Spam-proof email addresses on web sites

Over the weekend, I cobbled together another handy JavaScript method for foiling evil spam bots, whilst making life easy for web developers. The script below also lets you change the subject of the email as you go; you could add other variables, such as a link title, if you wished. Functions are very useful devices!

Firstly, the content of email.js:

// Writes the opening <a href="mailto:..."> tag. The address is only assembled
// when the script runs, so "user@host" never appears in the page source.
function sibaem(subject) {
    var username = "emailprefixhere";
    var domain = "whatever.com";
    var atsign = "@";
    var address = username + atsign + domain;
    // encodeURIComponent stops spaces and quotes in the subject from breaking the URL
    document.write('<' + 'a' + ' ' + 'href=' + '"mailto:' + address + '?Subject=' + encodeURIComponent(subject) + '">');
}

Save the above as email.js in your scripts folder and link to it in the head of your document like this:

<script src="scripts/email.js" type="text/javascript"></script>

Then, in the body of the document, call the function wherever you want the email link to appear, for example:

<script type="text/javascript">
<!--
sibaem( "Website enquiry" );
document.write ( 'email me</a>' );
//-->
</script><noscript><a href='contact_form.php' title='Complete my contact form'>contact me</a></noscript>

If you want the username to be passed in by the caller, and the address itself to be visible to human readers on the page, here’s the content of email.js:

// Same idea, but the caller supplies the username and the visible link text
// is the address itself (still assembled only at run time).
function sibaem(username, subject) {
    var domain = "whatever.com";
    var atsign = "@";
    var address = username + atsign + domain;
    // encodeURIComponent stops spaces and quotes in the subject from breaking the URL
    document.write('<' + 'a' + ' ' + 'href=' + '"mailto:' + address + '?Subject=' + encodeURIComponent(subject) + '">' + address + '</a>');
}

and here’s what goes in the body:

<script type="text/javascript">
<!--
// two separate arguments: the username first, then the subject
sibaem( "youremailusername", "Website enquiry" );
//-->
</script><noscript><a href='contact_form.php' title='Complete my contact form'>contact me</a></noscript>
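As an added example (not code from the original post), here is the same idea written without document.write: the address is built at run time from two separate strings and inserted through the DOM, and the subject is percent-encoded so that a space, ampersand or quote cannot break the URL or the surrounding HTML. The names buildMailto, renderEmailLink, ADDRESS_PARTS and the element id "contact" are assumptions of this example.

```javascript
// Added example (not from the original post). Names are constructed.

// Build a mailto: URL. encodeURIComponent turns "Website enquiry" into
// "Website%20enquiry" and neutralises '&', '"' and '#' in the subject.
function buildMailto(username, domain, subject) {
  var address = username + "@" + domain;
  var url = "mailto:" + address;
  if (subject) {
    url += "?subject=" + encodeURIComponent(subject);
  }
  return url;
}

// The two halves of the address never appear together in the page source,
// so a crawler scanning the HTML for "user@host" patterns finds nothing.
var ADDRESS_PARTS = { user: "emailprefixhere", host: "whatever.com" };

// Create the <a> element with DOM calls instead of document.write. Using
// textContent (not innerHTML) means the label is shown literally.
function renderEmailLink(container, subject, label) {
  var link = document.createElement("a");
  link.href = buildMailto(ADDRESS_PARTS.user, ADDRESS_PARTS.host, subject);
  link.textContent = label || (ADDRESS_PARTS.user + "@" + ADDRESS_PARTS.host);
  container.appendChild(link);
  return link;
}

// Usage in a page: put <span id="contact"></span> where the link should go.
// The guard lets the file also be loaded outside a browser (e.g. for tests).
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", function () {
    var target = document.getElementById("contact");
    if (target) {
      renderEmailLink(target, "Website enquiry", "email me");
    }
  });
}
```

The protection is only as good as the crawler's refusal to execute JavaScript: a bot that renders the page sees the finished link, which is why the noscript fallback to a contact form is worth keeping.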

Image protection with .htaccess

How to stop other sites hot-linking your images and using your bandwidth:

(1) Make an image called dontsteal.gif and place it under the directory that will hold the .htaccess file (the rule below expects it at http://www.whateverdomain.com/dontsteal.gif).

(2) Open Notepad and copy this code, keeping each directive on a single line (don’t let the editor wrap a directive onto a second line).

RewriteEngine On
# let through requests with no referer at all (direct visits, many proxies)
RewriteCond %{HTTP_REFERER} !^$
# let through requests that come from your own pages, with or without www
RewriteCond %{HTTP_REFERER} !^http://whateverdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.whateverdomain\.com/.*$ [NC]
# never rewrite the replacement image itself, or the redirect loops forever
RewriteCond %{REQUEST_URI} !dontsteal\.gif$
# any other request for an image or archive is sent the replacement image
RewriteRule .*\.(gif|GIF|jpg|JPG|zip|ZIP|png|PNG|swf|SWF)$ http://www.whateverdomain.com/dontsteal.gif [R,L]

(3) Change whateverdomain.com to whatever your domain is called.

(4) This works on Apache servers with mod_rewrite enabled.
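To reason about what the rewrite conditions decide before touching a live .htaccess, here is an added JavaScript model of the rule (it is not part of the original post and is not the Apache code). It goes slightly beyond the post by accepting https as well as http referers; the function names, OWN_DOMAIN and the sample paths are constructed for the example.

```javascript
// Added example (not from the original post): a model of the .htaccess rule.
// OWN_DOMAIN and the function names are assumptions of this example.

var OWN_DOMAIN = "whateverdomain.com";
var IMAGE_EXT = /\.(gif|jpg|zip|png|swf)$/i;   // the extensions the rule lists
var REPLACEMENT = "http://www." + OWN_DOMAIN + "/dontsteal.gif";

// Mirror of the RewriteCond lines: an empty referer passes (direct visits,
// privacy tools), and so does a referer from the site itself, with or
// without "www". The trailing "/" matters: it stops a look-alike host such
// as "whateverdomain.com.evil.example" from passing as your own.
function isForeignReferer(referer) {
  if (!referer) {
    return false;
  }
  var own = new RegExp("^https?://(www\\.)?" + OWN_DOMAIN.replace(/\./g, "\\.") + "/", "i");
  return !own.test(referer);
}

// Returns the URL the request should be redirected to, or null to serve the
// file normally. Mirrors the RewriteRule plus the loop-avoiding exclusion.
function hotlinkDecision(path, referer) {
  // Without this exclusion the replacement image matches the rule itself,
  // so every foreign page would send the browser round in circles.
  if (/dontsteal\.gif$/i.test(path)) {
    return null;
  }
  if (!IMAGE_EXT.test(path)) {
    return null;
  }
  return isForeignReferer(referer) ? REPLACEMENT : null;
}

// Constructed sample requests, one per branch of the rule.
var SAMPLE_REQUESTS = [
  { path: "/photos/cat.JPG", referer: "http://evil.example/page" },
  { path: "/photos/cat.jpg", referer: "" },
  { path: "/photos/cat.jpg", referer: "https://www.whateverdomain.com/gallery" },
  { path: "/photos/cat.jpg", referer: "http://whateverdomain.com.evil.example/" },
  { path: "/dontsteal.gif", referer: "http://evil.example/page" },
  { path: "/docs/manual.pdf", referer: "http://evil.example/page" }
];

function runSamples() {
  return SAMPLE_REQUESTS.map(function (r) {
    return hotlinkDecision(r.path, r.referer);
  });
}
```

The empty-referer pass-through is deliberate: many visitors arrive with no Referer header at all, and blocking them would hide your images from your own readers, not just from hot-linkers.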

Countering form spam bot attacks

Spammers, the dregs of the internet, are now using automated bots to probe web forms for weaknesses.

The bot fills in and submits the form to test whether it can be used as a spam relay: it tries to inject extra mail headers through the fields, and if that succeeds the form’s response mail is delivered to an address the bot owner controls.

To counter their tactics, fields like the mailto, from and subject fields can be checked server side (all user input should be checked server side).

e.g.

mailto:

// The hidden mailTo field should arrive empty: a human never sees it, so a
// non-empty value means an automated filler has been at work.
// (Assumed here: the value comes from a form field named mailTo.)
$to = isset($_POST['mailTo']) ? $_POST['mailTo'] : "";
if ($to !== "")
{
    die("Getawoollyoneupyah, spammer!");
}

from and subject fields:

// Reject carriage returns, line feeds and separator characters in anything
// that ends up in a mail header; CR/LF is what starts an injected header line.
// (Assumed here: the subject comes from a form field named Subject.)
$mailSubject = isset($_POST['Subject']) ? $_POST['Subject'] : "";
if ((preg_match('/[\r\n,;\'"]/', $_POST['Email'])) || (preg_match('/[\r\n,;\'"]/', $mailSubject)))
{
    die("Go away, spammer!");
}

Then, to stop the bot from filling in the form at all, a field such as the contact name can be checked, because the bot tries to put an email address into every field.

// A bot that pastes an address into every field trips on the '@' and '.'.
// (eregi() was removed in PHP 7; preg_match() with the i flag does the same job.)
if (preg_match('/[^-a-z ]/i', $_POST['Name']))
{
    echo "Characters in name field are invalid.";
    $_POST['Name'] = "";
}
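The three checks above, honeypot field, header characters in the address and subject, and the restricted name field, combined into one validation routine as an added example (not from the original post, and written for a Node.js back end rather than the PHP the post uses, so the logic can be exercised offline). The field names mailTo, Email, Subject and Name follow the post; validateContactForm and the sample submissions are constructed.

```javascript
// Added example (not from the original post). Function name and sample
// submissions are constructed; field names follow the post.

// Characters that must never reach a mail header: CR and LF start a new
// header line, the others are separators used to smuggle extra addresses.
var HEADER_INJECTION = /[\r\n,;'"]/;

// Honeypot: the form carries a hidden "mailTo" input that a person never
// sees, so only an automated filler will put a value in it.
function honeypotTripped(fields) {
  return typeof fields.mailTo === "string" && fields.mailTo !== "";
}

// Returns { ok, reason } so the caller can log why a submission was rejected
// (useful for spotting a new bot pattern) without telling the sender.
function validateContactForm(fields) {
  if (honeypotTripped(fields)) {
    return { ok: false, reason: "honeypot" };
  }
  var email = fields.Email || "";
  var subject = fields.Subject || "";
  if (HEADER_INJECTION.test(email) || HEADER_INJECTION.test(subject)) {
    return { ok: false, reason: "header-injection" };
  }
  // Name may contain only letters, spaces and hyphens; an address pasted into
  // every field fails here on the '@' and '.'.
  var name = fields.Name || "";
  if (name === "" || /[^-a-z ]/i.test(name)) {
    return { ok: false, reason: "invalid-name" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample submissions: a real person, an injection attempt that
// appends a second header line, and a bot that fills every field.
var SAMPLE_SUBMISSIONS = {
  legitimate: { Name: "Mary-Ann Smith", Email: "mary@example.org", Subject: "Website enquiry", mailTo: "" },
  injection: { Name: "Mary", Email: "mary@example.org\r\nBcc: someone@example.net", Subject: "hello", mailTo: "" },
  bot: { Name: "spam@example.net", Email: "spam@example.net", Subject: "spam@example.net", mailTo: "spam@example.net" }
};

function checkSamples() {
  var out = {};
  Object.keys(SAMPLE_SUBMISSIONS).forEach(function (k) {
    out[k] = validateContactForm(SAMPLE_SUBMISSIONS[k]);
  });
  return out;
}
```

Run the checks on the decoded request body (after the web framework has parsed the POST), which is the same layer PHP's $_POST sits at; a percent-encoded %0D%0A has already been turned back into a real CR/LF by then, so the plain character test catches it.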

More information about the relevant email injection exploit can be found here:

http://computerbookshelf.com/email_injection/
http://securephp.damonkohler.com/index.php/Email_Injection

There’s a form-testing script linked here, together with an explanation covering ASP scripts:

http://www.twologs.com/en/services/test/spamrelay.asp

and a script to ban known spam bots here:

http://www.foto50.com/spammercheck.phps