views: 47
answers: 3

I have a classifieds website, and on each classifieds page there is a form for tipping a friend, where you just enter the person's email address and the tip will then be sent. The form is submitted to tip.php, where all the "magic" happens with checking and sanitizing etc. etc...

Lastly, I use PHP's mail() function to send the email from tip.php...

Now, I wouldn't want spam-bots and automated robots etc. to send mail and get my server blacklisted. What should I do?

One method which I would rather NOT use is logging IP addresses of senders in a table (MySQL) and then allowing only x emails per sender.

As I said, the above solution is not something I would prefer; there must be an easier way.

Is there any method you know of?

Is there any application to install maybe, on a linux server which does the job?

Thanks

+2  A: 

I would say that the most used method would be a captcha. This will ensure that the one who sends the email is a human, but everything can be cracked. So I would recommend finding a really good one; just type captcha into Google and you are good to go. Also, you can use another method/thing to make it more viable, e.g. some question that can be answered, a simple mathematical problem, etc.

realshadow
So what is Postfix then? It won't do spam filtering?
Camran
Postfix is an SMTP server.
David Dorward
+1  A: 

I think you should do something in the form which makes it difficult for robots to submit rubbish into it.

Either a piece of JavaScript which robots don't run (hint: they usually don't) or, if you MUST, a captcha.

You should definitely monitor the use of this facility, as well as monitoring outbound messages, message queues, and watching for bounced mail, though.

Quite a lot of web spam seems to come from humans who are paid to submit rubbish into people's forms, which is difficult to block.

You can, of course, also use something like Akismet, an API where you can ask them to spam-scan form input; I'm sure its licence terms are very reasonable, and if spam is a real problem, paying for it will be acceptable to management (using Akismet is much cheaper than paying expensive developers to write and maintain an in-house anti-spam system).

MarkR
Robots are getting smarter every day. The authors know about the JavaScript check, and are beginning to use Rhino to work around it... Don't count on JavaScript working for very long.
gms8994
Unless you are worried about bot authors making a bot specifically for your site (which you need not be unless you are Google, Yahoo, etc.), a trivial JavaScript check will beat them. Likewise, I have found that they always fill in an empty field with a tempting-sounding field name.
MarkR
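The two checks MarkR's answer and comment describe (a piece of JavaScript a bot won't run, and an empty "tempting" field a bot will fill in) in PHP, as an added example that is not code from the thread or from the asker's tip.php. The field names (`friend`, `website`, `js_token`), the session key `tip_nonce`, the off-screen CSS and the use of `random_bytes()` (PHP 7+) and nullable types (PHP 7.1+) are assumptions for illustration; the actual form and classifieds page are not on this page.

```php
<?php
// Added example, not code from the thread: a honeypot field plus a
// JavaScript-filled token, the two checks MarkR describes.
// Field names, the session key and the PHP 7.1+ features used are
// assumptions for illustration.
session_start();

// Goes on the classifieds page. The "website" input is pushed off-screen so
// a person never sees it; a bot that fills in every field will put something
// in it. The js_token value is only set by a browser that runs the script.
function tip_form_html(string $nonce): string
{
    $safeNonce = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="tip.php" id="tipform">
  <label>Friend's email: <input type="email" name="friend" required></label>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Website <input type="text" name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <input type="hidden" name="js_token" value="">
  <button type="submit">Send tip</button>
</form>
<script>
  document.querySelector('#tipform [name=js_token]').value = "{$safeNonce}";
</script>
HTML;
}

// Runs in tip.php before any mail() call. Returns null when the submission
// looks human, otherwise a short reason suitable for your own log.
function bot_check(array $post, ?string $expectedToken): ?string
{
    // 1. Honeypot: the off-screen field must come back empty.
    if (isset($post['website']) && $post['website'] !== '') {
        return 'honeypot filled';
    }
    // 2. JavaScript token: must be present and match the nonce issued with
    //    the form. hash_equals() compares in constant time.
    if ($expectedToken === null || !isset($post['js_token'])
        || !hash_equals($expectedToken, (string) $post['js_token'])) {
        return 'js token missing or wrong';
    }
    // 3. The recipient must be one syntactically valid address; this also
    //    rejects values containing newlines or several addresses.
    $friend = trim((string) ($post['friend'] ?? ''));
    if (filter_var($friend, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid recipient';
    }
    return null;
}

// On the classifieds page (assumed placement):
//   $_SESSION['tip_nonce'] = bin2hex(random_bytes(16));
//   echo tip_form_html($_SESSION['tip_nonce']);
//
// In tip.php:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $why = bot_check($_POST, $_SESSION['tip_nonce'] ?? null);
    unset($_SESSION['tip_nonce']);            // one token, one submission
    if ($why !== null) {
        // Keep the reason for yourself; the client gets the same generic
        // answer whichever check fired.
        error_log("tip.php rejected submission from {$_SERVER['REMOTE_ADDR']}: $why");
        http_response_code(400);
        exit('Could not send the tip.');
    }
    // ... the existing checking and sanitizing, then mail() ...
}
```

The token is tied to the session and consumed on first use, so a bot cannot simply replay a value it scraped once from the page; the honeypot costs nothing and catches the bots gms8994's comment is not worried about. Both checks are silent to the client on purpose: the `error_log()` line is where the monitoring MarkR asks for starts.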
A: 

Unless it's a paid-for service, or you can restrict the recipients to a pre-approved list and can establish the bona fides of the users, I would strongly recommend you don't do this. However...

Do have a look at SpamAssassin, but remember that one of its most important metrics is the Bayesian filtering engine, which needs to be trained using heuristics (but you can run SpamAssassin for your incoming mail and copy the database to your webserver).

Do make sure that you only allow authenticated customers (with an authenticated email) to use the facility, and limit the rate at which they can send messages (and the number of recipients) using a dead-man's lever.

C.

symcbean
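symcbean's last paragraph (authenticated users only, a limit on the sending rate and on the number of recipients, and a dead-man's lever) as an added PHP example, not code from the thread. It keeps the log in a SQLite file through PDO rather than the MySQL table the asker wants to avoid; the table and column names, the file path, the session keys `user_id` and `email_verified`, and the three limits are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: per-user rate limit, a cap on
// recipients per tip, and a global "dead-man's lever" that switches the
// feature off when overall volume spikes. Storage, names and limits are
// assumptions for illustration.

const MAX_TIPS_PER_USER_PER_HOUR  = 5;
const MAX_RECIPIENTS_PER_TIP      = 3;
const GLOBAL_TIPS_PER_HOUR_CUTOFF = 500; // above this the feature disables itself

function tip_db(): PDO
{
    $db = new PDO('sqlite:' . __DIR__ . '/tips.sqlite');   // assumed location
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS tip_log (
                 user_id    INTEGER NOT NULL,
                 sent_at    INTEGER NOT NULL,
                 recipients INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS tip_log_sent_at ON tip_log(sent_at)');
    // Single-row switch: enabled = 1 means tips may be sent.
    $db->exec('CREATE TABLE IF NOT EXISTS tip_switch (
                 id      INTEGER PRIMARY KEY CHECK (id = 1),
                 enabled INTEGER NOT NULL)');
    $db->exec('INSERT OR IGNORE INTO tip_switch (id, enabled) VALUES (1, 1)');
    return $db;
}

// Returns null if $userId may send to $recipients at time $now, otherwise a reason.
function tip_allowed(PDO $db, int $userId, array $recipients, int $now): ?string
{
    if (count($recipients) < 1 || count($recipients) > MAX_RECIPIENTS_PER_TIP) {
        return 'too many recipients';
    }
    foreach ($recipients as $r) {
        if (filter_var($r, FILTER_VALIDATE_EMAIL) === false) {
            return 'invalid recipient';
        }
    }
    $hourAgo = $now - 3600;

    // Dead-man's lever: once tripped it stays off until an admin resets the row.
    if ((int) $db->query('SELECT enabled FROM tip_switch WHERE id = 1')->fetchColumn() !== 1) {
        return 'tip feature disabled';
    }
    $st = $db->prepare('SELECT COUNT(*) FROM tip_log WHERE sent_at > ?');
    $st->execute([$hourAgo]);
    if ((int) $st->fetchColumn() >= GLOBAL_TIPS_PER_HOUR_CUTOFF) {
        $db->exec('UPDATE tip_switch SET enabled = 0 WHERE id = 1');
        error_log('tip feature disabled: hourly volume cutoff reached');
        return 'tip feature disabled';
    }

    // Per-user sliding window over the last hour.
    $st = $db->prepare('SELECT COUNT(*) FROM tip_log WHERE user_id = ? AND sent_at > ?');
    $st->execute([$userId, $hourAgo]);
    if ((int) $st->fetchColumn() >= MAX_TIPS_PER_USER_PER_HOUR) {
        return 'rate limit exceeded';
    }
    return null;
}

function record_tip(PDO $db, int $userId, int $recipientCount, int $now): void
{
    $st = $db->prepare('INSERT INTO tip_log (user_id, sent_at, recipients) VALUES (?, ?, ?)');
    $st->execute([$userId, $recipientCount > 0 ? $now : $now, $recipientCount]);
}

// Usage in tip.php (session keys are assumed): only a logged-in user whose
// address has been verified gets as far as the limit check.
session_start();
if (empty($_SESSION['user_id']) || empty($_SESSION['email_verified'])) {
    http_response_code(403);
    exit('Please log in with a verified email address to send tips.');
}
$db         = tip_db();
$userId     = (int) $_SESSION['user_id'];
$recipients = array_map('trim', explode(',', (string) ($_POST['friends'] ?? '')));
$why        = tip_allowed($db, $userId, $recipients, time());
if ($why !== null) {
    error_log("tip.php refused user $userId: $why");
    http_response_code(429);
    exit('Could not send the tip right now.');
}
// ... existing sanitizing and mail() here ...
record_tip($db, $userId, count($recipients), time());
```

Two caveats a practitioner will want: the count and the insert are separate statements, so two requests from the same user arriving at once can both pass; wrap the check and `record_tip()` in a transaction (`BEGIN IMMEDIATE` on SQLite) if that matters. And the global cutoff is deliberately one-way: it is the "dead-man's lever" symcbean mentions, meant to stop a runaway before the server ends up on a blacklist, and a human has to put it back.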