevant.
Unless the mailing script is made in a way that completely defeats its
point - by including your address on the page - there is no email
address to protect. The spammer can try to break into the server to
see the script file with the address (really not worth it), or try to
abuse the form by sending spam through it. But they can't lift your
email address directly from it.
| |
| shimmyshack 2007-04-01, 9:58 pm |
| On 2 Apr, 01:07, "Arancaytar" <arancaytar.ilya...@gmail.com> wrote:
> Um, I think the answers here are all missing the point.
>
> The purpose of a contact form that sends emails with PHP is that _your
> email address is never shown to the user_. At all. The server takes
> the user's text, sends it to you, and tells the user the message was
> sent. Your address never even gets transmitted to the user's computer,
> whether in one piece or in a lot of really hard to read pieces.
>
> This makes all the talk of "obfuscating" an email address irrelevant.
> Unless the mailing script is made in a way that completely defeats its
> point - by including your address on the page - there is no email
> address to protect. The spammer can try to break into the server to
> see the script file with the address (really not worth it), or try to
> abuse the form by sending spam through it. But they can't lift your
> email address directly from it.
....actually the responses moved on from saying what you said - plus
adding a captcha, antispam on the client, and various other ways to
stop contact form spam - to how to protect email addresses if they
/were/ on the page, which is the only option for some....