Contact Form Spam - PHP
Re: Contact Form Spam
On Jan 24, 4:23 am, Rob <ratkin...@tbs-ltd.co.uk> wrote:
> On Jan 24, 5:33 am, Manuel Lemos <mle...@acm.org> wrote:
>
>
>
> > Hello,
>
> > on 01/24/2008 03:21 AM Shelly said the following:
>
> > > The calling code is (The constants are defined earlier. Also, $fld is
> > > an instance of a class that contains information about all of the
> > > fields on the form. The last three are not on the form and the
> > > security field was not part of $fld.)
> > > ====================
> > > $mail = new htmlMimeMail();
> > > $mail->setFrom(MAIL_FROM);
> > > $mail->setBcc(MAIL_CC);
> > > $mail->setSubject(MAIL_SUBJECT);
> > > $i = 0;
> > > $message = "";
>
> > > $html = '<body bgcolor="#CCFFCC">' .
> > > '<strong>From: </strong>' . MAIL_FROM . '<webmaster@' . MAIL_FROM .
> > > '.com><br>' .
> > > '<strong>Sent: </strong>' . MAIL_SENT . "<br>" .
> > > '<strong>To: </strong>' . MAIL_TO . "<br>" .
> > > '<strong>Subject: </strong>' . MAIL_SUBJECT . "<br>" .
> > > '<table border="1" align="center"><caption align="top"><b>' .
> > > MAIL_SUBJECT . '</b></caption><br>';
>
> > > for ($i=0; $i<$fld->size; $i++) {
> > > $message .= $fld->fldDisplay[$i] . ": " . $fld->fldVal[$fld->fldName[$i]] . "\r\n";
> > > $html .= '<tr><th>' . $fld->fldDisplay[$i] . '</th><td>' .
> > > $fld->fldVal[$fld->fldName[$i]] . '</td></tr>';
> > > }
>
> > > $html .= '<tr><th>Security Code Generated</th><td>' .
> > > $_POST['securityHidden'] . '</td></tr>';
> > > $html .= '<tr><th>Security Code Entered</th><td>' .
> > > $_POST['securityCode'] . '</td></tr>';
> > > $html .= '<tr><th>User IP Address</th><td>' . getenv("REMOTE_ADDR") .
> > > '</td></tr>';
> > > $html .= '</table></body>';
>
> > I don't know if that is enough to explain it, but you are not encoding
> > the values that you insert in the HTML message.
>
> > If any values start with < the mail program will process as a tag and
> > may not render anything. So the actual code may be there but is not
> > being displayed because it is taken as a tag.
>
> > Even parts of your static HTML will be omitted like this:
>
> > '<webmaster@' . MAIL_FROM .'.com><br>'
>
> > All you need to do is to use HtmlSpecialChars() to properly encode your
> > values in HTML.
>
> > --
>
> > Regards,
> > Manuel Lemos
>
> > PHP professionals looking for PHP jobs http://www.phpclasses.org/professionals/
>
> > PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
>
> Shelly, I haven't read this (long) thread in detail, but I think you
> have a problem I've seen before.
>
> Basically, what stops a spammer looking at the HTML on your page, then
> posting content back to the form processor contained in the 'ACTION'?
>
> By doing this, they bypass your page security, and can pass any
> information they want to.
>
> You can correct this by generating a known field on the form, let's say
> the date and time, or a unique ID, then checking this as the form
> results come back.
>
> There is NO SUBSTITUTE for checking the integrity of the data returned
> from a form, even if you have client side checking in place.
>
> I may be barking up the wrong tree here, but it certainly sounds like
> your problem.
>
> Rob.
Wow! I just learned something very important. Thanks. I looked at
the html generated (view source) and there it is. The hidden field,
its name, and its value are all to see. That means that they can
generate a form and put in even a null field in that area and my check
would fail because it matches. So, where do I hide the value to be
checked? Do I create a session variable and put its value there and
then check the returned value against that? (That seems to be
equivalent to the date and time).
Shelly
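An added example, not Shelly's code and not htmlMimeMail's, of the two fixes Manuel raises in the quoted reply: every submitted value is passed through htmlspecialchars() before it is placed in the HTML body, and any value that would be copied into a message header is rejected if it contains a line break. The field names and the two sample submissions are constructed for the example.

```php
<?php
// Added example, not the thread's code: the two fixes Manuel describes.
// Field names and the sample submissions below are constructed.

function h(string $value): string
{
    // Encode <, >, &, " and ' so a value is displayed, not parsed as markup.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value bound for a header (Subject, Reply-To) must stay on one line;
// a CR or LF in it would let the submitter append headers of their own.
function headerSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

function buildHtmlBody(array $fields, string $remoteAddr): string
{
    $html = '<body bgcolor="#CCFFCC"><table border="1" align="center">';
    foreach ($fields as $label => $value) {
        $html .= '<tr><th>' . h($label) . '</th><td>' . h($value) . '</td></tr>';
    }
    $html .= '<tr><th>User IP Address</th><td>' . h($remoteAddr) . '</td></tr>';
    return $html . '</table></body>';
}

// Returns the HTML body to mail, or null when the submission must be dropped.
function processSubmission(array $fields, string $remoteAddr): ?string
{
    // Only the fields that are copied into headers need the one-line rule.
    foreach (['Email', 'Subject'] as $headerField) {
        if (isset($fields[$headerField]) && !headerSafe($fields[$headerField])) {
            error_log("contact form: line break in $headerField, submission dropped");
            return null;
        }
    }
    return buildHtmlBody($fields, $remoteAddr);
}

// Constructed sample 1: a name starting with '<' is now shown as text, not a tag.
$body = processSubmission(['Name' => '<b>Shelly</b>', 'Email' => 'shelly@example.com', 'Message' => 'A & B'], '192.0.2.10');
echo $body ?? 'dropped', PHP_EOL;

// Constructed sample 2: a line break in the Email field rejects the submission.
$body = processSubmission(['Name' => 'x', 'Email' => "x@example.com\r\nsecond line", 'Message' => 'hi'], '192.0.2.11');
echo $body ?? 'dropped', PHP_EOL;
```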
-
Re: Contact Form Spam
Shelly wrote:
> Why is this the problem?
>
> <input type="hidden" value="<?php echo $securityCode; ?>"
> name="securityHidden">
The problem is twofold:
1. The security code might be in a hidden field, but the field can still
be seen quite easily by viewing the source code to the page.
2. An even bigger problem: the client can change the contents of the
securityHidden field -- change it to "" for instance.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 25 days, 33 min.]
CSS to HTML Compiler
http://tobyinkster.co.uk/blog/2008/01/22/css-compile/
-
Re: Contact Form Spam
On Jan 24, 8:24 am, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:
> Shelly wrote:
> > Why is this the problem?
>
> > <input type="hidden" value="<?php echo $securityCode; ?>"
> > name="securityHidden">
>
> The problem is twofold:
>
> 1. The security code might be in a hidden field, but the field can still
> be seen quite easily by viewing the source code to the page.
>
> 2. An even bigger problem: the client can change the contents of the
> securityHidden field -- change it to "" for instance.
>
Thank you all for your help. I changed the storage mechanism to a
session variable and removed the hidden field from the form. I now
check the typed in version against that session variable's contents.
That variable gets changed with each presentation of the form.
Hopefully that fixes the problem. Thanks again everyone.
Shelly
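An added example, not Shelly's code, of the design she settles on here: the expected security code lives only in the session, is regenerated each time the form is displayed, and the typed value is checked against it with no hidden field carrying the answer to the browser. The function names, session keys and the 15-minute lifetime are assumptions for this example; drawing the code into an image is left out.

```php
<?php
// Added example, not Shelly's code: the session-held security code she
// describes, with no hidden field carrying the expected value to the browser.
// Function names and the session keys are assumptions for this example.

const CODE_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I lookalikes
const CODE_LENGTH   = 6;

// Called when the form is displayed. The returned code is what gets drawn
// into the image; only the session, never the form, holds the expected value.
function issueSecurityCode(): string
{
    $code = '';
    for ($i = 0; $i < CODE_LENGTH; $i++) {
        $code .= CODE_ALPHABET[random_int(0, strlen(CODE_ALPHABET) - 1)];
    }
    $_SESSION['securityCode']   = $code;
    $_SESSION['securityIssued'] = time();
    return $code;
}

// Called by the form processor. True only when the typed value matches the
// code issued to this session. The stored code is cleared either way, so a
// code cannot be reused across submissions and an empty value never matches.
function checkSecurityCode(?string $typed, int $maxAgeSeconds = 900): bool
{
    $expected = $_SESSION['securityCode']   ?? null;
    $issued   = $_SESSION['securityIssued'] ?? 0;
    unset($_SESSION['securityCode'], $_SESSION['securityIssued']);
    if ($expected === null || $typed === null || trim($typed) === '') {
        return false;                      // no code issued, or nothing typed
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false;                      // form sat too long; issue a new code
    }
    // Constant-time comparison; the user may type the code in either case.
    return hash_equals($expected, strtoupper(trim($typed)));
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!checkSecurityCode($_POST['securityCode'] ?? null)) {
        http_response_code(400);
        exit('Security code missing or incorrect.');
    }
    // ... build and send the notification mail here ...
} else {
    $code = issueSecurityCode();           // render $code into the form's image
}
```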
-
Re: Contact Form Spam
<comp.lang.php>
<Shelly>
<Thu, 24 Jan 2008 05:01:42 -0800 (PST)>
<4cec3359-a419-4c37-a8c2-35eaa453836c@s13g2000prd.googlegroups.com>
> I looked at
> the html generated (view source) and there it is. The hidden field,
> its name, and its value are all to see. That means that they can
> generate a form and put in even a null field in that area and my check
> would fail because it matches. So, where do I hide the value to be
> checked? Do I create a session variable and put its value there and
> then check the returned value against that?
>
I use the IP address to create the filename and to store the anti spam bot
code as a flat file - and then read the code in on the next page.
While it's certainly not impossible that 2 or more users will be surfing your
website using the same IP address - the chance that more than one user
will be using the contact form at that precise moment is quite remote,
even if it's a fairly busy website, as the vast majority of users are
'surfers' and not 'contactors'.
www.jpgimage.co.uk/contact.php
BTW: one of the tricks IMHO is to write your own image code that you can
then use on any of your own websites - and despite what you might like
to think, it's not that hard once you learn some GD basics.
-
Re: Contact Form Spam
In article <fn9548$uqm$1@aioe.org>, Manuel Lemos <mlemos@acm.org>
wrote:
> Hello,
>
> on 01/24/2008 02:40 AM Shelly said the following:
> >>> The email is only sent to the site owner, so the spammer has no way of
> >>> knowing what the email should look like. That tells me that they have
> >>> to be going through the form. Yet the proper email has an echo of
> >>> generated security code. The spam email has that field empty. So,
> >>> that says he can't be going through the form.
> >>> It seems to me that they must:
> >>> 1 - Somehow diverting a legitimate email so that copy is sent to
> >>> them.
> >>> 2 - Using that email copy to create a template and modify the output
> >>> so that junk is sent.
> >>> I really don't know how they are doing it.
> >> If you are not using a good CAPTCHA, I am not sure what you mean by
> >> security codes.
> >>
> >> Anyway, I suspect that your code has a common vulnerability of contact
> >> forms, which is to not properly encode information that goes to message
> >> headers. This means that if the abuser inserts well thought-out character
> >> sequences, he may make your script compose a message that uses your mail
> >> server to send spam to anybody in the world.
> >>
> >> It is hard to advise without seeing your script. Anyway, I recommend
> >> using a component that knows how to properly encode or escape malicious
> >> character sequences to avoid abuses like you're suffering.
> >>
> >> I use this MIME message composing and sending class that is well aware
> >> of all the e-mail standards that are necessary to compose messages
> >> properly. You may want to use it to avoid the abuses.
> >>
> >> http://www.phpclasses.org/mimemessage
> >>
> >
> > I use the class htmlMimeMail from http://www.phpguru.org/ by Richard
>
> I have not studied that class. I don't know if it properly encodes
> message headers.
>
>
> > Heyes. The security code is just a randomly generated string of 6
> > characters. I am not using a CAPTCHA. I guess I will have to.
>
> That may explain it. Even some CAPTCHAs can be bypassed with good OCR
> scripts. But even a basic CAPTCHA can raise the bar hard enough to make
> your abuser give up.
I use a very simple trick. Put a HIDDEN field with an obvious name like
"COUNTRY" or "POSTAL CODE" or whatever giving it an initially blank
value. Check in the post processing for the form to see that it's
blank, meaning the form was filled out by a browser with a human sitting
in front of it. If a bot filled out the form, chances are it put in a
value. Throw those submissions away and do nothing. Mail the others.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
-
Re: Contact Form Spam
Just a heads up, Shelly.
There's a free trial online of the pForms automated forms validator at
http://www.streamforensics.com; the download link is on their introduction
page (sorry, I forget the actual page name).
It writes all the PHP code for you.
It is only a trial and you do need to buy the "data minion" software to
keep using it, but it's very interesting stuff for anyone with any sort
of web form. You might find it useful.
andy
-
Re: Contact Form Spam
I kind of like the new test you've been seeing here and there where it
says something like "2+2 = " and you enter the answer, seems like it
strikes more a balance between protection from bots and making the
form accessible to screen readers, etc.
---
www.NEXCESS.NET - Shared/Reseller Hosting
www.EliteRax.com - Dedicated Servers, Server Clusters
www.MaxVPS.com - Virtual Private Servers
- Great prices, Great service - check us out!
On Jan 24, 3:00 pm, Michael Vilain <vil...@NOspamcop.net> wrote:
> I use a very simple trick. Put a HIDDEN field with an obvious name like
> "COUNTRY" or "POSTAL CODE" or whatever giving it an initially blank
> value. Check in the post processing for the form to see that it's
> blank, meaning the form was filled out by a browser with a human sitting
> in front of it. If a bot filled out the form, chances are it put in a
> value. Throw those submissions away and do nothing. Mail the others.
>
> --
> DeeDee, don't press that button! DeeDee! NO! Dee...
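An added example, not code from the thread, combining the two bot filters from this post: Michael Vilain's blank honeypot field (quoted above) and the "2+2 = " question. The field names "country" and "sumAnswer" and the session key are assumptions; the form markup that places the honeypot out of a person's sight is not shown.

```php
<?php
// Added example, not code from the thread: Michael Vilain's blank honeypot
// field and the "2+2 = " question from the post above, checked together in
// the form processor. Field names and the session key are assumptions.

// On form display: a question a person answers easily. Only the answer is
// kept, server-side in the session; nothing about it goes into a hidden field.
function issueArithmeticQuestion(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['sumAnswer'] = $a + $b;
    return "$a + $b = ";
}

// Returns the reasons a submission looks automated; an empty list means pass.
function botChecks(array $post): array
{
    $reasons = [];
    // Honeypot: the form carries this field with an empty value and a person
    // never sees it, so anything in it was filled in by a script.
    if (!array_key_exists('country', $post)) {
        $reasons[] = 'honeypot field absent (not submitted from our form)';
    } elseif (trim((string) $post['country']) !== '') {
        $reasons[] = 'honeypot field was filled in';
    }

    // Arithmetic question: compare with the answer issued to this session.
    $expected = $_SESSION['sumAnswer'] ?? null;
    unset($_SESSION['sumAnswer']);          // one answer per form display
    $given = trim((string) ($post['sumAnswer'] ?? ''));
    if ($expected === null || !ctype_digit($given) || (int) $given !== $expected) {
        $reasons[] = 'arithmetic answer missing or wrong';
    }
    return $reasons;
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $reasons = botChecks($_POST);
    if ($reasons !== []) {
        // As Michael suggests: drop it and do nothing, but a log line helps tuning.
        error_log('contact form dropped: ' . implode('; ', $reasons));
        exit;
    }
    // ... send the notification mail ...
} else {
    $question = issueArithmeticQuestion(); // echo $question beside the answer input
}
```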