nevesgodnroc Posted November 19, 2008
Thread: https://forums.phpfreaks.com/topic/133337-can-some-one-help-me-with-spamming-attempts/

I have a CMS that I built and am so far only hosting one site with it for testing, and have noticed some security problems. It has a built-in auto responder that is very basic: it just sends the owner of the web site the contact information of the person filling out the form and any comments that they enter, and another email to the person filling out the form that basically just says thank you for contacting me. My client started getting a couple of emails a day with advertising in them, just text and links to some poker tips website blog and some of the normal Viagra stuff. I implemented some code to search for anything that looked like a link and had the code terminate if it found anything. Since then there have been no more emails with links and the amount slowed down, but he is still getting some junk which to me just looks like someone probing. Here is the site: andysommerfelt.com. If someone could give me any ideas how to stop fake contacts from working, and how to determine for sure that my autoresponder script is not being hijacked, I would appreciate it very much.
JonnoTheDev Posted November 19, 2008

Use a CAPTCHA image on all contact forms. This should stop non-human posts.
PFMaBiSmAd Posted November 19, 2008

Auto-responder emails for form submissions are a bad idea. Every time a person or a bot script submits data to your form processing code, an email will be sent to the email address that was entered. And if your form processing code allows email header injection along with that email address, a spammer can send anything to that email address. Does that sound like a good idea? The visitor is already on the site with their browser open; just display the thank you message in the browser.
mtoynbee Posted November 19, 2008

Most spam bots sending a form will complete all input fields automatically in case all fields are mandatory. I suggest creating an extra input field like so:

<input type="text" name="inf" id="inf" size="10" style="display:none" />

This will hide the field from normal users, and the spam bot will complete this field. When the form submits, if this field has anything in it then exit the script. Hope this helps.
premiso Posted November 19, 2008

> Most spam bots sending a form will complete all input fields automatically in case all fields are mandatory. I suggest creating an extra input field like so:
>
> <input type="text" name="inf" id="inf" size="10" style="display:none" />
>
> This will hide the field from normal users, and the spam bot will complete this field. When the form submits, if this field has anything in it then exit the script. Hope this helps.

Responding just because. If you really wanted to make that to where 99% of spam bots cannot detect it, I would suggest using something like this:

<script type="text/javascript">
<!--
function reCaptcha(name) {
    var recap = document.getElementById(name);
    recap.style.display = "none";
}
// -->
</script>

<body onload="reCaptcha('inf');">
<input type="text" name="inf" id="inf" size="10" />

That should fool the majority of the bots, since they would have to look through the JavaScript to find that code and see what it executes. And if you put that JavaScript into a file and include that file, it makes it that much harder, because they would have to parse the whole page to figure out that input box is getting hidden. Anyhow, I found the above very, very effective. The only flaw is if the user does not have JavaScript enabled they will see that field.
mtoynbee Posted November 19, 2008

Nice script premiso! I suppose if the user didn't have JS enabled you could simply use CSS to make the input field the same colour as the background with no border and make it width 0px. That would solve that one.
JonnoTheDev Posted November 19, 2008

> The only flaw is if the user does not have javascript enabled they will see that field

Bigger flaw. The tag is still viewable in the HTML. A bot using cURL can easily read the HTML, extract the form fields and post straight back. Doesn't matter about JavaScript. Use a proper CAPTCHA image to stop bots, not JavaScript or CSS, etc. Get one from http://www.phpclasses.org
premiso Posted November 19, 2008

> Bigger flaw. The tag is still viewable in the HTML. A bot using cURL can easily read the HTML, extract the form fields and post straight back. Doesn't matter about JavaScript. Use a proper CAPTCHA image to stop bots, not JavaScript or CSS, etc. Get one from http://www.phpclasses.org

We want the HTML read. Since bots will read the HTML and not the displayed page, they will fill out that id field, and we check if that field is filled out and do not add the data. The image works, but it is also flawed in that some bots can decipher the image. The biggest problem I have with images is they are so annoying to the users. The above works 99% of the time without annoying the crap out of your users. But yes, if a human does view that form they can determine which fields to send back and bypass that security. If the above does not stop most spam, or one spammer is bugging you, implement the CAPTCHA image. Simple as that. I would at least give the above a go for a few months and see how it holds up before I implement the image technique.
damianjames Posted November 19, 2008

That's a great snippet there, premiso - thanks for sharing with us! I have a client that hates the CAPTCHA (the owner has bad eyesight) and I just told her about another way to stop spam - she's ecstatic.
vicodin Posted November 19, 2008

What about storing the person's IP address in a DB and limiting them to 3 submits per hour?
premiso Posted November 19, 2008

> What about storing the person's IP address in a DB and limiting them to 3 submits per hour?

Would work, but spammers often send a fake IP or use several proxies. IPs are so easy to spoof or swap for a new one that it is absurd. Plus if you have multiple users in an office/school setting it will block them out if 3 different people from work used that form. Not a very viable option.
vicodin Posted November 19, 2008

True... good call.
nevesgodnroc Posted November 19, 2008 (Author)

I have put in place code to detect injection attempts, including the following:

$bad_strings = array(
    "content-type:",
    "mime-version:",
    "multipart/mixed",
    "Content-Transfer-Encoding:",
    "bcc:",
    "cc:",
    "to:"
);

and every part that is taken from a user is checked for these strings. Please let me know if I missed one. And by CAPTCHA image I am assuming that means one of the "enter the letters to see" validation tools. I thought of that, but if possible I would like to stay away from that unless I find it to be absolutely necessary. Does anyone know if there is a log somewhere that will tell how many emails have been sent in a specified amount of time, just to verify that someone hasn't found a work-around to my protection from injection attempts?
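As an added example (not code from the thread or from the poster's CMS), the PHP below puts mtoynbee's and premiso's hidden "inf" honeypot check and nevesgodnroc's header-injection check into one server-side validation routine. It swaps the fixed blacklist of header names for a check on the CR/LF characters an injected header needs to exist at all, and validates the address with filter_var; the field names other than inf (the $_POST keys email, subject and comments) are assumptions.

```php
<?php
// Added example: server-side contact-form validation. The honeypot name "inf"
// comes from the thread; the other $_POST keys are assumed for illustration.

function contains_header_injection(string $value): bool {
    // A value that ends up in a mail header can only smuggle in extra headers
    // (Bcc:, Content-Type:, ...) if it contains a line break, so reject on the
    // CR, LF or NUL characters themselves rather than on a list of header names.
    // This also catches case variants such as "BCC:" and %0a/%0d sequences,
    // which PHP has already URL-decoded by the time they reach $_POST.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function validate_contact(array $post): array {
    $errors = [];

    // Honeypot: real visitors never see "inf", so any content means a bot filled it.
    if (isset($post['inf']) && $post['inf'] !== '') {
        $errors[] = 'honeypot field filled';
    }

    // Header-bound fields: whatever is placed in From:/Reply-To: or Subject:.
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    if (contains_header_injection($email) || contains_header_injection($subject)) {
        $errors[] = 'line break in header field';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email address';
    }

    // Body: the original poster's link filter, applied to the comments only.
    $comments = $post['comments'] ?? '';
    if (preg_match_all('#https?://|www\.#i', $comments) > 0) {
        $errors[] = 'link in comments';
    }

    return $errors; // empty array means the submission may be mailed
}

// Constructed sample submissions: one legitimate, one with the classic
// Bcc: injection plus a filled honeypot.
$legit = ['email' => 'alice@example.com', 'subject' => 'Hello',
          'comments' => 'Nice site.', 'inf' => ''];
$spam  = ['email' => "bob@example.com\r\nBcc: everyone@example.org",
          'subject' => 'x', 'comments' => 'see http://spam.example', 'inf' => 'bot'];

print_r(validate_contact($legit));
print_r(validate_contact($spam));
```

Only a submission that returns an empty error list should reach mail(); everything else is dropped silently, and logging the rejected submissions (with their reason) gives the per-period count the poster asked about without relying on the mail server's own logs.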
darkfreaks Posted November 19, 2008

http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html#block-post-spam

I think mod_rewrite is what you are looking for.
redarrow Posted November 19, 2008

This is the only true way...... Use a CAPTCHA image on all contact forms.

PS... most CAPTCHA images are being hacked; everybody is looking for a better solution...... Using good old-fashioned fonts with GD will help, but like I say, they're getting in...... Advertisers pay millions to get programmers to design programs to read the fonts on top of the GD CAPTCHA images.

Most banks will send a number to your home, and a special question to access your info, or even send a message to contact them. Spam is becoming a real headache....

PSS. I think in the future we'll end up confirming sent messages via mobile phone SMS/text, it's getting that bad..........
xcoderx Posted November 20, 2008

Yesterday some site tried to send bulk emails using my site contact form but failed ;D Can I sue them for the attempt they made???