Question

So I have this script that I use for all my emails in different domains. For some reason, the second I started using it on a 1&1 hosting account, I've been getting tons of spam! A condition that stops emails without a sender doesn't work - some of the spam comes from fake spam emails.

Here is the script:

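<?php
// Read the submitted form fields (empty string when a field is missing).
$nambre = $_POST['name'] ?? '';
$number = $_POST['number'] ?? '';
// Strip tags and CR/LF so the address cannot add extra header lines.
$email = str_replace(["\r", "\n"], '', strip_tags($_POST['email'] ?? ''));
$user_message = $_POST['message'] ?? '';
// Build the HTML body of the notification mail.
$message = "<h3>From:&nbsp;".$nambre."</h3>";
$message .= "<h3>Phone:&nbsp;".$number."</h3><br/>";
$message .= $user_message;
// The sender address from the form is used for From and Reply-To.
$headers = "From: " . $email . "\r\n";
$headers .= "Reply-To: " . $email . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
mail('email@email.com', 'Someone is contacting you from your website', $message, $headers);
// Redirect to the confirmation page and stop the script.
header("Location: success.html");
exit;
?>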

Is there anything I can do?


Solution

You'd need a captcha or some other type of human-validation. I would suggest that you time the page-load to form-submission. Since bots will do it automatically and therefore in a matter of milliseconds, it would be easy to do it with JavaScript's Date() object.

<joke>

Alternatively, you could ask the bot/human what .1+.2 is, and if the result comes out to 0.30000000000000004, you've got a bot.

</joke>

If you're looking more specifically for a CAPTCHA based one, you could use reCAPTCHA.

However, another interesting thing that I have seen work well is to have a form field that is either hidden or has a message to the user saying not to fill it in. If the user fills it in, you can be confident that your script will reject both bots and humans who don't know how to read.
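
One way to apply the timing and hidden-field suggestions from the answer above on the server side, as an added example that is not part of the original answer. The render time travels in a hidden field signed with HMAC so a client cannot alter it; the secret, the field names (`ts`, `sig`, `website`) and the thresholds are assumptions.

```php
<?php
// Added example: server-side honeypot and fill-time checks for a contact form.
// FORM_SECRET, the field names "website", "ts", "sig" and the thresholds
// below are assumptions made for this sketch.
const FORM_SECRET = 'replace-with-a-long-random-value';
const MIN_FILL_SECONDS = 3;
const MAX_FORM_AGE_SECONDS = 3600;

// Call when rendering the form: hidden fields carrying a signed render time.
function form_token_fields(int $now): string {
    $sig = hash_hmac('sha256', (string) $now, FORM_SECRET);
    return '<input type="hidden" name="ts" value="' . $now . '">'
         . '<input type="hidden" name="sig" value="' . $sig . '">'
         // Honeypot: hidden from people by CSS, so only scripts fill it in.
         . '<input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">';
}

// Returns null when the submission looks human, otherwise the reject reason.
function reject_reason(array $post, int $now): ?string {
    if (($post['website'] ?? '') !== '') {
        return 'honeypot field filled in';
    }
    $ts  = (string) ($post['ts'] ?? '');
    $sig = (string) ($post['sig'] ?? '');
    if (!ctype_digit($ts) || !hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $sig)) {
        return 'missing or forged timestamp';
    }
    $elapsed = $now - (int) $ts;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    if ($elapsed > MAX_FORM_AGE_SECONDS) {
        return 'form token expired';
    }
    return null;
}

// Constructed sample submissions, checked against a fixed clock.
$rendered = 1700000000;
$sig = hash_hmac('sha256', (string) $rendered, FORM_SECRET);
$samples = [
    'human, 20 s'   => [['ts' => "$rendered", 'sig' => $sig, 'website' => ''], $rendered + 20],
    'bot, instant'  => [['ts' => "$rendered", 'sig' => $sig, 'website' => ''], $rendered],
    'bot, honeypot' => [['ts' => "$rendered", 'sig' => $sig, 'website' => 'http://x.example'], $rendered + 20],
    'forged time'   => [['ts' => '1', 'sig' => $sig, 'website' => ''], $rendered + 20],
];
foreach ($samples as $label => [$post, $now]) {
    echo $label, ': ', reject_reason($post, $now) ?? 'accepted', "\n";
}
```

In the mail script, `reject_reason($_POST, time())` would run before `mail()`, and the message is sent only when it returns `null`.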

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow