
Getting Spam from my mailform again!

#1 (permalink)
06-06-09, 01:26 PM
bally123

I thought I had the perfect PHP mailform script, but for some reason these damn bots are still bypassing the validation in my HTML by just linking straight to the PHP file, I think.

Can I insert some code so that mailform.php checks the information is only being submitted from my site?

Here is my code:

PHP Code:
<?php
////////////////////////////////////////////////////////////////
// PERFECT                                                    //
// -------                                                    //
// PHP E-mail Receive Form Electronic Content Text            //
// File: feedback.php                                         //
// Version: 1.8 (April 21, 2008)                              //
// Description: Processes a web form to read the user input   //
//    and then send the data to a predefined recipient.  You  //
//    are free to use and modify this script as you like.     //
// Instructions:  Go to "http://www.centerkey.com/php".       //
// License: Public Domain Software                            //
//                                                            //
// Center Key Software  *  www.centerkey.com  *  Dem Pilafian //
////////////////////////////////////////////////////////////////

// Configuration Settings
// $fname, $femail and $subject are not assigned in this file; they rely on
// register_globals and reach the mail headers exactly as submitted
$SendFrom =    "$fname <$femail>";
$SendTo =      "info@domains.com";
$SubjectLine = "$subject";
$ThanksURL =   "thanks.html";  //confirmation page

// Build Message Body from Web Form Input
$MsgBody = <<<END
{$_POST['fname']} has made an enquiry about {$_POST['subject']}\n\n{$_POST['fmess']}\n\nTheir contact details are:
{$_POST['fname']}\n{$_POST['fadd1']}\n{$_POST['fadd2']}\n{$_POST['fcity']}\n{$_POST['fpost']}\n\n{$_POST['fnumber']}\n{$_POST['femail']}
END;
$MsgBody = htmlspecialchars($MsgBody, ENT_NOQUOTES);  //make safe

// Send E-Mail and Direct Browser to Confirmation Page
if (count($_POST) > 0)
   {
   // Braces added so an empty request never reaches mail()
   $Spam = count($_POST) == 0 || stristr($MsgBody, "cc: ") ||
      stristr($MsgBody, "href=") || stristr($MsgBody, "[url") || stristr($MsgBody, "http://");
   if (!$Spam)
      mail($SendTo, $SubjectLine, $MsgBody, "From: $SendFrom");
   }
header("Location: $ThanksURL");
?>

#2 (permalink)
06-06-09, 02:29 PM
Jcbones

Look into honeypots, they do work. Bots are blind to certain things.

One of them is 'styles'.

Code:
<style type="text/css">
.check 
{
display:none;
}
</style>

<input class="check" type="text" name="email" value=""/>

PHP Code:
//script to validate honeypot
if($_POST['email'] != NULL)
{
     echo 'Your a spam bot, I will send no emails';
}
else {
     // honeypot left empty: send as usual (mail() call from the script in post #1)
     mail($SendTo, $SubjectLine, $MsgBody, "From: $SendFrom");
}


#3 (permalink)
06-07-09, 07:29 AM
mdhall

CAPTCHA systems are pretty effective at stopping spam.

#4 (permalink)
06-08-09, 04:20 AM
bally123

Is there a way of preventing the script from being accessed from any other domain or IP other than the one it's hosted on?

#5 (permalink)
06-08-09, 06:24 PM
Jcbones

Yes,

.htaccess DENY/ALL

#6 (permalink)
06-08-09, 09:28 PM
wirehopper

#7 (permalink)
06-09-09, 02:44 PM
bally123

Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://domain.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|php)$ - [F,NC]

Will this do or should I just use "deny from all"?

#8 (permalink)
06-09-09, 03:02 PM
wirehopper

Referrer isn't always reliable.

reCAPTCHA: Stop Spam, Read Books

#9 (permalink)
06-19-09, 04:30 AM
bally123

The referer didn't work. Although my form has validation throughout, including numbers only for the contact number, I am still getting emails where they have bypassed the JavaScript validation on the form :doh:

Is reCAPTCHA my only option? I am a bit reluctant to use it because it puts potential customers off when trying to submit a quick enquiry.
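
What the replies in this thread add up to on the server side, as an added example (not code from any poster or from the Center Key script): the honeypot from post #2, a signed timestamp token in place of the Referer check, and the JavaScript checks repeated in PHP. `FORM_SECRET`, the `form_token` field and the two time limits are assumptions; the other field names come from the form in post #1.

```php
<?php
// Added example: server-side checks for the mail form discussed in this thread.
// Hypothetical names: FORM_SECRET, form_token, MIN_FILL_SECONDS, MAX_TOKEN_AGE.
const FORM_SECRET      = 'replace-with-a-long-random-value'; // placeholder secret
const MIN_FILL_SECONDS = 3;     // assumed: a person needs at least this long
const MAX_TOKEN_AGE    = 3600;  // assumed: a rendered form stays valid for one hour

// Call when rendering the form; put the result in a hidden "form_token" input.
function issue_form_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string)$now, FORM_SECRET);
}

// Returns a list of reasons to reject; an empty list means the post may be mailed.
function check_submission(array $post, int $now): array {
    $why = [];
    // Honeypot from post #2: the CSS-hidden "email" field must stay empty.
    if (($post['email'] ?? '') !== '') $why[] = 'honeypot filled';
    // The token shows the form was fetched from this site recently (no Referer needed).
    $parts = explode('.', (string)($post['form_token'] ?? ''), 2);
    $ts = $parts[0];  $mac = $parts[1] ?? '';
    if (!ctype_digit($ts) || !hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $mac)) {
        $why[] = 'bad token';
    } elseif ($now - (int)$ts < MIN_FILL_SECONDS || $now - (int)$ts > MAX_TOKEN_AGE) {
        $why[] = 'token too new or expired';
    }
    // Repeat the JavaScript checks here; a direct POST never runs them.
    if (!filter_var($post['femail'] ?? '', FILTER_VALIDATE_EMAIL)) $why[] = 'bad femail';
    if (!ctype_digit((string)($post['fnumber'] ?? ''))) $why[] = 'fnumber not numeric';
    // CR/LF in anything destined for a mail header is rejected outright.
    foreach (['fname', 'femail', 'subject'] as $f) {
        if (preg_match('/[\r\n]/', (string)($post[$f] ?? ''))) $why[] = "line break in $f";
    }
    return $why;
}

// Constructed sample input: one normal submission and one direct POST with no token.
$t0 = 1700000000;
$human = ['fname' => 'Ann', 'femail' => 'ann@example.com', 'fnumber' => '01234567890',
          'subject' => 'Quote', 'fmess' => 'Hello', 'email' => '',
          'form_token' => issue_form_token($t0)];
$bot = ['fname' => "Bob\r\nX-Extra: 1", 'femail' => 'x', 'fnumber' => 'abc',
        'email' => 'spam@example.org'];
print_r(check_submission($human, $t0 + 20));
print_r(check_submission($bot, $t0 + 20));
```

Call `issue_form_token(time())` when rendering the form and mail only when `check_submission($_POST, time())` returns an empty array. A bot that loads the form page first still receives a valid token, so the token stands in for the Referer check, not for a CAPTCHA.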

#10 (permalink)
06-19-09, 06:40 AM
wirehopper

Other things you can try are to encrypt an email address or deliver it as an image on the page.

Hiding Your Email Address

Spam Proof eMail Address Generator

You can Google for more, there are many solutions.

These are nice options because clicking on the links allows the person to use their email client to send the message, instead of a web form. Saves you time on development and security. The only downside is that the person contacting you may not give you all the information - but - what you are almost guaranteed to get is their email address, which is the most important thing for responding.

Good luck.