MailMe - PHP Form Mailer With Spam Blocking

Spam is an enormous problem and it is getting worse - your e-mail address is a commodity, and if you put it on a web page it WILL eventually be found, spammed and sold to other spammers. The problem is that you have a web page and you need to make it possible for people to send you e-mail from it, but you don't want to get bombarded with spam - what can you do?

First you need to understand what is likely to happen. The most likely scenario is that an e-mail harvesting robot will find your page and look through it trying to find e-mail addresses. This robot may be programmed to look for a particular list of possible characters on either side of the @ in your e-mail address, or it may look for the "mailto:" in your e-mail link, or use any number of other tricks.

OK, so now you understand what the robot is looking for - how do you keep it from finding it? Well, there are several things you can try:

  1. Just put the "mailto:" link on your page and hope that no robot finds it. Dream on!
  2. Add NOSPAM (or whatever) to your e-mail address, like this: Info@NoSpam.Bogus.Dom, and hope that the robots don't figure out to remove the NoSpam but your users do. This MAY work for a while, if you can train your visitors how to use it.
  3. Replace the "@" in your e-mail address with its quoted (URL-encoded) equivalent (%40), or even convert all of the characters in the mailto: and your e-mail address to their quoted characters. Just doing the @ will stop some robots, but as web designers get better so will the robot designers. I suspect that there are already robots that automatically unquote the entire page before trying to harvest addresses from it.
  4. You can even use advanced features of your web server to attempt to defeat the robot harvesters, but usually by the time you figure out which robot is attempting to harvest your e-mail addresses and block it on the server, it's already too late, and they can simply change their name and try again. There is a very good article describing this method and its shortcomings here.
  5. You can use a form mailer program. Unfortunately, most of these programs embed the e-mail address in the body of the e-mail form (for example in a hidden field), so the robots can still find them.

So as you can see, each of the above methods MAY work, some of the time, but none are absolutely secure - so what do you do?  It's really simple - you don't put the e-mail addresses on the web page.  The only secure way to allow your users to send you e-mail from a web page without robots being able to get your e-mail address is a modified version of #5 above that DOESN'T put the e-mail address on the web page.

This is the premise of the MailMe.php script I am going to present here. The e-mail addresses are stored on the server in the source of the PHP script, so the end user (either human or robot) never sees them; the form only ever carries an index into that list.

Please feel free to send me a message using this script (pick "Real Feedback") or send a test message (pick "Just Testing") and a copy will be CC'ed to you. BTW, the version below does no validation of the values entered. It was presented as a straight PHP proof of concept; however, I have started using a JavaScript enhanced version to lower the number of people who send me "Real Feedback" with nothing in it. ;)  If you are interested in the source to the enhanced version click here.


------ Script Starts Here ------

<?php

// This work is licensed under the Creative Commons Attribution 2.5 License. 
// To view a copy of this license, visit 
// http://creativecommons.org/licenses/by/2.5/ 
// or send a letter to Creative Commons, 543 Howard Street, 5th Floor, 
// San Francisco, California, 94105, USA.
//
// Attribution (do not remove): 
//    Original Creation of Arkie.Net - http://www.arkie.net/~scripts/


// Add as many Names/Departments -- e-mail addresses as you want here.
// Each entry is array( display name, address ); the form only exposes the index.
$eMail   = array();
$eMail[] = array( 'Information',  'Information@bogus.dom' );
$eMail[] = array( 'Tech Support', 'Support@bogus.dom' );

//  Handle older versions of PHP (before the $_POST / $_SERVER superglobals existed)
if( ! isset( $_POST ) )   $_POST   = &$HTTP_POST_VARS;
if( ! isset( $_SERVER ) ) $_SERVER = &$HTTP_SERVER_VARS;

?>
<HTML>
  <HEAD>
    <TITLE>Mail Me!</TITLE>
  </HEAD>
  <BODY>

<?php if( ! isset( $_POST["EMail"] ) ) { ?>

<form method="POST" name="MailForm">
  <div align="center">
    <center>
    <table border="0" cellpadding="4" cellspacing="0">
      <tr>
        <td valign="top" align="right">To:</td>
        <td>

<?php

//  Display a menu if there is more than one name, otherwise just print the single name.
//  The option value is the array index, never the address itself.
if( count( $eMail ) > 1 ) {
    echo "<select size=\"1\" name=\"To\">\n";
    foreach( $eMail as $k => $a )
        echo "<option value=\"$k\">$a[0]</option>\n";
    echo "</select>\n";
} else
    echo $eMail[0][0];

?>
        </td>
      </tr>
      <tr>
        <td valign="top" align="right">From:</td>
        <td><input type="text" name="From" size="44" maxlength="32"></td>
      </tr>
      <tr>
        <td valign="top" align="right">E-Mail:</td>
        <td><input type="text" name="EMail" size="44"></td>
      </tr>
      <tr>
        <td valign="top" align="right">Subject: </td>
        <td>
          <p align="center"><input type="text" name="Subject" size="44"></p></td>
      </tr>
    </table>
    </center>
  </div>
  <p align="center"><textarea rows="10" name="Body" cols="45"></textarea></p>
  <p align="center"><input type="submit" value="Send" name="B1"></p>
</form>

<?php

} else {

    echo "<B>Attempting to send message</B><BR><BR>\n";

    // Record the sender's IP for the X-From-IP header. X-Forwarded-For is a
    // client-supplied header, so it is informational only; REMOTE_ADDR is the
    // address the web server actually saw.
    $userip = isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ? $_SERVER['HTTP_X_FORWARDED_FOR']
                                                        : $_SERVER['REMOTE_ADDR'];

    // With a single recipient the form has no "To" menu, so force index 0.
    if( count( $eMail ) == 1 )
        $_POST["To"] = "0";

    // NOTE: as described above, this proof of concept does no validation of the
    // posted values before they are placed in the message headers.
    if( mail( '"' . $eMail[$_POST["To"]][0] . '" <' . $eMail[$_POST["To"]][1] . '>',
              $_POST["Subject"], $_POST["Body"],
              'Return-Path: "' . $_POST["From"] . '" <' . $_POST["EMail"] . ">\n" .
              'From: "'        . $_POST["From"] . '" <' . $_POST["EMail"] . ">\n" .
              'Reply-To: "'    . $_POST["From"] . '" <' . $_POST["EMail"] . ">\n" .
              "X-Mailer: PHP/" . phpversion() . "\n" .
              "X-From-IP: "    . $userip ) )
        echo "Message Sent Successfully";
    else
        echo "UNABLE To Send Message.";
}
?>
  </BODY>
</HTML>


--------- Script Ends Here --------
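Because the proof of concept above places the posted From, E-Mail and Subject values straight into mail headers, a newline in any of them would let the sender append headers of their own (mail header injection), and an out-of-range "To" value reads past the $eMail list. The following hardened send path is added here as an example and is not part of the original MailMe.php; it assumes the script's $eMail array, its $userip variable and its POST field names (To, From, EMail, Subject, Body).

```php
<?php
// Added hardening example, not part of the original MailMe.php. Assumes the
// $eMail array, $userip and the POST field names from the script above.
// Reject a header value that is empty, too long, or carries CR/LF/NUL: a line
// break inside From or E-Mail is what allows extra To:/Bcc: headers to be injected.
function mailme_clean_header( $value, $maxlen )
{
    $value = trim( (string) $value );
    if( $value === '' || strlen( $value ) > $maxlen )
        return false;
    if( preg_match( '/[\r\n\x00]/', $value ) )
        return false;
    return $value;
}
// Build the extra headers for mail(); returns false when From or E-Mail is unacceptable.
function mailme_build_headers( $from, $email, $userip )
{
    $from  = mailme_clean_header( $from, 64 );
    $email = mailme_clean_header( $email, 254 );
    if( $from === false || $email === false || filter_var( $email, FILTER_VALIDATE_EMAIL ) === false )
        return false;
    // Quote the display name (escaping backslash and quote) so it cannot end early.
    $name = '"' . str_replace( array( '\\', '"' ), array( '\\\\', '\\"' ), $from ) . '"';
    // X-Forwarded-For is client supplied: keep only address characters for the audit header.
    $ip = preg_replace( '/[^0-9a-fA-F.:, ]/', '', (string) $userip );
    return 'From: '     . $name . ' <' . $email . ">\n"
         . 'Reply-To: ' . $name . ' <' . $email . ">\n"
         . 'X-Mailer: PHP/' . phpversion() . "\n"
         . 'X-From-IP: ' . $ip;
}
// Resolve the posted To value to an $eMail entry; anything but a valid index is rejected.
function mailme_pick_recipient( $eMail, $to )
{
    if( count( $eMail ) == 1 )
        return $eMail[0];
    if( ! ctype_digit( (string) $to ) || ! isset( $eMail[(int) $to] ) )
        return false;
    return $eMail[(int) $to];
}
// Replacement for the send branch of the script above.
$rcpt    = mailme_pick_recipient( $eMail, isset( $_POST['To'] ) ? $_POST['To'] : '' );
$headers = mailme_build_headers( $_POST['From'], $_POST['EMail'], $userip );
$subject = mailme_clean_header( $_POST['Subject'], 120 );
if( $rcpt === false || $headers === false || $subject === false )
    echo "Message rejected: check the name, e-mail address and subject.";
elseif( mail( '"' . $rcpt[0] . '" <' . $rcpt[1] . '>', $subject, $_POST['Body'], $headers ) )
    echo "Message Sent Successfully";
else
    echo "UNABLE To Send Message.";
```

The Return-Path header from the original is dropped here because mail() on most Unix setups does not honour it anyway; the envelope sender is set by the MTA or by mail()'s fifth argument.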