Email Address Validation for PHP Registration Form

Jackson — Thu, 07 Jun 2007 11:55:30 +0000

So a client has a great new video site. And as it attracts users, it attracts unsavory script kiddies from across the globe – probing the system for weaknesses and always it seems trying to send nonsensical spam. The first thing they do is create a user account to get into the members area. We always get a heads up because inevitably they use a bogus email address, and in turn the registration notice bounces back to info@. The client then forwards to me and I delete the bogus users from the DB. I always notice in succession they try and stuff additional mail headers into the database. The input gets truncated because of the length and thus far appears to be a fairly harmless nuisance.

But what if I could prevent them from registering in the first place? We already use validation to make sure a valid email address is entered. But this is just checking the pattern of the string. Making sure there’s an ‘@’ surrounded by text, with a domain name on one side. While this is a good start, it doesn’t check to see if the domain name entered exists.

We can use PHP’s checkdnsrr function to lookup the DNS records for the entered domain. This is great because now can’t register and make more work for me. However they’re smarter than we think! They use the domain name of the site itself for their fake address. Oy. So now we need to take it to the next level and verify that the mailbox name they entered actually exists…

Update, now seeing activity on the “tell a friend” form : reading..uk, admin..uk, sales..uk – all invalid addresses. Online tool to validate mailboxes here : http://www.yellowpipe.com/yis/tools/email-validator/verify_email.php

Here’s a mod for phpBB that does what I need : http://www.phpbb.com/community/viewtopic.php?t=280755 I’ll have to dig in and see if I can adapt for my usage.

Jackson Whelan » email

Email Address Validation for PHP Registration Form