Spam protection on the site
We know what spam is, because we have all faced the problem or read about it. We also know how spammers gather addresses for their mailings. It is no secret that spam can't be defeated completely. The problem is how to protect users who leave their contacts on a site, and to do so with minimal effort.
Earlier tested methods of protection
The most dangerous are programs that download sites and extract mail addresses from the pages. If you have a small site, the following automatic text replacement will be enough:
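<?php
// Replace each mailto: link with a decoy address; the real address is
// assembled in the browser on mouseover, so it never appears whole in the HTML.
$text = preg_replace("~(<a[^>]+href=)([\"']?)mailto:([\\w_.-]+)([\\w_.-])@" .
    "([\\w_.-])([\\w_.-]+\\.[a-z]{2,4})\\2([ >])~i",
    "\\1\"mailto:spamux@nospam.com\" " .
    "onMouseover=\"this.href='mai' + 'lto:\\3' + '\\4' + '%40' + '\\5' + '\\6';\"\\7",
    $text);
?>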
Unfortunately it doesn’t work if you have a big site.
It is hard to invent a new method of protection when a tested one already exists: a form on the site for sending messages. Now we'll design it. The advantages of this method are obvious: nobody can take addresses from your site for a spam database. Sending a message while hiding the sender's address (as spammers do) is impossible, because the web server records the IP address.
Lists of public proxy servers are refreshed regularly, so it is very easy to block access through them.
Form sender
We’ll start with it because it is the most important part.
When installing a form sender on the site, it is very important to protect it from hackers' attacks, which are no better than spam. That's why we have to do our best in that direction.
First, we'll try to prevent stupid double clicks and the sending of many identical requests. The idea is that a message won't be sent if the user hasn't opened the page with the form, and once that page has been opened the message will be sent only once. This is easily done with sessions in PHP. When the page is opened we start a session and save a variable $flag in it. The session identifier is placed in a hidden element at the end of the form. The user enters a message and submits the form. On receiving the form, the script starts the session and checks the presence and value of the variable $flag. If the variable doesn't exist, it is a second click and the message won't be sent; an error message is shown. If the variable exists and its value is the expected one, the script sends the letter and deletes the session.
Secondly, we'll protect against smart hackers by keeping message logs. When a user submits a filled-in form, the script looks at the logs and checks their content. The following should be prohibited:
- Sending messages to the same address more often than the set period allows;
- Sending the same text to different addresses;
- Using the form sender very frequently, for example 10 messages per 24 hours for one user.
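The three log rules above can be applied as a single check before the letter is sent. The following is an added example, not code from the original article; the function name, the log fields, the 600-second period, treating the IP address as the user, and the sample data are all assumptions.

```php
<?php
// Added example: the three log rules as one check. Thresholds, field
// names and the sample log are assumptions, not values from the article.
const SAME_ADDRESS_PERIOD = 600;   // assumed minimum seconds between messages to one address
const DAILY_LIMIT         = 10;    // the article's example figure, treated here as a cap
const DAY                 = 86400;

/**
 * Returns null if the message may be sent, otherwise the rule it breaks.
 * $log rows: ['time' => int, 'ip' => string, 'to' => string, 'hash' => string]
 */
function check_message(array $log, string $ip, string $to, string $text, int $now): ?string
{
    // Normalise whitespace and case so trivial edits do not defeat the same-text rule.
    $hash = hash('sha256', strtolower(preg_replace('/\s+/', ' ', trim($text))));
    $sentToday = 0;
    foreach ($log as $row) {
        $age = $now - $row['time'];
        if ($row['to'] === $to && $age < SAME_ADDRESS_PERIOD) {
            return 'same address too soon';
        }
        if ($row['hash'] === $hash && $row['to'] !== $to) {
            return 'same text to a different address';   // checked across all senders
        }
        if ($row['ip'] === $ip && $age < DAY) {
            $sentToday++;                                // "user" is assumed to mean IP address
        }
    }
    return $sentToday >= DAILY_LIMIT ? 'daily limit reached' : null;
}

// Constructed sample log: one earlier message from 203.0.113.7.
$now = 1700000000;
$log = [[
    'time' => $now - 3600, 'ip' => '203.0.113.7', 'to' => 'anna@example.com',
    'hash' => hash('sha256', 'buy cheap watches'),
]];

var_dump(check_message($log, '203.0.113.7', 'bob@example.com', 'Hello Bob', $now));
var_dump(check_message($log, '203.0.113.7', 'bob@example.com', "Buy  cheap WATCHES\n", $now));
var_dump(check_message($log, '198.51.100.2', 'anna@example.com', 'Hi', $now - 3300));
```

The log stores a hash of the normalised text rather than the text itself, so the check does not need to keep users' messages.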
The session ID will be at the end of the form. The reason is that a hacker will have to download the whole form and analyze it, which is a more complicated process than sending an HTTP request.
Hiding mail addresses is very simple. The automatic replacement mechanism requires no additional effort, and you can keep on writing your site pages. The complexity appears when you try to protect the form sender from web hackers. That protection requires a lot of effort and complex code.



