...

View Full Version : Contact forms abuse?



Dodge
11-25-2005, 08:05 PM
Hi all,

We have several contact forms on our site - simple .php scripts that take the contents of a form and e-mail us the comments.

Lately we have been experiencing some shenanigans with the forms! We get several dozen submissions a day from the forms - but not all from legitimate site users. The bulk of the submissions are from e-mail addresses that contain our domains - like

thee9173@ourdomain.com
o4228@ourdomain.com

The message bodies are empty and the subject line is as such:


Subject: rely upon tto s power of observation his

Anyone know what this is all about and how we can stop it?

The form we currently use, I found over at HotScripts, is the wmdformmailer.php. Maybe someone could suggest a better form.

Thanks!
Dodge

vinyl-junkie
11-25-2005, 09:15 PM
If the message body is empty or less than a certain number of characters, do something like this:


if (strlen($message) <= 10) {
header("location: http://www.mydomain.com");
exit();
}
To combat the bogus email address problem that you mentioned, you might consider incorporating the PEAR Validate (http://pear.php.net/package/Validate/) class into your code.

One of the things I had noticed was that some of these auto spammers were using my domain name in their email address. For example, mydomain.com would use an email address of something like jfkdjf@mydomain.com. To circumvent that sort of thing, I put this code in place:


$fromtest = strpos($from, 'mydomain.com');

if($from == "" || $fromtest == true) {
header("location: http://www.mydomain.com");
exit();
}
Doing things like this seems to have stopped the contact form spam, for the time being at least.

Hope this helps.

Dodge
11-25-2005, 09:47 PM
Thank you very much!

Could I further bother you to explain "where" those code snippets go? I'm afraid that I have no working knowledge of .php (if that is what that is?).

I'm including the script - the one I'm currently using - could you take a look and see if it could be modified with the ideas you had above?

Or does that info, you mentioned, actually go in the form?

Thanks
Dodge


<?php
$toMail = ''; // your email address
$CCMail = ''; // CC (carbon copy): also send the email to this address (leave empty if you don't use it)
$thanksPage = ''; // the URL of the thank you page.
$mailSub = ''; // the subject of the email
// If you are asking for an email address in your form, you can name the input field "EMail".
// It's necessary that you have an "EMail" input field in your HTML form. You just need to call this script from your form like: <FORM action="wmdformmailer.php" method="post" name="ContactForm" id="ContactForm">
// If you do this, the message will appear to come from that email address and you can simply click the reply button to answer it.
// You can use this script to submit your forms or to receive orders by email.

//================= DON'T EDIT BELOW THIS CODE ==============================
if(isset($_POST['EMail'])){
    $mailBody = '<font face="arial" size="2" color="#000000">';
    foreach ($_POST as $field => $input) {
        // skip the submit/reset buttons (the posted version used ||, which is always true, so nothing was skipped)
        if(strtolower($field) != 'submit' && strtolower($field) != 'reset'){
            $mailBody .= '<b>'.ucfirst ($field) .' : </b>'. trim(strip_tags($input)) . '<br>';
        }
    }
    //===============================================================
    $mailBody .= '</font>';
    //===============================================================
    $usrMail = $_POST['EMail'];
    // $usrMail goes into a mail header exactly as submitted; a line break inside it ends the From: header and starts a new one
    $headers = "From:$usrMail\r\n";
    $headers .= "cc:$CCMail\r\n";
    $headers .= "Content-type: text/html\r\n";
    $sendRem = mail($toMail, $mailSub, $mailBody, $headers);
    if($sendRem){
        header('location:'.$thanksPage);
        exit;
    }else{
        print '<h2>Failed to send your query.</h2>';
        print '<h3>Please Try Later.</h3>';
    }
}

?>

vinyl-junkie
11-25-2005, 11:02 PM
I didn't incorporate the Validate class in this (I don't use it myself), but here is some altered (and untested) code for you. Bolded items are the new stuff. Note: Be sure to change mydomain.com to whatever your domain name is.

<?php
$toMail = ''; // your email address
$CCMail = ''; // CC (carbon copy): also send the email to this address (leave empty if you don't use it)
$thanksPage = ''; // the URL of the thank you page.
$mailSub = ''; // the subject of the email
$fromtest = strpos($from, 'mydomain.com'); // note: $from is never assigned in this script, so this is strpos('', ...)
// If you are asking for an email address in your form, you can name the input field "EMail".
// It's necessary that you have an "EMail" input field in your HTML form. You just need to call this script from your form like: <FORM action="wmdformmailer.php" method="post" name="ContactForm" id="ContactForm">
// If you do this, the message will appear to come from that email address and you can simply click the reply button to answer it.
// You can use this script to submit your forms or to receive orders by email.

//================= DON'T EDIT BELOW THIS CODE ==============================
if(isset($_POST['EMail'])){
    $mailBody = '<font face="arial" size="2" color="#000000">';
    foreach ($_POST as $field => $input) {
        // skip the submit/reset buttons (the posted version used ||, which is always true, so nothing was skipped)
        if(strtolower($field) != 'submit' && strtolower($field) != 'reset'){
            $mailBody .= '<b>'.ucfirst ($field) .' : </b>'. trim(strip_tags($input)) . '<br>';
        }
    }
    // this tests $toMail (the site owner's address), not the address the visitor submitted
    if($toMail == "" || $fromtest == true) {
        header("location: http://www.mydomain.com");
        exit();
    }
    // $mailBody already holds the <font ...> wrapper at this point, so it is always longer than 10 characters
    if (strlen($mailBody) <= 10) {
        header("location: http://www.mydomain.com");
        exit();
    }
    //===============================================================
    $mailBody .= '</font>';
    //===============================================================
    $usrMail = $_POST['EMail'];
    $headers = "From:$usrMail\r\n";
    $headers .= "cc:$CCMail\r\n";
    $headers .= "Content-type: text/html\r\n";
    $sendRem = mail($toMail, $mailSub, $mailBody, $headers);
    if($sendRem){
        header('location:'.$thanksPage);
        exit;
    }else{
        print '<h2>Failed to send your query.</h2>';
        print '<h3>Please Try Later.</h3>';
    }
}

?>

Dodge
11-26-2005, 02:14 AM
Thank you, I will give this a try.

Is there a way to test this or do I just wait and see if I get any more of those bogus e-mails?

I tried using the form and inputting an e-mail address on that domain and it went through with no trouble ... I don't know what that means. :\ Should it have rejected that submission?

Thanks
Dodge

vinyl-junkie
11-26-2005, 04:19 AM
You need to change that code from mydomain.com to whatever your website domain is. Then test it with some bogus email address from your domain as the "from" email address. Your contact form should reject mail from there if it is working properly. Also, test it with an empty message body, which should also get rejected.

ralph l mayo
11-26-2005, 05:18 AM
Small caveat:




$fromtest = strpos($from, 'mydomain.com');

if($from == "" || $fromtest == true) {
header("location: http://www.mydomain.com");
exit();
}

strpos(haystack, needle) never returns true, only false or an integer indicating the starting position of needle in haystack. This snippet only works by fluke since PHP treats nonzero integers as true. More correct usage:


$fromtest = strpos($from, 'mydomain.com');

// !== means not identical to, != means not equal to. the former is more correct in boolean logic
if($from == "" || $fromtest !== false) {
header("location: http://www.mydomain.com");
exit();
}
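
The checks from vinyl-junkie's two posts and Ralph's strpos() caveat, assembled into one handler as an added example; this is not wmdformmailer.php and not any poster's code. It reads the submitted address before testing it (the modified script above tests $from before anything is assigned to it), tests strpos() against false rather than true, and measures the message field itself rather than $mailBody, which already holds the <font> wrapper when the length check runs. It adds one check the thread does not discuss: the original script writes $_POST['EMail'] straight into "From:$usrMail\r\n", so an address containing a CR/LF pair ends the From: header and starts a new one, and a bot can append its own Bcc: line. Assumptions, none of them from the thread: PHP 7.1 or later, form fields named EMail, Subject and Message, the site domain example.com, and the two addresses/URLs at the top. The domain test compares the host part exactly instead of using strpos(), which goes beyond the thread's substring match so that an outside address such as someone@example.community is not rejected as well.

```php
<?php
// Added example, not the thread's script. Assumptions: PHP 7.1+, fields
// EMail/Subject/Message, site domain example.com, the values below.
$toMail     = 'webmaster@example.com';               // assumption
$thanksPage = 'https://www.example.com/thanks.html'; // assumption
$siteDomain = 'example.com';                         // put your own domain here

/**
 * Return null when the submission may be mailed, otherwise a short reason
 * for your log (the bot itself only ever sees a redirect).
 */
function reject_reason(array $post, string $siteDomain): ?string
{
    // Read the submitted values first; a check on an unassigned $from checks nothing.
    $from    = trim((string)($post['EMail']   ?? ''));
    $subject = (string)($post['Subject'] ?? '');
    $message = trim((string)($post['Message'] ?? ''));

    if ($from === '') {
        return 'empty address';
    }
    // The address is copied into the From: header. A CR or LF inside it starts
    // a new header line, so "a@b.net\r\nBcc: ..." would make mail() relay to
    // whoever the bot names. Reject it before it gets anywhere near mail().
    if (preg_match('/[\r\n]/', $from) === 1 || preg_match('/[\r\n]/', $subject) === 1) {
        return 'line break in a header field';
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return 'malformed address';
    }
    // Bots forge addresses on the site's own domain. strpos() returns an offset
    // or false (test with !== false, never == true); comparing the host part
    // exactly also avoids matching "example.com" inside "example.community".
    $host = strtolower(substr($from, strrpos($from, '@') + 1));
    if ($host === strtolower($siteDomain)) {
        return 'address forged on our own domain';
    }
    // Measure the message field, not an HTML wrapper built around it.
    if (strlen($message) <= 10) {
        return 'message too short';
    }
    return null;
}

/** Build the (to, subject, body, headers) tuple for mail() from an accepted submission. */
function build_mail(array $post, string $toMail): array
{
    $from = trim((string)$post['EMail']);
    $body = '';
    foreach ($post as $field => $value) {
        $name = strtolower((string)$field);
        if ($name === 'submit' || $name === 'reset') {
            continue;
        }
        // Plain text, one field per line; strip_tags() as in the original script.
        $body .= ucfirst((string)$field) . ': ' . trim(strip_tags((string)$value)) . "\n";
    }
    // Only CR/LF-free, syntactically valid addresses reach this point, so the
    // From: line cannot grow extra headers. The subject is fixed, not submitted.
    $headers = "From: {$from}\r\nReply-To: {$from}\r\nContent-Type: text/plain; charset=UTF-8\r\n";
    return [$toMail, 'Website contact form', $body, $headers];
}

if (isset($_POST['EMail'])) {
    $why = reject_reason($_POST, $siteDomain);
    if ($why !== null) {
        // Bounce the bot to the home page as the thread's snippets do, but keep a record.
        error_log('contact form rejected (' . $why . ') from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        header('Location: https://www.example.com/');
        exit;
    }
    [$to, $subject, $body, $headers] = build_mail($_POST, $toMail);
    if (mail($to, $subject, $body, $headers)) {
        header('Location: ' . $thanksPage);
        exit;
    }
    echo '<h2>Failed to send your query.</h2><h3>Please try later.</h3>';
}

// Run from the command line, show what each check catches. The submissions
// below are constructed for this example; they are not captured traffic.
if (PHP_SAPI === 'cli') {
    $samples = [
        'legitimate'    => ['EMail' => 'alice@customer.net', 'Subject' => 'Order', 'Message' => 'Where is my order from last week?'],
        'forged domain' => ['EMail' => 'thee9173@example.com', 'Subject' => 'rely upon tto s power of observation his', 'Message' => ''],
        'relay attempt' => ['EMail' => "bob@customer.net\r\nBcc: one@victim.net, two@victim.net", 'Subject' => 'hi', 'Message' => 'buy now buy now buy now'],
        'empty body'    => ['EMail' => 'carol@customer.net', 'Subject' => 'hi', 'Message' => ''],
    ];
    foreach ($samples as $name => $post) {
        $why = reject_reason($post, $siteDomain);
        printf("%-14s %s\n", $name, $why === null ? 'accepted' : 'rejected: ' . $why);
    }
}
```

Run it with php from a shell to see the verdict for each sample; installed as the form's action it behaves like the original script (redirect on rejection, mail and thank-you page on success). Two caveats: the own-domain test rejects genuine mail from people who really do have an address on your domain, which is the trade-off the thread's posters chose; and a bot that fills the message field and uses an outside address passes every check here, so this cuts the noise described in the thread rather than stopping form abuse in general.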

Dodge
11-26-2005, 12:24 PM
Okay - vinyl-junkie - I did replace mydomain with our domain ... this morning my inbox was full of the offending e-mails, so something went wrong in there somewhere; could have been something I did. :|

Ralph l Mayo - when I used your code it broke the process completely. No mail was delivered and I wasn't directed to the "thanks" page. I don't know what the deal is there - I replaced vinyl-junkie's code with yours.

Thanks!
Dodge

vinyl-junkie
11-26-2005, 04:21 PM
If you'd like, PM me with the full script including the contact form. I'll have a look at the code, plus try it out on my server. I'll change the appropriate code to point to my domain instead of yours before testing it out. (I promise I won't use the script to spam you. ;))

Dodge
11-26-2005, 09:23 PM
Thank you for that nice offer. After talking to my webhost and showing them the script, they were sufficiently concerned to design me a secure backend script for our forms... it's to everyone's benefit to stop the spam when possible, so they are not even charging me for the dev time. :)

Thanks so much for the time and help with this.

Dodge



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum