

"Mail-to-friend" PHP based security script

Posted on 2006-05-18
Medium Priority
Last Modified: 2010-04-11
Hi X-perts,

I am building a real estate site with a "mail-to-friend" feature for the selected listings. I am using a standard PHP mail function. Is it really necessary to add a security image protection to prevent automatic script emailing? I have checked a lot of similar sites and only a few of them have that kind of protection.

Are there many cases of abusing PHP mail systems?

Thank you,

Question by:andy7789

Assisted Solution

LindyMoff earned 600 total points
ID: 16718207
Well... here's my guess at this -- you most likely won't have problems if you write the form yourself and you require entries that aren't "standard" so that most automated tools made to spam from websites can't be used.

However, if you're concerned that someone may specifically target your site, then CAPTCHA may be a good thing to implement.

Accepted Solution

dutchclan earned 600 total points
ID: 16722805

Stay away from the standards. Like not using "email" "name" "subject" in the field names. This will be one way of protecting it. Another way is to simply write a "message" validation in which you check for "unwanted words". This is what we used and it works like a bliss. We created an array and checked the message foreach() entry in the array if it has a match. If it does, words like viagra etc. were used and thus the mail wasn't sent...

-Regards Chris

Author Comment

ID: 16723993
Thank you both. Just two points. Even if I change typical form field names, it's easy to get them directly from the page source. Also, I use a "bad words" system, but you have to put a lot of different combinations like vi7gra etc. I have a few Yahoo emails and receive hundreds of spam messages with masked words like just mentioned. Probably, an extra CAPTCHA line would be a solution.



Expert Comment

ID: 16724305
> so that most automated tools made to spam from websites can't be used.
Writing a simple one-liner which uses any web form as a spam relay for a few billion mails is a matter of a few minutes; that has nothing to do with "standards" (such as common form names etc.).
You have to protect your site with something not computable, CAPTCHAs might be a good starter (even if most of them are breakable automatically too).

Expert Comment

ID: 16725619
The true problem is that everything you come up with has a workaround. If they really want to spam peeps through your site they will. All you can humanly do is make it tough to do so. Most scripts are built to exploit the mass of it, so make sure you're not part of the mass...

Regards & good luck,


Author Comment

ID: 16725854
Thank you all. It seems that I have to find a decent CAPTCHA solution - something tight, but not impossible to read ...
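
The checks discussed in this thread (a CAPTCHA answer verified on the server, a word-list filter), combined in one handler as an added example that is not code from any poster. It goes beyond the thread by also rejecting line breaks in header-bound fields and capping sends per session; the field names, the `captcha_answer` session key, the limit, the word list and the From address are all assumptions.

```php
<?php
const MAX_SENDS_PER_SESSION = 5;   // assumed limit
const BLOCKED_WORDS = ['viagra'];  // constructed sample list

// Read one form field as a trimmed string; arrays and missing keys become ''.
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Return the names of failed checks; an empty array means the mail may be sent.
function check_request(array $post, array &$session): array
{
    $errors = [];
    // Answer stored server-side when the image was rendered; single use, so no replay.
    $expected = $session['captcha_answer'] ?? null;
    unset($session['captcha_answer']);
    if (!is_string($expected) || $expected === ''
        || !hash_equals(strtolower($expected), strtolower(field($post, 'captcha')))) {
        $errors[] = 'captcha';
    }
    if (filter_var(field($post, 'friend_addr'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'recipient';
    }
    // Values that end up in mail headers must not contain line breaks.
    if (preg_match('/[\r\n]/', field($post, 'friend_addr') . field($post, 'sender_label'))) {
        $errors[] = 'header';
    }
    // Plain word-list match; obfuscated spellings pass, so it only supplements the CAPTCHA.
    $note = field($post, 'note');
    if (array_filter(BLOCKED_WORDS, fn($w) => stripos($note, $w) !== false)) {
        $errors[] = 'content';
    }
    if (($session['sent'] ?? 0) >= MAX_SENDS_PER_SESSION) {
        $errors[] = 'rate';
    }
    return $errors;
}

function send_to_friend(array $post, array &$session, string $listingUrl): bool
{
    if (check_request($post, $session) !== []) {
        return false;
    }
    $session['sent'] = ($session['sent'] ?? 0) + 1;
    $subject = 'A listing from ' . field($post, 'sender_label');
    $body = $listingUrl . "\n\n" . field($post, 'note');  // URL comes from the server, not the form
    return mail(field($post, 'friend_addr'), $subject, $body, 'From: noreply@example.com');
}
```

Call `send_to_friend($_POST, $_SESSION, $url)` after `session_start()`; a client that discards cookies never has a stored CAPTCHA answer, so it fails the first check.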


Question has a verified solution.
