Anyone have a working server side screening snippet?
As noted, some blackhats are able to post emails without using my form or using my form in some manner.
They are posting an email format (template) that no longer exists.
They are getting past basic honeypot screening ( if (empty($_POST['comment'])) { ), 'comment' being the trap: if it is filled, don't process the email.
Next I set a Session and if not present don't allow the form to process:
<?php
// Build a per-visit value and store it in the session the first time this page is hit.
$dateTime = date('Y-m-d h:i:s');
$rand = md5(mt_rand());
$hash = sha1($dateTime . $rand);
@session_start();
if (!isset($_SESSION['hash'])) {
    // Note: this runs on whichever request arrives first, GET or POST.
    $_SESSION['hash'] = $hash;
}
//echo $_SESSION['hash'];
?>
<?php // Honeypot and same-server check
// Process the mail only when the trap field is empty and the session value exists.
// The closing brace for this if lives further down in the template.
if (empty($_POST['comment']) && isset($_SESSION['hash'])) {
?>
I used to match the $hash variable from a hidden form input but that did not properly match on first page load.
Now I'm just looking for a $_SESSION value which should only happen when the form is accessed locally.
BUT they are still sending emails....
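As an added example (not the poster's code and not from any project), here is one way to do the screening so that a direct POST cannot satisfy the check. The snippet above starts a session and stores a hash on whichever request arrives first, so a bot that POSTs straight to the script creates its own session and passes isset(). The version below issues the token only when the form page is rendered (GET), echoes it into a hidden input, compares it on POST with hash_equals(), expires it, makes it single use, and rejects field names that the current template does not have. The field names (name, email, message), the token lifetime and the sendMail() placeholder are assumptions; PHP 7.0+ is required for random_bytes() and hash_equals().

```php
<?php
// Added example: server-side contact form screening with honeypot + session-bound form token.
// Assumptions: this same script renders the form (GET) and handles it (POST); PHP >= 7.0.
declare(strict_types=1);

session_start();

const FORM_TOKEN_MAX_AGE = 3600;   // seconds a rendered form stays valid (assumed value)
const FORM_FIELDS = ['form_token', 'comment', 'name', 'email', 'message']; // assumed template fields

// Create a fresh token and store it in the session. Called only when the form is rendered,
// never while handling a POST, so a request that skips the form never obtains one.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    $session['form_token_time'] = time();
    return $token;
}

// Return the reasons a submission should be rejected; an empty array means "accept".
function screenSubmission(array $post, array $session, int $now): array
{
    $reasons = [];

    // 1. Honeypot: the hidden 'comment' field must stay empty. trim() + !== '' avoids the
    //    empty() quirk where a value of "0" counts as empty.
    if (isset($post['comment']) && trim((string)$post['comment']) !== '') {
        $reasons[] = 'honeypot filled';
    }

    // 2. A token must already exist in the session from a prior GET of the form.
    if (!isset($session['form_token'], $session['form_token_time'])) {
        $reasons[] = 'no form token in session';
        return $reasons;
    }

    // 3. The hidden input must match the session copy (constant-time comparison).
    $submitted = isset($post['form_token']) ? (string)$post['form_token'] : '';
    if (!hash_equals($session['form_token'], $submitted)) {
        $reasons[] = 'form token mismatch';
    }

    // 4. The token must not be stale.
    if ($now - (int)$session['form_token_time'] > FORM_TOKEN_MAX_AGE) {
        $reasons[] = 'form token expired';
    }

    // 5. Only fields present in the current template are accepted; an old template's
    //    field names are rejected outright.
    $unexpected = array_diff(array_keys($post), FORM_FIELDS);
    if ($unexpected !== []) {
        $reasons[] = 'unexpected fields: ' . implode(',', $unexpected);
    }

    return $reasons;
}

// Placeholder for the real mail sending code (assumed).
function sendMail(array $post): void
{
    // mail(...) would be called here.
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';   // '?? GET' keeps this runnable from the CLI

if ($method === 'POST') {
    $reasons = screenSubmission($_POST, $_SESSION, time());
    // Single use: drop the token whether or not the submission passed.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    if ($reasons === []) {
        sendMail($_POST);
        echo "accepted\n";
    } else {
        // Log the reason for tuning; tell the client nothing useful.
        error_log('form rejected: ' . implode('; ', $reasons));
        http_response_code(400);
        echo "rejected\n";
    }
} else {
    $token = issueFormToken($_SESSION);
    $safeToken = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    echo '<form method="post">' . "\n";
    echo '  <input type="hidden" name="form_token" value="' . $safeToken . '">' . "\n";
    // Honeypot: hidden from humans with CSS, so only automated posters fill it.
    echo '  <input type="text" name="comment" style="display:none" tabindex="-1" autocomplete="off">' . "\n";
    echo '  <input type="text" name="name">' . "\n";
    echo '  <input type="email" name="email">' . "\n";
    echo '  <textarea name="message"></textarea>' . "\n";
    echo '  <button type="submit">Send</button>' . "\n";
    echo "</form>\n";
}
```

Because the token is created only on GET and compared against the session copy on POST, the first-page-load mismatch goes away: the value written into the hidden input is the same value that was stored in the session. Logging the rejection reasons (rather than silently dropping mail) shows which check each unwanted submission is failing, which is the quickest way to confirm the screening is actually doing its job.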