The spam problem causes serious damage to many webmasters. For those who are using WordPress, I created the CAPTCHA-Godfather plug-in, which can be downloaded from this page or this page too.
Anyway, if you’re about to create your own PHP script to fight against SPAM, here are a few basic rules which will make your website spam-free:
- The cookie; The cookie should be saved in the database and it should be unique (or random) for every opened page on your website. After the form is submitted, the cookie should be compared. If it equals the value stored in the database, then continue. Otherwise the script warns the user. The point is that no one can submit any form without loading the page first. Of course, if the user has disabled cookies in his/her browser, then there could be a problem… So mention the fact that cookies must be enabled for a successful “form submit” on your web pages.
- The timestamp; This very simple protection can save you a lot of time. The timestamp idea is based on the fact that no user can spend 0 or only a few seconds before the comment/message is left. Say that 5 seconds are necessary for a human to write even a short message. Simply add this restriction to your scripts along with the cookie check.
- The IP protection; Always check if the IP address of the submitter is the same as the IP address of the user who opened the page. For this purpose you must use the cookie protection as well. Save the IP in the first step and compare it to the IP ($_SERVER['REMOTE_ADDR']) of the submitter. If they don’t match, there could be some problem. This may look like a useless protection because the logic says “The IPs must be equal”. However, this is not true in all cases. Some spam bots may work with more IP addresses. Just to be paranoid, use the IP protection.
- The protection based on “bad” words; These words can be viagra, cialis, xanax and so on. Say that your website is devoted to fish. Why would members of your website use such words? There is no reason for such activities. Let’s use the words filter.
- The CAPTCHA protection; A dynamically generated image from text; This is the CAPTCHA protection. It is necessary to avoid sharing the verification text through the alt="" attribute of the img HTML tag. Instead use the id variable which loads the string from the database. Of course, the string should be generated as a unique variable. Don’t use predefined strings as they can be penetrated. If you use the word “match” along with id of value 1, then spammers can call your form with the id of 1. Of course, if you are using all of the above-mentioned ways of protection, then you don’t have to worry.
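The cookie, timestamp, IP and bad-word rules above can be combined into one server-side check. The following is an added example, not code from the CAPTCHA-Godfather plug-in; the table name, function names, the in-memory SQLite store and the sample inputs are assumptions made for illustration, and the CAPTCHA image itself is left out.

```php
<?php
// Added example, not plug-in code. Table and function names are hypothetical.
const MIN_SECONDS = 5;                              // minimum human typing time, per the text
const BAD_WORDS   = ['viagra', 'cialis', 'xanax'];  // word list from the text

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');               // stand-in for the site's database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE form_tokens (token TEXT PRIMARY KEY, ip TEXT, issued INTEGER)');
    return $db;
}

// On page load: store a random value with the visitor's IP and the time, then set it as the cookie.
function issue_token(PDO $db, string $ip, int $now): string {
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO form_tokens VALUES (?, ?, ?)')->execute([$token, $ip, $now]);
    return $token;
}

// On submit: returns 'ok' or the name of the rule that rejected the submission.
function check_submission(PDO $db, string $token, string $ip, string $message, int $now): string {
    $stmt = $db->prepare('SELECT ip, issued FROM form_tokens WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return 'cookie';            // the form page was never loaded
    // Single use (an addition to the rules in the text): the value cannot be replayed.
    $db->prepare('DELETE FROM form_tokens WHERE token = ?')->execute([$token]);
    if ($now - (int)$row['issued'] < MIN_SECONDS) return 'timestamp';
    if ($row['ip'] !== $ip) return 'ip';
    foreach (BAD_WORDS as $word) {
        if (stripos($message, $word) !== false) return 'bad-word';
    }
    return 'ok';
}

// Constructed demo. A real handler passes the cookie value, $_SERVER['REMOTE_ADDR'] and time().
$db = open_store();
$t0 = 1700000000;                                   // constructed clock value
$cases = [                                          // [submitter IP, message, seconds after load]
    ['192.0.2.10', 'Nice koi pond!', 30],
    ['192.0.2.10', 'Nice koi pond!', 1],
    ['198.51.100.7', 'Nice koi pond!', 30],
    ['192.0.2.10', 'cheap XANAX here', 30],
];
foreach ($cases as [$ip, $msg, $delay]) {
    $token = issue_token($db, '192.0.2.10', $t0);
    echo check_submission($db, $token, $ip, $msg, $t0 + $delay), "\n";
}
echo check_submission($db, 'never-issued', '192.0.2.10', 'hi', $t0 + 30), "\n";
```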
These principles are used within the CAPTCHA-Godfather plug-in. No spam bot can break this protection! Although human spammers can break it in some cases, the words-verification filter may lower the amount of successful penetrations to zero. You could use the IP-banning protection as well; however, IP addresses may change as time goes by.
More about PHP to come soon…