"Mail-to-friend" PHP based security script

Posted on 2006-05-18
Last Modified: 2010-04-11
Hi X-perts,

I am building a real estate site with a "mail-to-friend" feature for the selected listings. I am using a standard PHP mail function. Is it really necessary to add security image protection to prevent automatic script emailing? I have checked a lot of similar sites and only a few of them have that kind of protection.

Are there many cases of abusing PHP mail systems?

Thank you,

Question by: andy7789
    LVL 6

    Assisted Solution

    Well... here's my guess at this -- you most likely won't have problems if you write the form yourself and you require entries that aren't "standard" so that most automated tools made to spam from websites can't be used.

    However, if you're concerned that someone may specifically target your site, then CAPTCHA may be a good thing to implement.
    LVL 5

    Accepted Solution


    Stay away from the standards, like not using "email", "name", "subject" in the field names. This will be one way of protecting it. Another way is to simply write a "message" validation in which you check for "unwanted words". This is what we used and it works like a bliss. We created an array and checked the message foreach() entry in the array to see if it has a match. If it does, words like viagra etc. were used and thus the mail wasn't sent...

    -Regards Chris

    Author Comment

    Thank you both. Just two points. Even if I change typical form field names, it's easy to get them directly from the page source. Also, I use a "bad words" system, but you have to put in a lot of different combinations like vi7gra etc. I have a few Yahoo emails and receive hundreds of spam messages with masked words like the one just mentioned. Probably, an extra CAPTCHA line would be a solution.
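
The word-list check described in the accepted answer, and the masked spelling raised in the reply above, as an added PHP example (not code from any poster in this thread). The function names, blocklist and sample messages are constructed; the fuzzy variant built on `levenshtein()` is a swapped-in illustration, and the last sample message shows what it costs in false positives.

```php
<?php
// Added example, not code from the thread. Blocklist and messages are constructed.

// The check as described in the accepted answer: loop over an array of
// unwanted words and reject the message on any literal match.
function literal_match(string $message, array $blocklist): ?string
{
    foreach ($blocklist as $word) {
        if (stripos($message, $word) !== false) {
            return $word;
        }
    }
    return null;
}

// Variant that tolerates one changed, added or dropped character per word
// (edit distance <= 1). Assumption: ASCII text; levenshtein() counts bytes.
function fuzzy_match(string $message, array $blocklist, int $maxDistance = 1): ?string
{
    $tokens = preg_split('/[^a-z0-9]+/', strtolower($message), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($tokens as $token) {
        foreach ($blocklist as $word) {
            // Skip short tokens: one edit on a short word matches far too much.
            if (strlen($token) >= 5 && levenshtein($token, strtolower($word)) <= $maxDistance) {
                return $word;
            }
        }
    }
    return null;
}

$blocklist = ['viagra', 'casino'];                      // constructed
$messages  = [                                          // constructed
    'Have a look at this listing, 3 bedrooms near the park',
    'cheap viagra here',
    'cheap vi7gra here',                                // masked spelling from the thread
    'The window casing in the kitchen needs repair',    // legitimate, but one edit from "casino"
];

foreach ($messages as $m) {
    printf("%-50s literal=%-7s fuzzy=%s\n", $m,
        literal_match($m, $blocklist) ?? 'pass',
        fuzzy_match($m, $blocklist) ?? 'pass');
}
```

The literal check passes the masked message; the fuzzy check catches it but also flags the legitimate "casing" message, so on a real estate form a match is better queued for review than silently dropped.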


    LVL 51

    Expert Comment

    > so that most automated tools made to spam from websites can't be used.
    Writing a simple one-liner which uses any web form as spam relay for a few billions of mails is a matter of a few minutes; that has nothing to do with "standards" (as common form names etc.).
    You have to protect your site with something not computable, CAPTCHAs might be a good starter (even if most of them are breakable automatically too).
    LVL 5

    Expert Comment

    The true problem is that everything you come up with has a workaround. If they really want to spam peeps through your site they will. All you can humanly do is make it tough to do so. Most scripts are built to exploit the mass of it, so make sure you're not part of the mass...

    Regards & good luck,


    Author Comment

    Thank you all. It seems that I have to find a decent CAPTCHA solution - something tight, but not impossible to read ...
