I am continuously receiving spam from the contact us page.

In all of the spam there is no proper e-mail; the e-mail address comes across like this: Amsterdam

I have applied JavaScript validation on the contact us form, so there should be no chance to pass an invalid e-mail address.

Is a hacker posting data directly to my PHP file?

My form's action is HTMLFORMresponseFeedback.php, so the data is posted to this file.

I have heard we can post data via curl to any PHP file.

What security do I need to apply to disable this approach?

Will this condition work?

if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == 'http://abc.com/contact_us') {
    // process the form
} else {
    // redirect
}
Jason
Rana.Asif
  • possible duplicate of [How to prevent robots from automatically filling up a form?](http://stackoverflow.com/questions/2387496/how-to-prevent-robots-from-automatically-filling-up-a-form) – Eric J. Jan 26 '13 at 20:24

2 Answers

3

You have used JavaScript so that it's impossible to pass an invalid email? Sorry, that isn't true. Most spam bots do not have JS engines, and so your validation is irrelevant.

You should look at implementing the following:

  • Server-side email address format validation
  • Look into CAPTCHA options, such as reCAPTCHA, or an alternative method of verifying the sender is actually a human.
  • Akismet, a great way to identify spam clients.
BenM
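The first bullet above, server-side validation, is the part the asker's JavaScript cannot provide: anything that builds the POST by hand (curl, a bot) never runs the page's scripts, so the PHP file has to check the fields itself. The following is an added example, not code from the answer or from the asker's site; the function name, the field names `email` and `message`, and the sample inputs are assumptions made for this illustration. It also shows why the Referer condition in the question is not a substitute: `$_SERVER['HTTP_REFERER']` is whatever the client chose to send, and many browsers and privacy extensions omit it, so that check turns away real visitors while a bot that sets the header passes.

```php
<?php
// Added example (not the answer's or the asker's code): server-side
// validation for a contact form handler such as HTMLFORMresponseFeedback.php.
// Function name and field names are assumptions for this illustration.

declare(strict_types=1);

/**
 * Validate a contact form submission on the server.
 * Returns a list of error messages; an empty list means the input is acceptable.
 */
function validate_contact(array $post): array
{
    $errors = [];

    // Syntactic e-mail check: a value like "Amsterdam" has no "@" and fails here.
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address';
    }

    // Bound the message so the handler cannot be used to relay huge bodies.
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'Message must be between 1 and 5000 characters';
    }

    return $errors;
}

// The Referer header is optional and client-supplied; log it at most, never
// use it as the gate. (Assumption: the handler keeps a plain text log.)
function referer_for_log(array $server): string
{
    return isset($server['HTTP_REFERER']) ? (string)$server['HTTP_REFERER'] : '(none)';
}

// Constructed sample inputs modelled on the spam described in the question.
if (PHP_SAPI === 'cli') {
    $spam = ['email' => 'Amsterdam', 'message' => 'buy now'];
    $ok   = ['email' => 'alice@example.com', 'message' => 'Hello, I have a question.'];
    var_dump(validate_contact($spam));
    var_dump(validate_contact($ok));
    echo referer_for_log([]), "\n";
}

// In the real handler, after session_start() and before sending any mail:
// $errors = validate_contact($_POST);
// if ($errors !== []) { http_response_code(400); exit(implode("\n", $errors)); }
```

`filter_var` with `FILTER_VALIDATE_EMAIL` rejects addresses containing line breaks as well, which matters if the address is ever placed in a `From:` or `Reply-To:` mail header; keep the validation on the server even after adding a CAPTCHA, since the two defend against different things.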
2

You could do several things including:

1) Putting a fake field that only bots will see. Then if that field is submitted with the rest of the form you can ignore it (and ban them if desired). You can also trap bad bots who follow a hidden link.

2) Use a CAPTCHA like reCAPTCHA

3) Use a field that requires the user to answer a question like what is 5 + 3. Any human can answer it but a bot won't know what to do since it is auto-populating fields based on field names. So that field will be either incorrect or missing in which case the submission will be rejected.

4) Use a token and put it into a session and also add it to the form. If the token is not submitted with the form or doesn't match then it is automated and can be ignored.

5) Look for repeated submissions from the same IP address. If your form shouldn't get too many requests but suddenly is, it probably is being hit by a bot and you should consider temporarily blocking the IP address.

6) Use Akismet. It is great at identifying spam.

John Conde
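Points 1, 3, 4 and 5 above (honeypot field, arithmetic question, session token, per-IP rate limit) fit together in one handler, because each catches a different kind of automation: a bot that fills every field by name trips the honeypot, one that never loaded the form has no token, one that loaded it but cannot read the question answers wrongly, and one that does everything right still gets throttled. The block below is an added example written for this page, not the answer's code; the field names `website`, `sum` and `form_token`, the JSON file used as the rate-limit store, and the sample IP addresses are assumptions. It needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the answer: a form handler combining a
// honeypot field, an arithmetic question, a single-use session token and a
// per-IP rate limit. Field names and the file-based store are assumptions.

declare(strict_types=1);

// Rendering side: called when the form page is built. The form then renders a
// hidden "form_token" field, a visible "sum" field for the question and a
// honeypot field "website" that CSS hides from humans.
function prepare_form(array &$session): array
{
    $session['form_token'] = bin2hex(random_bytes(16));
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['sum_answer'] = $a + $b;      // expected answer stays server-side
    return ['token' => $session['form_token'], 'question' => "What is $a + $b?"];
}

// Rate limit: remember submission timestamps per IP in a small JSON file and
// report whether this IP exceeded $max submissions inside $window seconds.
function rate_limited(string $ip, string $store, int $max = 5, int $window = 600): bool
{
    $data = is_file($store) ? (json_decode((string)file_get_contents($store), true) ?: []) : [];
    $now  = time();
    $hits = array_filter($data[$ip] ?? [], fn($t) => $t > $now - $window);
    $hits[] = $now;
    $data[$ip] = array_values($hits);
    file_put_contents($store, json_encode($data), LOCK_EX);
    return count($hits) > $max;
}

// Submission side: returns the reason for rejection, or null when accepted.
function check_submission(array $post, array &$session, string $ip, string $store): ?string
{
    // 1) Honeypot: humans never see this field, so any value means automation.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    // 4) The token issued with the form must come back unchanged.
    $token = (string)($post['form_token'] ?? '');
    if (!isset($session['form_token']) || !hash_equals($session['form_token'], $token)) {
        return 'missing or wrong token';
    }
    // 3) The arithmetic question must be answered correctly.
    if (!isset($session['sum_answer']) || (int)($post['sum'] ?? -1) !== $session['sum_answer']) {
        return 'wrong answer to question';
    }
    // 5) Too many submissions from one address inside the window.
    if (rate_limited($ip, $store)) {
        return 'rate limited';
    }
    // Token and answer are single-use: a replay of the same POST now fails.
    unset($session['form_token'], $session['sum_answer']);
    return null;
}

// Constructed walk-through that runs from the command line without a web server.
if (PHP_SAPI === 'cli') {
    $store = sys_get_temp_dir() . '/contact_rate_example.json';
    @unlink($store);                       // start with an empty rate-limit store
    $session = [];
    $form = prepare_form($session);

    // A bot filling every field by name, without ever loading the form page:
    $bot = ['email' => 'Amsterdam', 'website' => 'http://spam.example', 'sum' => '7'];
    var_dump(check_submission($bot, $session, '203.0.113.5', $store));

    // A visitor who saw the form and answered the question:
    $human = ['email' => 'alice@example.com', 'form_token' => $form['token'],
              'sum' => (string)$session['sum_answer'], 'website' => ''];
    var_dump(check_submission($human, $session, '203.0.113.6', $store));
}
```

In the real handler, call `session_start()` first and pass `$_SESSION` as the session array and `$_SERVER['REMOTE_ADDR']` as the IP. The checks are ordered cheapest first so that obvious bots are rejected before the file store is touched, and the rate limit keys on the address rather than on anything the client can type into the form.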