anti spambot email harvesting - email contact form

original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

anti spambot email harvesting - email contact form

Post by original89 »

Hello.

I hope you can help me. I've been reading through the forums and have not been able to find anything really that might be able to help me stop email harvesting from my holiday property booking website.

I have a contact form on every property owner's page that calls the owner's email details from the database. The form I have uses 'hidden' as I don't really want to display the email on the page (although this appears in the source code).

echo "<input type=\"hidden\" name=\"recipient\" value=\"$listing_emailAddress\">\n";

This is my problem: the email harvesters are having a field day. Does anyone know how I might be able to create a form that can encrypt the email address in the source, or point me in the direction of a form that I can customise?

My users aren't impressed getting 'enlargement' adverts posted to their holiday cottage reservations.

Many thanks
David
hairyjim
Forum Contributor
Posts: 219
Joined: Wed Nov 13, 2002 9:04 am
Location: Warwickshire, UK

Post by hairyjim »

pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

You could use MING to make a Flash file of each email address. You can set up the file to behave just like an ordinary link, but the code of the website won't actually contain the email address.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

thanks

Post by original89 »

hairyjim - I think this link is close, I will try this and post back, although the instructions are in German it doesn't help me too much. I guess I just create this and call it into my page where the email is appearing in the source code? Hopefully this will scramble it all up into a big mess?

http://vextron.mirrors.phpclasses.org/b ... /1873.html

pickle - you've lost me there, I'm afraid it's not a link but a form I have which sends the email.

Thanks
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Yep, I did lose you.

Instead of storing the email address itself in the form, could you maybe store the ID of the entry from the DB? So, instead of storing "client@domain.com", store "2". Then in your page that handles the form, pull out the email associated with the index "2".
original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

nope

Post by original89 »

It's close but not close enough. I don't understand the instructions and my PHP is, well, let's say still at basic level.

Thanks.
original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

pickle

Post by original89 »

Wouldn't that still make the email address appear in the code? I'll have a think along those lines though.

Thanks.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Why not use PHP to send the emails instead of the user? Make a form on the site that accepts the message and then use mail() to send it to the client. Or save them to a database so that you can check them before they are sent.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: pickle

Post by pickle »

original89 wrote: Wouldn't that still make the email address appear in the code? I'll have a think along those lines though.

Thanks.

No, the email wouldn't be stored in any code. The form would look kind of like this:

Code: Select all

<form ... >
  <input type = "hidden" name = "address_index" value = "2">
  <input type = "text" name = "message">
  <input type = "submit">
</form>

Then your page that handles it could look like this:

Code: Select all

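// cast to an integer so the posted value cannot change the SQL statement
$passed_index = (int) $_POST['address_index'];
// "table" and "index" are placeholder names; both are reserved words in MySQL, so they are backtick-quoted
$address_query = "SELECT address FROM `table` WHERE `index` = $passed_index";
// the mysql_* functions were removed in PHP 7; on current PHP use mysqli or PDO with a bound parameter
$result = mysql_query($address_query);
$row = mysql_fetch_assoc($result);
$email_to_send_to = $row['address'];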
original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

Post by original89 »

kettle drum - I'm using a form (well, trying to) and I hide the information and I use the mail function so the email is sent direct to the property owner. This is seen by the harvesters in my source code when they execute the page.

pickle - I think you've found me, but I think I'm out of my depth here as I'm not sure if this would actually produce different results on my page. Would it help if I pasted my code, so I can explain it a bit better? Or is that a bit cheeky?

Thanks.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Check this one out: http://www.zapyon.de/spam-me-not/index.html

It's a simple, but clever method of encrypting the mailto link (or any link, for that matter), and it works as far as I can tell. I've used it on a number of websites and so far, no problems. They also offer the script to obfuscate mailto-links in PHP.

Do bear in mind that once an email has been harvested, it's "tainted" and will remain so for a long while.
original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

hi

Post by original89 »

Patrick

Thanks for that, I'd actually seen that one and it works well if it is a hard coded mailto link, and the hex is exactly what I want to see, but I am using a form with a bit of the PHP that goes like this. So you see I only hide the email returned from the query, so it still appears in the source, so it gets spammed.

Code: Select all

// get the email address for the person who posted a listing
   global $conn, $lang, $config, $listing_emailAddress;
   $listingID = make_db_extra_safe($listingID);
   $sql = "SELECT ".$config['table_prefix']."listingsDB.Title, ".$config['table_prefix']."UserDB.emailAddress, ".$config['table_prefix']."UserDB.user_name FROM ".$config['table_prefix']."listingsDB, ".$config['table_prefix']."UserDB WHERE ((".$config['table_prefix']."listingsDB.ID = $listingID) AND (".$config['table_prefix']."UserDB.ID = ".$config['table_prefix']."listingsDB.user_ID))";
   $recordSet = $conn->Execute($sql);
   if ($recordSet === false)
   {
      log_error($sql);
   }
   // return the email address
   while (!$recordSet->EOF)
   {
      // array keys are quoted so PHP does not treat them as undefined constants
      $listing_emailAddress = make_db_unsafe($recordSet->fields['emailAddress']);
      $listing_ID = make_db_unsafe($recordSet->fields['ID']);
      $listing_username = make_db_unsafe($recordSet->fields['user_name']);
      $listing_Title = make_db_unsafe($recordSet->fields['Title']);
      $recordSet->MoveNext();
   } // end while

   // quotes inside the echoed HTML are escaped so the PHP strings parse
   echo "<div align=\"center\">";
   echo "<form name=\"mailman\" method=\"post\" action=\"email_agent.php\" onsubmit=\"return formCheck(this);\">\n";
   // this hidden field is what puts the owner's address into the page source
   echo "<input type=\"hidden\" name=\"recipient\" value=\"$listing_emailAddress\">\n";
   echo "<input type=\"hidden\" name=\"action\" value=\"mail\">\n";
   echo "<input type=\"hidden\" name=\"listing_username\" value=\"$listing_username\">\n";
   echo "<input type=\"hidden\" name=\"listingID\" value=\"$listingID\" />\n";
   echo "<input type=\"hidden\" name=\"headline\" value=\"$listing_Title\" />\n";
   echo "<tr><td colspan=\"2\" align=\"center\"><input type=\"submit\" value=\"Send\"></td></tr></table>";
   echo "</form>";
?>
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

Yes, but if you follow a little of what pickle suggested and put the uniqueId of the row that stores the email into your recipient input type, then when the page gets submitted do another query to extract the email address, then create and send the email.

Pickle gave you a very good example of how it should work; that way it won't be stored in the form.
original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

yes

Post by original89 »

Hi

Yes, I think that's the route I need to take. I will try and figure out how to implement it.

Thanks v m.
original89
Forum Newbie
Posts: 22
Joined: Wed Nov 17, 2004 8:25 am

i think im getting there.

Post by original89 »

Okay, I've been pondering on this and my head is really hurting now. I am a bit of a newbie at this so it's a bit tricky for me to get my head around this, apologies.

So I would only extract the email after the form has been submitted, replacing my existing code with the listing ID. Currently on submit this triggers my email_agent PHP and this actually does the post.

So if I remove the query to extract the email, should I put this into my email agent PHP? So the source wouldn't show the listing email, just the ID? Is this right?

Here is my email_agent code.

Code: Select all

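<?php
   include("include/common.php");
   include("$config[template_path]/user_top.html");
   global $conn, $config, $lang;
   // cast to an integer so the ID is safe to echo back into the return link
   $listingID = isset($_POST['listingID']) ? (int) $_POST['listingID'] : 0;
   // import the submitted fields as variables; EXTR_SKIP stops request data
   // from overwriting variables that are already set (such as $config)
   if (!empty($_POST)) {
      extract($_POST, EXTR_SKIP);
   } else if (!empty($HTTP_POST_VARS)) {
      extract($HTTP_POST_VARS, EXTR_SKIP);
   }
   if (!empty($_GET)) {
      extract($_GET, EXTR_SKIP);
   } else if (!empty($HTTP_GET_VARS)) {
      extract($HTTP_GET_VARS, EXTR_SKIP);
   }
   if ($action == "mail")
   {
      // $recipient is still the address taken from the hidden form field
      if ($recipient == "")
      {
         die ("<h3>$lang[friend_listing_provide_email]</h3>");
      }
      if ($sender == "")
      {
         die ("<h3>$lang[friend_listing_enter_name]</h3>");
      }
      if ($sender_email == "")
      {
         die ("<h3>$lang[friend_listing_enter_email_address]</h3>");
      }
      if ($comment == "")
      {
         die ("<h3>Please post some comments</h3>");
      }
      // remove line breaks so the submitted values cannot add extra mail headers
      $recipient = str_replace(array("\r", "\n"), "", $recipient);
      $sender = str_replace(array("\r", "\n"), "", $sender);
      $sender_email = str_replace(array("\r", "\n"), "", $sender_email);
      $message = $lang['friend_listing_default_message'];
      $message = stripslashes($message);
      // start the header string here instead of appending to an undefined variable
      $headers = "From: ".$sender." <".$sender_email.">\r\n";
      $headers .= "Bcc: <".$admin_email.">\r\n";
      $temp = mail($recipient, $lang['friend_listing_default_subject'], $message, $headers) or print "<h3>Sorry, could not send your message. Please try again later.</h3>";
      if ($temp == true)
      {
         echo "$lang[friend_listing_sent]<p><a href=\"listingview.php?listingID=$listingID\">Please return to listing $listing</a></p>";
      }
   } //end if
   else
   {
      echo "<h3>You must have something to email!</h3>";
   }
   include("$config[template_path]/user_bottom.html");
?>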
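
Added example, not part of the original thread or the site's own code: the approach pickle and phpScott describe, where the form carries only the listing ID and the handler looks the owner's address up on the server. The in-memory SQLite tables (needs the pdo_sqlite extension), the sample rows, the `build_enquiry` helper and the `enquiries@example.com` sender are assumptions for illustration; the table and column names follow the code posted above.

```php
<?php
// Added example with constructed data: an in-memory SQLite database stands in for the site's tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE UserDB (ID INTEGER PRIMARY KEY, emailAddress TEXT)');
$db->exec('CREATE TABLE listingsDB (ID INTEGER PRIMARY KEY, user_ID INTEGER, Title TEXT)');
$db->exec("INSERT INTO UserDB VALUES (7, 'owner@example.com')");
$db->exec("INSERT INTO listingsDB VALUES (2, 7, 'Sea View Cottage')");

// Hypothetical helper: returns [to, subject, body, headers], or null when the input is rejected.
function build_enquiry(PDO $db, array $post): ?array
{
    // The page source only ever contains this number, never the owner's address.
    $listingID = filter_var($post['listingID'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $senderEmail = (string) ($post['sender_email'] ?? '');
    $comment = trim((string) ($post['comment'] ?? ''));
    // Reject line breaks before the address goes into a header, then check its syntax.
    if ($listingID === false || $comment === ''
        || preg_match('/[\r\n]/', $senderEmail)
        || filter_var($senderEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Bound parameter: the posted value is never concatenated into the SQL text.
    $stmt = $db->prepare(
        'SELECT u.emailAddress AS email, l.Title AS title
           FROM listingsDB l JOIN UserDB u ON u.ID = l.user_ID
          WHERE l.ID = ?');
    $stmt->execute([$listingID]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no such listing
    }
    $subject = 'Enquiry about ' . str_replace(["\r", "\n"], ' ', $row['title']);
    $headers = "From: enquiries@example.com\r\nReply-To: $senderEmail\r\n";
    return [$row['email'], $subject, $comment, $headers];
}

// Constructed submissions: a valid one, a tampered ID, and an address with a line break.
$samples = [
    ['listingID' => '2', 'sender_email' => 'guest@example.org', 'comment' => 'Is July free?'],
    ['listingID' => '2 OR 1=1', 'sender_email' => 'guest@example.org', 'comment' => 'Hello'],
    ['listingID' => '2', 'sender_email' => "guest@example.org\r\nX-Test: 1", 'comment' => 'Hello'],
];
foreach ($samples as $post) {
    $mail = build_enquiry($db, $post);
    // A live handler would call mail(...$mail) at this point; the demo only prints the decision.
    echo $mail === null ? "rejected\n" : "would send to {$mail[0]} ({$mail[1]})\n";
}
```

Because the recipient is chosen by the database lookup, the handler can also no longer be pointed at an arbitrary address by editing the form.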