How could I secure a PHP messaging system from spam?

Question

I am currently creating a PHP messaging system and cannot seem to think of a suitable way to stop spam attacks. A message will be sent from this form (simplified to contain essentials):

<form action="messages/send" method="POST">
  <input type="text" name="message" />
  <input type="hidden" name="recipient" value="10" />
  <input type="submit" value="Send" />
</form>

The hidden field above stores the recipient ID. This data is NOT secure on this site and is available for people to see (such as facebook; profile.php?id=45345345.)

When the form is submitted the back-end PHP does the following checks:

1. Is the sender logged in?
2. Is the send allowed to contact the recipient?
3. Does the message contain anything? (Not empty)

The problem I have thought of is someone could easily create a simple script which could auto increment the "recipient" value in the form and essentially send a site-wide message. What other back-end PHP checks, or other types of checks, could be carried out to prevent this from happening?

Answer 1

You could add a few things:

• CSRF
• Server side and client side validation
• captcha - [http://www.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/]
• The Roboo script. Demoed at Blackhat this year and gives you some DOS protection as well.
• Adding a honeypot hidden field that should never be completed. You can use Javascript to fill this in automatically on legitimate form submissions and validate server side.
• Velocity measures such as how fast the form is submitted.

Take a look at - https://security.stackexchange.com/questions/4235/how-should-i-secure-a-contact-form-that-appears-on-every-page-of-a-website