Php Development » anti spam

email domain really exists

mahesh chari — Mon, 29 Nov 2010 07:28:44 +0000

How to check users email address domain really exists?

We know how spam bothers much on contact pages of web application,even we use captcha ,there will be manually generated spam.
And we don’t know given email address is fake or real.

Good thing is that we can check is given email address fake or not with php .For this PHP has handy function that checks the email domain for real time exists.

Bad thing is that this function is not bundled until 5.3 on windows server.

checkdnsrr

function is_emaildomain($email)
 {
 return (bool)checkdnsrr(preg_replace('/^[^@]++@/', '', $email), 'MX');
 }

real ip address

mahesh chari — Tue, 30 Jun 2009 13:02:18 +0000

A simple function to find the real IP address of the client with php

As the internet growing as long as spamming,hacking,fishing,bots also increasing,there by normal user can easly decepted by with them. in many security application we need to find the real ip address to ban or record the ip related activities.here we use small function that returns and modify the PHP global remote address variable.

Usually we’ll use $_SERVER['REMOTE_ADDR'] to get clients IP address. But this doesn’t return the real IP address all time. Basically when someone using PROXY that valiable returns proxy IP the client using. So here’s a function you can use to detect real ip address of client. Here are extra Server variable which might be available to determine the exact IP address of the client’s machine in PHP, they are HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR

function real_ip(){
	if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
		$_SERVER['REMOTE_ADDR']=$_SERVER['HTTP_X_FORWARDED_FOR'];
	}elseif(isset($_SERVER['HTTP_X_REAL_IP']){
		$_SERVER['REMOTE_ADDR']=$_SERVER['HTTP_X_REAL_IP'];
	}
return $_SERVER['REMOTE_ADDR'];
}

check ajax request

mahesh chari — Sun, 28 Jun 2009 22:18:34 +0000

how to find the given request from ajax with php

In my recent project ,i have to restrict a page from direct accessing from browser with typing address on browser .this page must only accessible with ajax only.thank god there is a solution to find this with php server global variable that works with php5.then i made it a simple following function.

function is_Ajax() {
return (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'));
}

captcha php tutorial

mahesh chari — Mon, 01 Jun 2009 12:10:56 +0000

A simple php captcha image tutorial

Captcha is a test for user if he is real human or computer. In this example we use PHP GD2 functions to create the image on the fly. To test this functionality we need following files.We already discussed about anti spam web contact form in my provious post.this is one of methods.
Php_captcha.php :- in this file we create the captcha image and store the data in PHP session.
Captcha_test.phpl :- in this file we run the user form and validate the user for is he bot or not.
captcha.JPG :- this image is used as back ground for generated PHP captcha. This file must have at least read permission on the main server.

You can download the source code here and you can test in your local server. Remember your PHP must have GD extension to run this example. You can read comments on the script for detail explanation.

Example source Code

php_captcha_example_tutorial_source code

Example source Code

php_captcha_example_tutorial_source code

protecting web contact forms from spam bots

mahesh chari — Sat, 16 May 2009 07:06:22 +0000

Protecting web forms from spam bots using PHP

Spam bot is a program that submits the data to server by guessing form fields with html code.
For detailed article please refer my previous post.

Here some methods of preventing Spam bots that automatically submits.

Using captcha
Using random hidden field
Using hidden input text box.
Email header injecting.
Checking referrer page
Following basic rules

We can prevent the Spam bots with some basic rules
Prevent email harvesting on your web pages, see my previous post anti email harvesting.
Generally Spam bots looks for form tag and contained input, check box, radio boxes, option element (Hhhh all the form elements), fills their data with their spam data so we can take this as advantage, some spam bots stores this information and sends with proxy without resubmitting the web contact form, so we can prevent this type of technics.
Use deferent form fields than usually, like use ‘ xyz_nm’ instead ‘name’.Change the form field’s name in regular interval, like put ‘zmon_nm’ on ‘Monday’, ‘ztue_nm’ on ‘Tuesday’.
Use random named hidden input field with a default value is empty on every form submission like captcha, if the default value of the hidden field changed other than default, it is sure Spam.
Put one input text box element with random name and hide it with CSS style, since it won’t visible to general user, the default value could not changed, if any changes made to this value of input it is definitely Spam.
Don’t put email address in the form elements, instead put it in sever side variable.
Check for page referrer, however some server’s firewalls don’t allow this information, they strips the data.
Use captcha like methods or services that are available present , but this captcha has some inconvenience to the user.
Disabling or filtering HTML message in form elements, since maximum spam bots try to fill HTML data.
Make sure to access all the forms for login users and track down their messaging and ban certain user.

 
#function that validate the user email
function is_valid_email($email){
$eregpat="^[A-z][A-z0-9_-]+([.]([A-z0-9_-])+)*[@][A-z0-9_]+([.][A-z0-9_]+)*[.][A-z]{2,4}$";
return eregi($eregpat,$email );
}
 
#function that validate user comments
function is_valid_comments($data){
return ($data=="");
}
#function that clean the user data againest 
#email header injection so we clean it
function safe_mail($data){
#clean non standerd alpha numeric and some special symbels
#clean email related headers like header,from,body,'cc','bcc',\r\n etc
$patterns=array('/[^a-zA-Z0-9\.-@_]/','from','header','body','CC','BCC');
return preg_replace($patterns,'',$data);
}
 
 
function send_mail($data){
#do what ever you want here with user data
#like storing into database or sending email to admin
}
 
#clean all data from user contact form and process this to store in mysql and sending email

function process_contactform(){
$data=array();
$data['name']=safe_mail($_POST['sfsf_name']);
$data['email']=safe_mail($_POST['jflsjls_email']);
$data['website']=safe_mail($_POST['kipmp_website']);
$data['comments']=safe_mail($_POST['comments_sfs']);
send_mail($data);
}
 
 
require_once('recaptchalib.php');
 
// Get a key from http://recaptcha.net/api/getkey
$publickey = "6LdVSQYAAAAAAFwb2919Sf8Uhcq3Z55bQc7d8Bx0";
$privatekey = "6LdVSQYAAAAAAIVT-VaJlea6WuOlLqJtt0UUK6xZ";
 
# the response from reCAPTCHA
$resp = null;
#error cacher
$errors = array();
 
if(isset($_POST['Submit'])){
# was there a reCAPTCHA response?
if (isset($_POST["recaptcha_response_field"])) {
        $resp = recaptcha_check_answer ($privatekey,
                                        $_SERVER["REMOTE_ADDR"],
                                        $_POST["recaptcha_challenge_field"],
                                        $_POST["recaptcha_response_field"]);
 
        if ($resp->is_valid) {
                echo "You got it!";
        } else {
                # set the error code so that we can display it
                $errors[] = $resp->error;
        }
}
 
#check the page that submits is belong to our domai or not
#remember some servers don't allow this data or don't have information
if(strpos('localhost', $_SERVER['HTTP_REFERER'])==false){
$errors[] ='This page can be prcessed from this domain only.';
}
 
#check email validation
if(isset($_POST['jflsjls_email']) and !is_valid_email($_POST['jflsjls_email'])){
$errors[]='Invalid email address.'; 
}
 
#check comment validation 
if(isset($_POST['comments_sfs']) and !is_valid_comments($_POST['comments_sfs'])){
$errors[]='Trying to email header injection.';
}
 
#check user is bot or not
if(isset($_POST['owjrj_ran']) and !$_POST['owjrj_ran']==''){
$errors[]='You are spam bot.';
}
 
#check user is bot or not
if(isset($_POST['mpmpm_rwrw']) and !$_POST['mpmpm_rwrw']==''){
$errors[]='You are spam bot.';
}
 
#check all errors and process contact form
if( isset($_POST['Submit']) and count($errors)==0){
process_contactform();
}
 
 
}
 
#if errors display
if(isset($_POST['Submit'])){
if(count($errors)>0){
echo '';
foreach($errors as $k=>$v){
echo ''.$v.'
';
}
echo '
';
}
}
?>

HTML code




Contact Form


 


  
    
      Contact Me
              
    
    
       Name 
            
    
    
      Email: * 
      
    
    
       Web Site 
      
    
    
      
	  
	  
	  
        
        Comments*
    
    
      
    
    
      
	  
	  
    
    
      
         
        * Required field

Download Source Code

web-contact-form-with-anti-spam-methods download link here

email obfuscation

mahesh chari — Thu, 14 May 2009 11:47:37 +0000

protecting E-mail Address on web pages with php, javascript from E-mail spammers

E-mail Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it.Most spam is Commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send — most of the costs are paid for by the recipient or the carriers rather than by the sender.

How do they catch email address of users? Or how do they email harvesting?

There are many ways to get users email address but here we talk about only two ways.

From web pages:

Spammers have programs which spider through web pages, looking for email addresses, e.g. email addresses contained in mailto: HTML tags [those you can click on and get a mail window opened],a word contains @ symbol ,a word contains mailto:

From various web contact or enquiry forms.

Some sites request various details via forms, e.g. guest books & registrations forms.
Spammers can get email addresses from those either because the form becomes available
on the world wide web, or because the site sells / gives the emails list to others.
some spammers use weak security web forms on certain websites to protect web form from spammers please refer my post

Preventing E-mail harvesting on web pages

e-mail Address munging or e-mail Obfuscation

Address munging is the practice of disguising, or munging, to prevent it being automatically collected by spam bots.
Some examples are

no-one at example (dot) com
no-one@elpmaxe.com.invalid
moc.elpmaxe@eno-on
no-one@exampleREMOVEME.com.invalid
remove .invalid
no-one@exampleNOSPAM.com.invalid
n o – o n e @ e x a m p l e . c o m
no-one@example.com (as HTML)

Even though the email harvesting reduced in measurable amount, with this method the main user has to predict the original. Now days some spam bots also overcomes this method.

Using javascript

Most of the spam bots don’t execute the javascript and they use regular expression to catch the address.
So we can advance the method of munging with following examples

For static web pages e-mail Obfuscation

<script type="text/javascript">
var name = 'user';
var at = '@';
var domain = 'example.com';
document.write(name + at + domain);
script>

<script>
document.write(‘m’+’y’+’m’+’a’+’i’+’l’+’ &#64;’+’y’+’o’+’u’+’d’+’o’+’m’+’a’+’i’+’n’+’ &#46’+’c’+’o’+’m’);
script>
//In the above example we use html equivalent ASCII chars @ for  symbol and . for ‘.’ Character.

For dynamic web pages with PHP server side language e-mail Obfuscation

function safe_asciimail($email){
$length=strlen($email);
	if($length==0)return '';
	$email=strtolower(trim($email));
	$email_array=str_split($email);
	$ascii_email_array=array();
	for( $i=0;$i<count($email_array);$i++){
		$c=$email_array[$i];
		$ascii_email_array[]='&#'.ord($c).';';
	}
return '';
}
 
//We can call this method as follow 
//safe_asciimail(‘mymail@yourdomain.com’);