Free Consultation

phone (972) 863-1011

Our Blog

Preventing Form Spam, Part 2

This is a continuation of a previous post, Preventing Form Spam.

A new year has begun, and form spammers are still on the hunt for fresh forms. In order to stave them off, we have developed an improved form mailer script to keep legitimate email inquiries in, and SEO robot spam out.

Previously, we published a script addon for users of the webformmailer.php script, which added some basic spam protection to the existing script. In this post, we present an enhanced version, which includes some extra goodies like: a log of spammer IPs that are automatically blocked (you can add your own here), a log of rejected spam form submissions for later review, including every user’s IP address in the emailed form, more streamlined coding, and extra protection from spammers who don’t actually use your form. Regarding that last bit, in addition to robots that crawl the web and submit bogus information inside of your forms, there are also robots that will attempt to submit information directly to your server without using your forms at all. While renaming your script to something other than the default webformmailer.php would cut down on this type of situation, we went a step further.

You’ll note the addition of $safe_input_name in the code, which is designed to ensure that the spammer was not going after your server scripts directly. $safe_input_name refers to┬áthe name of a non-standard field (e.g., ‘numberofpeople’), which must be present in the submission. If this field is missing, it is a sign that robots are directing submissions to your server, and thus posts without this field will be flagged as spam. Then, these culprits will no longer be able to submit any forms after being added to the blacklisted IP log. Feel free to take more drastic measures at this point, like locking them out of your site completely.

Before you use this script, ensure that you’ve read and understood Part 1. Not a user of the webformmailer.php script? Look our for a modified version of send_contact.php for your use in the near future. Depending on your needs, even current webformmailer.php users may want to take a look!

/* == GoDaddy Webformmailer.php Script Addon ========== */
// Courtesy of, Jan-2010

// Modification of the GoDaddy webformmailer.php script to
// allow for IP tracking and blocking for suspected spammers.

// Ensure that you customize the parameters below.

/*    Script Parameters
------------------------------------------------------- */
// Set timezone:

// Modify paths, and ensure both files are writable.

$log_rejectedforms = '/path/to/log_rejectedforms.log';
// Comment out this line to disable tracking of rejected form
// submissions

$log_badips = '/path/to/log_badips.log';
// Comment out this line to disable blacklisted IP addresses

$server_vars = array ('Date' => date('m-d-Y h:i a'),
                      'Referrer' => $_SERVER['HTTP_REFERER'],
                      'Browser' => $_SERVER['HTTP_USER_AGENT'],
                      'Method' => $_SERVER['REQUEST_METHOD'],
                      'IP' => $_SERVER['REMOTE_ADDR']);
                      // Add other parameters if desired

$spam_input_name = 'spambot';
// Name of input field that is removed by Javascript

/* Spammers can also post directly to webformmmailer.php
   without using your form. Choose a name that is *not*
   something spammers are likely to use (e.g., message,
   subject), but that is still part of your form */

$safe_input_name = 'redirect';
// Name of input field that is part of a valid submission

$include_ip = true;
// Add IP address to form email

$orig_webformmailer = 'webformmailer-godaddy.php';
// Filename of the real, renamed webformmailer.php script

/*    No modification below this line is required
-------------------------------------------------------- */
    $input_vars = $_GET;
    if ($include_ip == true) {
        $_GET['IP'] = $server_vars['IP'];
        // Add user's IP address to form submission
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $input_vars = $_POST;
    if ($include_ip == true) {
        $_POST['IP'] = $server_vars['IP'];
        // Add user's IP address to form submission

if ((!isset($_SERVER['HTTPS'])) || (strtolower($_SERVER['HTTPS']) != 'on')) {
    $server_url = 'http://' . $_SERVER['HTTP_HOST'] . '/';
} else {
    $server_url = 'https://' . $_SERVER['HTTP_HOST'] . '/';

if (isset($log_badips)) {
    $bad_ips = file($log_badips, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach($bad_ips as $bad_ip) {
        // Check submission against blacklisted IPs
        if ($bad_ip == $server_vars['IP']) {
            // If this IP is already in the database, exit.

if (isset($input_vars[$spam_input_name]) || !isset($input_vars[$safe_input_name])) {
    // Submission is suspected spam
    header('Location: '. $server_url . $input_vars[$spam_input_name]);
    // Redirect user to URL in $spam_input_name
    if (isset($log_badips)) {
        $fh = fopen($log_badips, 'a') or die('Can\'t open file.');
        fwrite($fh, $server_vars['IP'] . "\n");
        // Record user's IP in blacklisted IP file
    if (isset($log_rejectedforms)) {
        $fh = fopen($log_rejectedforms, 'a') or die('Can\'t open file.');
        // Record rejected form submission in file
        fwrite($fh, '/* ' . str_repeat('-', 60) . " */\n");
        // Line spacer
        foreach ($server_vars as $key => $value) {
            fwrite($fh, $key . ': ' . $value . "\n");
            // Include all server variables
        fwrite($fh, "--\n");
        // Insert spacer
        foreach ($query_vars as $key => $value) {
            fwrite($fh, $key . ': ' . $value . "\n");
            // Include all submission variables
        fwrite($fh, "\n");
        // Insert spacer
    // Suspected spam, exit



Posted on 9th of January 2010

Leave a Comment: