
Using PHP to Check an IP Address Against a Blocklist

 

One way to reduce the amount of spam submitted through your contact form is to discard submissions made from IP addresses that have recently been used by known spammers. I don't do this at the form level because I implement them at the firewall, so they never get as far as the form. But if you have no control over your server's firewall, comparing the IP address of a computer used to submit a form against a blocklist can help reduce your spam.

For purposes of this page, I'm going to use a blocklist that I own, maintain, and make available for free to anyone in the Interwebs-connected world. Like most IP blocklists, it's just a text file of IP addresses that have been sending out spam or engaging in other malicious, Web-based activities within the past few days. It's updated daily, so it's pretty fresh and has a very low false-positive rate. You can view the list at https://www.rjmblocklist.com/free/webattack.txt.

If you want to use this list, first create a directory named rjmblocklist one level above your web root (in other words, in /home/yourusername on a typical Unix server). Make sure its permissions are 754 or 755.

Next, create a shell script named rjmblocklist.sh containing the following content and upload it into the /home/yourusername/rjmblocklist directory:

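#!/bin/bash
# Directory that holds the blocklist (one level above the web root)
dir="/home/yourusername/rjmblocklist"
# Back up the current list, if there is one
[ -f "$dir/webattack.txt" ] && cp -f "$dir/webattack.txt" "$dir/webattack.bak"
# Download the fresh list; use the full path, because cron does not run the script from this directory
curl -G https://www.rjmblocklist.com/free/webattack.txt -o "$dir/webattack.txt"
# If the download is too small, put the backup back in place
size=$(stat -c%s "$dir/webattack.txt")
min="1100"
if [[ $size -lt $min ]]; then
    cp -f "$dir/webattack.bak" "$dir/webattack.txt"
fi
exit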

That script will back up webattack.txt if it exists, download the freshest webattack.txt, and, if the download is too small (as might happen if the connection is interrupted and then times out), discard it and restore the backed-up file. Give the script execute permission (754 will work) and execute it by typing ./rjmblocklist.sh from the shell. Many FTP clients can also execute a shell script.

To keep the file fresh, set up a cron job to run the shell script once a day. For example, to run the script daily at 8:00 a.m., the cron entry would be:

0 8 * * * /home/yourusername/rjmblocklist/rjmblocklist.sh

Please check and download the blocklist no more often than once a day! That list is only updated daily, so checking it more often than that would be wasteful. (It also could eventually get your IP on a blocklist.)

Checking an IP address against the blocklist is a simple thing. The form processor we built on this page begins with:

<?php
session_start();
date_default_timezone_set('America/New_York'); // replace with the server's time zone
$submitTime = time(); // gets submission time
$submitBrowser = $_SERVER['HTTP_USER_AGENT'] ?? ''; // gets the current browser, if the header was sent
$submitIP = $_SERVER['REMOTE_ADDR']; // gets the current IP address
$submitReferer = $_SERVER['HTTP_REFERER'] ?? ''; // gets the URL of page that sent the form data, if available

All we have to do to reject a form submitted from an IP on the list is add the following code:

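// Load the blocklist; fall back to an empty list if the file is missing or unreadable
$blocklistFile = "../rjmblocklist/webattack.txt";
$flags = FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES;
$blocklist = is_readable($blocklistFile) ? (file($blocklistFile, $flags) ?: []) : [];
$blocklist = array_map('trim', $blocklist); // strip stray spaces or carriage returns
if (in_array($submitIP, $blocklist, true))
{
    // Send the sender to the success page and stop before the submission is processed
    print "<meta http-equiv=\"refresh\" content=\"0;URL=https://www.mydomain.tld/success.php\">";
    die;
}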

The spammer is redirected to the success page, but the spam is never processed and is effectively discarded. In addition, because this is done early in the script, it also saves server resources. The script stops processing once the spam is rejected.
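The lookup above compares raw strings, so a listed address goes unmatched when REMOTE_ADDR arrives in a different spelling, for instance as an IPv4-mapped IPv6 address on a dual-stack server. The following added example (not the author's code) normalizes both the list entries and the submitted address before comparing, and skips malformed lines such as a truncated final entry. The function names are hypothetical, the sample addresses are constructed from documentation ranges, and it assumes the list holds one address per line.

```php
<?php
// Added example, not the page author's code.
// Assumption: the blocklist holds one IP address per line.

// Return the canonical text form of an address, or null if it is not a valid IP.
function normalizeIp(string $ip): ?string
{
    $packed = @inet_pton(trim($ip));   // @: invalid input raises a warning
    if ($packed === false) {
        return null;
    }
    // Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to the plain 4-byte IPv4 address
    $mappedPrefix = str_repeat("\0", 10) . "\xff\xff";
    if (strlen($packed) === 16 && substr($packed, 0, 12) === $mappedPrefix) {
        $packed = substr($packed, 12);
    }
    return inet_ntop($packed);
}

// Build a lookup set (canonical address => true) from raw blocklist lines.
function buildBlockSet(array $lines): array
{
    $set = [];
    foreach ($lines as $line) {
        $key = normalizeIp($line);
        if ($key !== null) {           // drops blanks, comments, truncated entries
            $set[$key] = true;
        }
    }
    return $set;
}

// True when $ip, in any spelling, is in the set. Invalid input counts as not listed.
function isBlocked(string $ip, array $set): bool
{
    $key = normalizeIp($ip);
    return $key !== null && isset($set[$key]);
}

// Constructed sample lines (documentation address ranges) standing in for file() output
$sample = ["203.0.113.7", "198.51.100.23\r", "", "# note", "2001:db8::1", "203.0.113."];
$set = buildBlockSet($sample);

var_dump(isBlocked("203.0.113.7", $set));           // address as written in the list
var_dump(isBlocked("::ffff:203.0.113.7", $set));    // same host as an IPv4-mapped IPv6 address
var_dump(isBlocked("2001:0db8:0:0:0:0:0:1", $set)); // same IPv6 address, longer spelling
var_dump(isBlocked("192.0.2.1", $set));             // address absent from the list
```

In the form processor, the set would be built from the array returned by file() and checked with isBlocked($submitIP, $set); the keyed lookup also avoids scanning the whole list on every submission.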

Again, none of this is necessary if you use good blocklists at the firewall level. But if that's out of your control, then comparing the IP of the computer submitting the form against a text file of known spammers' IP addresses is a good way to reduce your spam.