views: 474
answers: 7

I know it's kind of a common question, but I can't find the best answer (for now)...

What are the best approaches to reduce bot form submissions and invalid email accounts in PHP and HTML?

Bots - captcha? hidden CSS? what else?

Invalid email - This is a truly insane job. How can I detect if the user types [email protected], and then say the email is invalid? What if he types [email protected], [email protected], etc.? Is there any way to check whether the email is valid?

+1  A: 

Captchas are the most common way to prevent bots. Coding Horror has a good article on the subject (see http://www.codinghorror.com/blog/archives/001067.html and http://www.codinghorror.com/blog/archives/000712.html).

As to valid/invalid emails, your best bet is to require a validation step in registration. Don't activate the account until the user has used a link/special key sent in an email.

Jonathan Fingland
That email thing is extremely annoying. It's golden when you sign up for a site and are automatically logged in. -I- would do that, and then, if the user doesn't log in within a week, delete the account (it's probably a bot). But send an email warning the user of such a thing.
lyrae
The problem with that approach is that the bot has had a week to spam your forums and users
Jonathan Fingland
An extension/alternative is to prevent any communication from unvalidated users to other users. They can edit some basic account info, or what have you, just not interact until validation.
Jonathan Fingland
+1  A: 

One way is to use a service like Akismet, which provides a free API to hook your form up for validating form inputs against known spammers (and spam-like texts).

With so many email accounts, it is too much of an overhead to validate email accounts (you can always check the email string's validity (like [email protected]) using a regex, but that is not quick or light enough to check whether the account is valid).

Ram Prasad
Akismet is not free for commercial use, though.
Ram Prasad
+1  A: 

Your best bet for checking valid email addresses is to send an email to the address with a random value that you have the user click on.

e.g.

Welcome to McFadder's site!

Click here to validate your email address:

http://www.example.com/validate.php?Hash=c4ca4238a0b923820dcc509a6f75849b

You then have a database table (say, called UserEmailValidate) which contains the user ID and the hash.

To validate email addresses in the form, use JavaScript regular expressions, or PHP validation.

To avoid bots abusing your form, use captchas. http://recaptcha.net/ is a free service.

razzed
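The validation link described in this answer, as an added example that is not razzed's code: a single-use, expiring token backed by an in-memory SQLite table modelled on the UserEmailValidate idea. The table layout, the column names and the 24-hour lifetime are assumptions, and the script needs the pdo_sqlite extension. One caveat worth making explicit: the value in the link must be unpredictable. The sample hash in the answer, c4ca4238a0b923820dcc509a6f75849b, is the MD5 of the string "1", which is exactly what a bot can enumerate; the example below draws the token from the CSPRNG and stores only its SHA-256, so a dump of the table cannot be replayed.

```php
<?php
// Added example, not razzed's code: a single-use, expiring validation link backed by
// an in-memory SQLite table named after the answer's UserEmailValidate idea.
// Table layout, column names and the 24h lifetime are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 24 * 3600;

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE UserEmailValidate (
        UserId    INTEGER PRIMARY KEY,
        TokenHash TEXT    NOT NULL UNIQUE,
        ExpiresAt INTEGER NOT NULL,
        Validated INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Mint a token for the user and return the link to put in the email.
// The token comes from the CSPRNG (256 bits) and only its SHA-256 is stored,
// so a copy of the table is not enough to validate someone else's account.
function issueValidationLink(PDO $db, int $userId, string $baseUrl): string
{
    $token = bin2hex(random_bytes(32));
    $stmt  = $db->prepare(
        'INSERT OR REPLACE INTO UserEmailValidate (UserId, TokenHash, ExpiresAt, Validated)
         VALUES (:id, :hash, :exp, 0)'
    );
    $stmt->execute([
        ':id'   => $userId,
        ':hash' => hash('sha256', $token),
        ':exp'  => time() + TOKEN_TTL_SECONDS,
    ]);
    return $baseUrl . '/validate.php?Hash=' . $token;
}

// What validate.php does with the Hash query parameter. Returns the user ID on
// success, or null if the token is malformed, unknown, expired or already used.
function validateToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                       // reject anything that is not one of our tokens
    }
    $stmt = $db->prepare(
        'SELECT UserId, ExpiresAt, Validated FROM UserEmailValidate WHERE TokenHash = :hash'
    );
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['Validated'] === 1 || (int) $row['ExpiresAt'] < time()) {
        return null;
    }
    // Mark it used so the link cannot be replayed.
    $db->prepare('UPDATE UserEmailValidate SET Validated = 1 WHERE UserId = :id')
       ->execute([':id' => $row['UserId']]);
    return (int) $row['UserId'];
}

// Demo with a constructed user ID and base URL.
$db   = openDb();
$link = issueValidationLink($db, 42, 'http://www.example.com');
echo "Send this link to the user: $link\n";

parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
var_dump(validateToken($db, $query['Hash']));      // first click: token is consumed
var_dump(validateToken($db, $query['Hash']));      // second click: already used
var_dump(validateToken($db, str_repeat('0', 64))); // unknown token
```

The demo walks the three cases a validate.php endpoint has to get right: the first click on the link succeeds and marks the row used, a repeat of the same link is refused, and a token that was never issued is refused without revealing anything. Expired rows can be purged with a periodic `DELETE ... WHERE ExpiresAt < :now`, which also implements the "drop unactivated accounts after a while" suggestion made elsewhere on this page.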
+1  A: 

I think CAPTCHA is going to be your best option; I've used reCAPTCHA in the past:

http://recaptcha.net/plugins/php/

You can only validate the email on face value as per the RFC.

http://en.wikipedia.org/wiki/E-mail_address

You might want to send an email to them and ask them to click on a link to validate their account.

Jon
A: 

Send a confirmation email to the address provided with an activation key that the user has to use to activate their account to verify that the email is valid.

To get rid of bots, you probably want to use a captcha.

Joe Bubna
+1  A: 

We used a cross-site request forgery block in combination with a captcha and a field hidden with CSS to cut out almost all faked emails on our site. It isn't perfect, but the volume was significantly reduced. If you combined all that with a human verification of the actual email and deleting unverified accounts, you could tighten up the spam net even more.

  1. Set a session cookie of a hashed and salted secret value.

  2. Submit the form with that secret cookie and make sure the session matches the hidden form field. This beats the lazy bot submissions.

  3. Add a captcha to beat better bots.

  4. Create a hidden field called "comments" that is hidden with CSS. Put a label that says "don't fill this out or your submission will be ignored" and style that hidden as well. Anybody who fills it out is either a bot or a dumbo, and you can pretend to send the email but not really do it.

Add in Akismet (no experience personally) and a quick verification email and you have a pretty reliable net that will skim out the crap for you.

MrChrister
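Steps 1, 2 and 4 of this answer in plain PHP, as an added example that is not MrChrister's code (step 3, the captcha, is a third-party service and is left out). The `$session` and `$post` arrays stand in for `$_SESSION` and `$_POST` so the script runs from the command line; the field names, the "comments" honeypot and the verdict strings are assumptions. Note that the secret never needs to be in a cookie the browser can read: the cookie holds only the session ID, the secret lives server-side, and it is drawn from the CSPRNG rather than derived from something guessable.

```php
<?php
// Added example, not MrChrister's code: steps 1, 2 and 4 of the answer in plain PHP.
// $session and $post stand in for $_SESSION and $_POST so the script runs from the
// command line; field names, the "comments" honeypot and the verdict strings are assumptions.
declare(strict_types=1);

// Step 1: a per-session secret. The browser only ever holds the session ID cookie;
// the secret itself lives server-side and comes from the CSPRNG, not from a hash
// of something a bot could guess (a user ID, a timestamp).
function issueFormToken(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Render the form: the secret goes into a hidden field (step 2); the "comments"
// honeypot and its label are hidden with CSS (step 4) so humans never see them.
function renderForm(array &$session): string
{
    $token = htmlspecialchars(issueFormToken($session), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="register.php">
  <input type="hidden" name="form_token" value="$token">
  <label for="email">Email</label>
  <input type="text" id="email" name="email">
  <div style="display:none">
    <label for="comments">Don't fill this out or your submission will be ignored</label>
    <input type="text" id="comments" name="comments" autocomplete="off" tabindex="-1">
  </div>
  <button type="submit">Register</button>
</form>
HTML;
}

// Classify a submission: 'reject' (missing or mismatched token: a bot that never fetched
// the form, or a cross-site forgery), 'drop' (honeypot filled in: pretend to succeed but
// send nothing), or 'accept' (hand over to the captcha check and the verification mail).
function classifySubmission(array $session, array $post): string
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    // hash_equals keeps the comparison constant-time; is_string guards against array input.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'reject';
    }
    if (($post['comments'] ?? '') !== '') {
        return 'drop';
    }
    return 'accept';
}

// Demo with constructed submissions.
$session = [];
echo renderForm($session), "\n";
$token = $session['form_token'];

$cases = [
    'human'      => ['form_token' => $token, 'email' => 'user@example.com', 'comments' => ''],
    'lazy bot'   => ['email' => 'user@example.com'],                 // never loaded the form
    'greedy bot' => ['form_token' => $token, 'email' => 'user@example.com', 'comments' => 'buy now'],
];
foreach ($cases as $name => $post) {
    printf("%-10s -> %s\n", $name, classifySubmission($session, $post));
}
```

The three constructed submissions exercise the two cheap filters: a post without the session's token is rejected outright, a post that filled in the hidden "comments" field is silently dropped (the user sees a success page, no mail is sent), and only a post that passes both goes on to the captcha and the verification email. Keeping `tabindex="-1"` and `autocomplete="off"` on the honeypot reduces the chance that a real user's keyboard navigation or browser autofill lands in it.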
A: 

First of all, you can try simply not to deal with these problems by using alternative methods (like Stack Overflow does). The next thing is to check if the mail "could" be valid by resolving the hostname and let the user play the usual captcha game. You can either do something of your own or use third-party services.

You can make extensive use of cookies, Flash and JavaScript; however, that might annoy a few users and not prevent so many spammers. What do you mean by hidden CSS? Hide certain input fields via CSS and give them names like URL/firstmail/name and hope that a robot - not obeying the display:none; - will fill them out? Yes, that could prevent a few.

The last thing is to send the user a link to the given mail to validate and activate his account; if an account is not activated within two days, just drop it. You could even go one step further and ask the user in this mail to send YOU a mail to a specific address...

merkuro
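The two cheap checks mentioned on this page, Jon's "face value as per the RFC" syntax check and merkuro's "could be valid, resolve the hostname" check, as one added example that is not either answerer's code. It uses PHP's built-in `filter_var` with `FILTER_VALIDATE_EMAIL` instead of a hand-written regex and `checkdnsrr` for the DNS side; the verdict strings are assumptions. Neither check proves a mailbox exists; that is what the confirmation-mail approach in the other answers is for.

```php
<?php
// Added example, not Jon's or merkuro's code: the "face value" syntax check and the
// "could be valid" hostname check from the two answers. Verdict strings are assumptions.
declare(strict_types=1);

// Face-value check: filter_var implements PHP's own RFC-based address grammar,
// which is less error-prone than a home-grown regex.
function isSyntacticallyValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Hostname check: does the domain publish an MX record (or, for domains relying on
// the implicit-MX rule, an A/AAAA record)? Needs DNS access and says nothing about
// whether the mailbox itself exists.
function domainAcceptsMail(string $email): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;
    }
    $domain = substr($email, $at + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
}

// Combine the two. 'plausible' only means "worth sending a confirmation mail to".
function classifyEmail(string $email, bool $checkDns = true): string
{
    if (!isSyntacticallyValidEmail($email)) {
        return 'malformed';
    }
    if ($checkDns && !domainAcceptsMail($email)) {
        return 'no-mail-domain';
    }
    return 'plausible';
}

// Demo with constructed inputs; the DNS lookup is skipped so the script runs offline.
// Pass true as the second argument to also resolve the hostname.
foreach (['user@example.com', 'not an address', 'user@@example.com', 'user@example'] as $email) {
    printf("%-22s %s\n", $email, classifyEmail($email, false));
}
```

Run the DNS step only on the server side and after the syntax check has passed, since each lookup costs a round trip and a failing resolver would otherwise turn every registration into an error. Do not reject on a transient DNS failure; treat it as "unknown" and let the confirmation mail decide.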