ATTACK_DETECTION_URL_PATTERNS Setting

This page documents the ATTACK_DETECTION_URL_PATTERNS configuration setting in FormMail.

Type Of Setting

ATTACK_DETECTION_URL_PATTERNS is a LEAVE setting, which means...

LEAVE: you can change this setting if you really need to and know what you're doing, but we recommend that you leave this setting unchanged.

Précis

Defines the patterns used to detect URLs.

Description

Set ATTACK_DETECTION_URL_PATTERNS to a list of Perl Regular Expression patterns that will detect URLs.

These patterns are used by FormMail's spam attack detection feature, in particular by ATTACK_DETECTION_MANY_URLS and ATTACK_DETECTION_MANY_URL_FIELDS.

FormMail uses some built-in patterns in addition to the patterns defined in this setting. In particular, anything beginning with "http://" or "https://" or with an HTML "<a href=...>" tag is considered to be a URL.

The purpose of the ATTACK_DETECTION_URL_PATTERNS setting is to allow you to deal with spam attacks that assume your email client will show certain strings as links. For example, "www.somesite.com" will be shown as a link in many email clients (e.g. Outlook Express, GMail.com). Spammers use this knowledge to send you form spam.

By providing strong URL pattern matching, FormMail can detect these attacks and thwart spammers.

Note that the patterns provided in this setting do not match all possible URLs. For example, they don't match URLs in these top-level domains (and others): ".museum", ".aero", ".arpa", or ".gov". This is because spammers are not likely to send you links to websites in those domains, and, in particular, the registrars of those top-level domains are likely to protect them from use by spammers. For example, you have to be a legitimate museum to have a ".museum" domain name.

Note that version 8.02 of FormMail contained a bug in these patterns that erroneously detected certain email addresses as being URLs (an email address that contained a hyphen in the domain name would be detected as a URL). The default value shown below does not contain this bug.

Default Value

$ATTACK_DETECTION_URL_PATTERNS = array(
    '(^|[^-a-z_.0-9]+)(?<!@)([-a-z0-9]+\.)+(com|org|net|biz|info|name|pro|tel|asia|cat)\b',
    '(^|[^-a-z_.0-9]+)(?<!@)([-a-z0-9]+\.)+(com{0,1}|org|net)\.[a-z][a-z]\b');

The first pattern looks for the likely top-level domains, and the second pattern looks for country-code domains, including ".co.uk".
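
The script below is an added example, not part of FormMail or of the original page. It runs the default patterns against constructed field values so that anyone who does change this setting can confirm that bare host names are still detected and that email addresses with a hyphen in the domain are not. The helper looks_like_url(), the "#" delimiter and the case-insensitive flag are assumptions about how the patterns are applied.

```php
<?php
// Default value copied from this page.
$ATTACK_DETECTION_URL_PATTERNS = array(
    '(^|[^-a-z_.0-9]+)(?<!@)([-a-z0-9]+\.)+(com|org|net|biz|info|name|pro|tel|asia|cat)\b',
    '(^|[^-a-z_.0-9]+)(?<!@)([-a-z0-9]+\.)+(com{0,1}|org|net)\.[a-z][a-z]\b');

// Hypothetical helper, not a FormMail function. Assumption: each pattern is
// applied case-insensitively; "#" is used as the delimiter because it does
// not occur in the patterns.
function looks_like_url($value, $patterns)
{
    foreach ($patterns as $pattern) {
        $result = preg_match('#' . $pattern . '#i', $value);
        if ($result === false) {
            // A pattern that fails to compile must not pass silently.
            throw new RuntimeException("Invalid pattern: $pattern");
        }
        if ($result === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample field values => whether they should count as a URL.
$samples = array(
    'www.somesite.com'             => true,   // bare host, no scheme
    'Visit shop.example.co.uk now' => true,   // country-code domain
    'sales@my-company.com'         => false,  // hyphenated email domain
    'info@my-shop.co.uk'           => false,  // same, country-code form
    'national.museum'              => false,  // TLD deliberately not listed
    'agency.gov'                   => false,  // TLD deliberately not listed
);

$failures = 0;
foreach ($samples as $value => $expected) {
    $actual = looks_like_url($value, $ATTACK_DETECTION_URL_PATTERNS);
    $ok = ($actual === $expected);
    $failures += $ok ? 0 : 1;
    printf("%-4s %-30s url=%s\n", $ok ? 'PASS' : 'FAIL', $value,
           $actual ? 'yes' : 'no');
}
exit($failures === 0 ? 0 : 1);
```

The script exits with a non-zero status if any sample is misclassified, so it can be rerun as a regression check after a pattern is edited.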
