Web-based contact form being abused

[HodgeHi]

I have a problem with our email form used to contact us being abused. Pupils are sending abusive messages into the enquiries address which is then viewed by our secretary.

There is validation of the form on the site but they just get around that by suppliying a fake but valid address.

Is there any way i can filter the message contents and then dump any that don't adhere to good manners?

I hope you can help as it has become very problematic but i don't want to take down the form as it is useful.

Thanks in advance.

Can you not block the contact page for children via your proxy?

[FN-GM]

If they are doing it from school could you block the contact us page? Allo you could just put the E-mail address on the site without the form. If you are going to do this put the e-mail down as a picture so the site can't be scanned for e-mail addresses by spammers.

[FN-GM]

Beat me to it SYSMAN_MK!

[localzuk]

Which language is your form in?

I used to have a php script which checked that the domain was a valid one as well as being a validly formatted address.

Other than that, there is not much you can do - adding things like email verification would annoy legitimate posters more.

[pete]

I wonder, do you have a VLE?

It probably logs IPs, so it would be quite easy to link IPs to vle usernames, and then not much of a stretch to link the form abuse to the offenders?

This assumes it's being sent externally. If it's done internally, you should be able to link ip address -> machine -> timeframe -> logged on user.

Can you redirect the content through spamassassin before it gets sent to the secretary?

[HodgeHi]

It is sent externally and we don't have a VLE (yet). The form uses php to send the email and javascript to validate.

We host our website on Broadband Sandwells servers and send the form trough their localhost account so probably doesn't go through their spam filter either.

Is there anything script-wise i can do to filter out email based on words before submitting, i.e. form fields have to go into variables to create theemail so could i not run it against a list of words and if it matches stop the mail being sent?

I Don't know php much which is why i ask.

[Gerry]

You should be able to log visitor IP's using this line of PHP:
$ip=@$REMOTE_ADDR;

Or if "register_global" is set to Off in "php.ini":
$ip=$_SERVER['REMOTE_ADDR'];

Change the contact us page to show their IP and say that it will be logged with the message and that any abuse will be reported to the authorities ;-)

[HodgeHi]

Thanks for that one Gerry. I was going to look into ip logging and that just saved me looking around to find it.

I have checked the access log on the webserver though and the ip address seems to resolve to an AOL proxy server. Can anyone confirm that this would be the case? I don't want to blacklist the IP and as a result block legitimate users.

Is there anyway to log the actual users modem IP?

[intrigue]

You could check against a list of words yourself quite easily by editing the PHP
In pseudocode it would be something like this

Submit to validation.php

request the form variable textfield input
while array is not empty do

if textfield contains array item X then
banned content variable + 1
end if

end while

If banned content variable is greater then 0
send email = false
write to page "sorry your an idiot"
else
send email
end if

I could probably do that in PHP if i could remember how to write PHP in ASP and ASP.NET i could do it very quickly

If you want me to do it in PHP send me a PM and i will give it a go although if someone else here is a good PHP expert then let them do it.

Thanks
Matt

[HodgeHi]

That would be great. I am looking through some javascript at the moment to try and do just that but am having a bit of trouble getting it to work with the other validation fields. I'm a bit naff at this coding thing and am surprised at how far i've got really.

I don't get a lot of time to sit and learn the stuff properly.

I can read scripts to a certain extent but cannot write one for the life of me.
Any help would be great.

Thanks for the offer.

[AnnDroyd]

Straying a bit off the point here, but just out of interest, why do you use an email contact form, rather than just publishing an email address?

From a personal point of view, I'm always suspicious about forms, and worry that there isn't actually a real person at the other end of it who will receive the message!

[HodgeHi]

Not everyone owns a computer and so if they use their local library to browse the site and come across the contact us page they would not have either an email address or an email client configured to use the mailto command.

The page does send an email to an alias linked to the secretarys inbox, so she should collect them and then respond.

Thats the plan anyway.

[AnnDroyd]

Fair enough. Not sure how someone would receive the reply if they don't have an email address, but I take your point about not having an email client configured.

[HodgeHi]

They could state that in the message and leave a phone number to reply to.
Since it would be a human on the other end it would be dealt with accordingly.

Again that is the plan anyway.