I digress.  Let’s get to the form bits.  In my past posts, I’ve spoken about broad concepts that have worked for me.  This time, I’m going to provide the actual code I’m using.    With my latest change of checking for a valid MX record, I’ve completely stopped spam on the form that I’m using this on for over a month.

Since I’m passing variables via a session, at the top of the file, I’m going to go ahead and start the session before anything else is done in the file.

<?php
session_start();

Then I create a couple session variables:

/*Anti-Spam*/
/*-We’re going to seed the input with a hidden and random value and we’re timing to find the slowpokes.*/

$_SESSION['AS_seed'] =  mt_rand(1000, 9999); //Pull a random number out of our ass between 1k and 9999.
$AS_seed = $_SESSION['AS_seed']; //We are going to use the random number to change the form element names.
$_SESSION['AS_substart'] = mktime(); //Pass the form generation time to a session var.

Now in the form, we’re going to create the inputs like so:

<input type=’text’ name=’”.$AS_seed.”email’ size=’20′>

So what we’ve done is we’ve made sure that every time this page is generated, the element name is different.  The reason for this method of protection is the fact that one method the spammers use to submit form spam is by crawling the site(or manually browsing), saving the page HTML and then using a bot to automatically parse the page to shoot spam off.  Since the element name is different each time, saving a copy of the form will result in erroring out on the submittal side.

So on the entry side, we’ve created a start time and we’ve given the elements a random name.  Now we need to do some things on the submission side.

/*Let’s submit the form!*/
case “submit” :

/*AS: Anti-Spam measures*/

/*Setting a time to compare to the form generation*/
$AS_subend = mktime();

/*First a value set by the submission form.  This should defeat bots that simply contact the form processor, bypassing the actual form page.*/
if((!ISSET($_SESSION['AS_seed']))OR(!ISSET($_SESSION['AS_substart']))){ //If either session variable is missing, then we know that the submittal was not made via the proper method(form).
$stop =’1′;
echo(“Text to let them know that there were no session variables present in the form.”);
}

/*If it took them less than 5 seconds to submit the form, they’re not human.*/
if($AS_subend <= ($_SESSION['AS_substart']+5)){
$stop =’1′;
echo(“Text to let them know that the post took less than 5 seconds to make.  Send them packing.”);
}

/*If it took them longer than 30 minutes to submit the form, they fell asleep and their comment is probably really too boring anyway. Send them back to start*/
if($AS_subend >= ($_SESSION['AS_substart']+3600)){
$stop =’1′;
echo(“Text to let them know that the post took longer than 30 minutes to make.”);
}

/* If they made it this far, then all we need to do is verify the sender. */
// email address validation function.  This does not check for a valid domain, only a valid structure.
// kudos to http://iamcal.com/publish/articles/php/parsing_email/
function is_valid_email_address($email) {
$qtext = ‘[^\\x0d\\x22\\x5c\\xa6-\\xff]‘;
$dtext = ‘[^\\x0d\\x5b-\\x5d\\xa6-\\xff]‘;
$atom = ‘[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c'.
'\\x3e\\x40\\x5b-\\x5d\\xa6-\\xff]+’;
$quoted_pair = ‘\\x5c[\\x00-\\xa5]‘;
$domain_literal = “\\x5b($dtext|$quoted_pair)*\\x5d”;
$quoted_string = “\\x22($qtext|$quoted_pair)*\\x22″;
$domain_ref = $atom;
$sub_domain = “($domain_ref|$domain_literal)”;
$word = “($atom|$quoted_string)”;
$domain = “$sub_domain(\\x2e$sub_domain)*”;
$local_part = “$word(\\x2e$word)*”;
$addr_spec = “$local_part\\x40$domain”;
return (preg_match(“!^$addr_spec$!”, $email));
}

$email = $_POST[$_SESSION['AS_seed'].’user_email’];

if(!is_valid_email_address($email)){
$stop =’1′;
echo(“Text to let them know that the email structure was invalid.”);
}else{
/* If the “if” checked out, then we are dealing with a properly structured email address.  Now, the “else” will determine whether the email domain actually has an MX record. That means that the domain is not only registered but also is set up to accept email.*/
function verify_email_dns($email){
// This will split the email into its front
// and back (the domain) portions
list($name, $domain) = split(‘@’,$email);

if(!checkdnsrr($domain,’MX’)){
// No MX record found
return false;
} else {
// MX record found, return email
return $email;
}
}

if(!verify_email_dns($email)){
$stop =’1′;
echo(“Text to let them know that the submission failed due to no MX record.”);
}

//So, lets see if any flags popped up.
if(!ISSET($stop)){ //If “stop” is not set, then none of the checks above triggered it and we’re ok to submit the form.

$username = strip_tags (substr ($_POST[$_SESSION['AS_seed'].’username’], 0, 50));
$name = strip_tags (substr ($_POST[$_SESSION['AS_seed'].’name’], 0, 50));
$user_email = strip_tags (substr ($_POST[$_SESSION['AS_seed'].’user_email’], 0, 50));
$comment = strip_tags (substr ($_POST['comment'], 0, 2000));

$to = me@here.com’;
$subject = “Your site -|- Contact form submission”;
$message = “Here’s a submission for you:\r\n
User: $username \r\n
Name: $name \r\n
Email: $user_email \r\n
Comment: \r\n
$comment”;

$headers = “From: $user_email” . “\r\n” . “X-Mailer: PHP/” . phpversion();

mail($to, $subject, $message, $headers);

echo(“Text to let them know that the submission was a success.”);

}

break;

Before I added the mx check, I was getting a single spamming piece of whale shit that kept hitting me with the same test post:

Here’s a submission for you:

User: bunqwputd

Name: bunqwputd

Email: aaivnq@gjpluc.com

Comment:

QHq9CT  exmlpcvlbyvq, [url=http://ywepjoknkzps.com/]ywepjoknkzps[/url], [link=http://fzzqigwvqeao.com/]fzzqigwvqeao[/link], http://zpedowpklfhx.com/

which doesn’t make much sense at first, but here’s the deal.  Most spammers don’t read the language of the page they’re on and they don’t have the time to decipher each form’s purpose.  They’ve got shit to post.  To help in their effort, they post bullshit like this and then see what happens.  If the resulting page shows their spam, then they know it’s a form they want to hit.  If it doesn’t, it’s time to move on.

I lucked out here because they use a random string for a domain name.  I suspect they do this to protect themselves from forms that block posts from known webmail domains that historically house spam accounts.  If it’s a bogus domain, then it’s definitely not going to be on any blacklist.

It will also not return a valid mx record

That’s it.  Months have gone by with no more spam.  If it changes, I’ll start playing with other things to try short of a CAPTCHA. I imagine I’ll begin running the content through Akismet.  For now though, this is doing the trick.  Hope it helps someone else.