2

I'm looking to set up a whistleblowing/anonymous tip website, but I've run into some problems. The basic idea is that you navigate to a splash page, fill in a few fields (name and location optionally, and then the message), then fire it off. At that point the message gets sent to a specific email inbox so that our team can look at it.

I've done a bit of research and PHP seems like my best bet, but I would also like to be able to log IP addresses for every message (or, more ideally, append them to the email before it is sent) so that I can be sure I'm not getting trolled or spammed. Can anyone point me in the right direction with this? I'm kind of a PHP noob, but willing to learn.

Thanks!

  • possible duplicate of [php: geting ip addres](http://stackoverflow.com/questions/2638295/php-geting-ip-addres) – Dan Grossman Feb 04 '11 at 07:11
  • That doesn't sound very anonymous to me. – sevenseacat Feb 04 '11 at 07:19
  • I guess I'm using the term 'anonymous' a bit loosely here, I mostly just want a way of making sure people aren't gaming the system while submitting reports that don't require their names or e-mail addresses. – Tom Cardoso Feb 04 '11 at 07:28
  • You're using it completely wrong, to be precise - you mean "pseudonymous" - as you're identifying users by something (IP address in this case), but it's not their name. The main problem I see is that it's not even very strong pseudonymity, in most cases IPs can be linked back to the person using only legally and publicly available data. – Piskvor left the building Feb 04 '11 at 07:56

2 Answers

2

The remote IP address will be available within your PHP script using the superglobal $_SERVER['REMOTE_ADDR']. You can append that to your mail.

Just to mention: If you log the IP address of the sender, you kind of miss something important if you want the sender to be ANONYMOUS. Because if you log the IP, then this is not really the case anymore.

yankee
  • You could store the salted hash of the IP instead of logging the IP itself. – Jason Plank Feb 04 '11 at 07:09
  • Thanks, this looks promising. Same goes for the salted hashes of the IP — if that means that I can still weed out multiple submissions by the same person without actually logging their IP, that would be pretty great... any idea on how to do this though? – Tom Cardoso Feb 04 '11 at 07:30
  • @Tom I would imagine you would want to use a database to store some information about each message sent (i.e. put the IP hashes in a table keyed by a unique message ID). That way when a new message is added your script can check for other messages from the same IP and decide whether or not it's spam. As for generating the hashes themselves, I think md5 will do what you need: http://php.net/manual/en/function.md5.php – Jason Plank Feb 04 '11 at 08:11
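
The salted-hash idea from the comments above, as an added example that is not part of the original thread: it stores a keyed hash of the address (HMAC-SHA-256 with a server-side secret, used here in place of the md5 mentioned above because the IPv4 address space is small enough to enumerate) and counts recent submissions per token. The table and column names, the limit and window values, and the sample addresses are assumptions.

```php
<?php
// Added example: pseudonymous duplicate detection without storing raw IPs.
// Table/column names and the limit/window values are assumptions.

// Secret key kept outside the database (e.g. in server config). Generated per
// run for this demo; in production load one fixed random 32-byte value.
$key = random_bytes(32);

function ip_token(string $ip, string $key): string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    $packed = inet_pton($ip);   // canonical binary form, IPv4 or IPv6
    // Keyed hash: without $key, nobody can enumerate all IPv4 addresses
    // and match them against the stored tokens.
    return hash_hmac('sha256', $packed, $key);
}

function record_and_count(PDO $db, string $token, int $now, int $window): int {
    $db->prepare('INSERT INTO submissions (ip_token, sent_at) VALUES (?, ?)')
       ->execute([$token, $now]);
    $q = $db->prepare(
        'SELECT COUNT(*) FROM submissions WHERE ip_token = ? AND sent_at > ?');
    $q->execute([$token, $now - $window]);
    return (int) $q->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (
    id INTEGER PRIMARY KEY, ip_token TEXT NOT NULL, sent_at INTEGER NOT NULL)');

// Constructed sample traffic (documentation-range addresses); in the form
// handler the address would come from $_SERVER['REMOTE_ADDR'].
$sample = ['203.0.113.7', '198.51.100.23', '203.0.113.7', '203.0.113.7'];
$limit  = 2;     // max submissions per token ...
$window = 3600;  // ... within one hour

foreach ($sample as $i => $ip) {
    $count   = record_and_count($db, ip_token($ip, $key), time(), $window);
    $verdict = $count > $limit ? 'flag for review' : 'accept';
    printf("submission %d: token seen %d time(s) -> %s\n", $i + 1, $count, $verdict);
}
```

The token is still a pseudonym: anyone holding the key can recompute it for a given address, so the key needs the same protection the raw IPs would.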
0

Problem

Spambots most of the time have a network of (hacked!) computers, so blocking IP addresses most of the time does not work. Also, I would like to point out that probably some legitimate user who is not aware of the malware on his PC can't use your service because you are blocking his IP address. Otherwise CAPTCHAs would NOT be necessary at all and Google, Yahoo! would not be using them at all because, as you most likely know, these images are hard to read sometimes.

Solution

You should just have a good spam filter (GMail's works very well) in place and use Akismet to detect spam messages instead. They have very decent libraries in place so that you don't have to do any coding at all, and it is going to work a lot better than what you were about to implement.

Community
Alfred